author | Andreas Sommer <andreas.sommer87@googlemail.com> | 2019-08-22 10:41:47 +0200 |
committer | Jose <jose@zeroc.com> | 2019-09-06 18:51:54 +0200 |
commit | 41c685a40b74f224000b9fe75b5599ad700166ca (patch) | |
tree | 25086c450b883dda48b3749454b0d244aef20658 | |
parent | Implement server name indication (SNI) for OpenSSL and SecureTransport backen... (diff) | |
Implement server name indication (SNI) for IceSSL Java
-rw-r--r-- | java/src/IceSSL/src/main/java/com/zeroc/IceSSL/SSLEngine.java | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/java/src/IceSSL/src/main/java/com/zeroc/IceSSL/SSLEngine.java b/java/src/IceSSL/src/main/java/com/zeroc/IceSSL/SSLEngine.java
index 04969a4a8ce..e4170efe016 100644
--- a/java/src/IceSSL/src/main/java/com/zeroc/IceSSL/SSLEngine.java
+++ b/java/src/IceSSL/src/main/java/com/zeroc/IceSSL/SSLEngine.java
@@ -8,6 +8,8 @@
 import java.io.InputStream;
 import java.util.ArrayList;
 import java.util.List;
 import java.security.cert.*;
+import javax.net.ssl.SNIHostName;
+import javax.net.ssl.SNIServerName;
 import javax.net.ssl.SSLParameters;
 import com.zeroc.Ice.PluginInitializationException;
@@ -88,6 +90,12 @@ class SSLEngine
 _checkCertName = properties.getPropertyAsIntWithDefault(prefix + "CheckCertName", 0) > 0;
 
 //
+ // ServerNameIndication determines whether the SNI extension applies to client connections,
+ // indicating the hostname to the server (must be DNS hostname, not an IP address).
+ //
+ _serverNameIndication = properties.getPropertyAsIntWithDefault(prefix + "ServerNameIndication", 1) > 0;
+
+ //
 // VerifyDepthMax establishes the maximum length of a peer's certificate
 // chain, including the peer's certificate. A value of 0 means there is
 // no maximum.
@@ -877,6 +885,28 @@ class SSLEngine
 }
 }
 
+ // Server name indication
+ if (!incoming && _serverNameIndication)
+ {
+ SNIHostName serverName = null;
+ try
+ {
+ serverName = new SNIHostName(host);
+ }
+ catch(IllegalArgumentException ex)
+ {
+ // Invalid SNI hostname, ignore because it might be an IP
+ }
+ if (serverName != null)
+ {
+ SSLParameters sslParams = engine.getSSLParameters();
+ List<SNIServerName> serverNames = new ArrayList<>();
+ serverNames.add(serverName);
+ sslParams.setServerNames(serverNames);
+ engine.setSSLParameters(sslParams);
+ }
+ }
+
 try
 {
 engine.beginHandshake();
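Review bot: The SNI block in the third hunk catches only IllegalArgumentException around `new SNIHostName(host)`, but that constructor throws NullPointerException for a null argument, so if `host` can ever be null on an outgoing connection the engine setup fails with an uncaught NPE instead of simply omitting SNI; the enclosing method and the origin of `host` are outside the hunk, so this is hedged, but guarding with `if (!incoming && _serverNameIndication && host != null)` closes the gap either way. The catch clause also discards `ex` without saying why; naming it `ignored` and documenting the intent, e.g. `// Not a valid DNS name (e.g. an IP literal, which RFC 6066 forbids in SNI): send no server name`, makes the best-effort behaviour explicit. The hostname-verification side is unaffected, since `_checkCertName` is handled outside this hunk, but it is worth a comment that SNI only selects the server certificate and does not itself validate it.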
@@ -1191,6 +1221,7 @@ class SSLEngine
 private boolean _noCiphers;
 private String[] _protocols;
 private boolean _checkCertName;
+ private boolean _serverNameIndication;
 private int _verifyDepthMax;
 private int _verifyPeer;
 private CertificateVerifier _verifier;