From 41c685a40b74f224000b9fe75b5599ad700166ca Mon Sep 17 00:00:00 2001
From: Andreas Sommer
Date: Thu, 22 Aug 2019 10:41:47 +0200
Subject: Implement server name indication (SNI) for IceSSL Java

---
 .../src/main/java/com/zeroc/IceSSL/SSLEngine.java | 31 ++++++++++++++++++++++
 1 file changed, 31 insertions(+)
(limited to 'java')

diff --git a/java/src/IceSSL/src/main/java/com/zeroc/IceSSL/SSLEngine.java b/java/src/IceSSL/src/main/java/com/zeroc/IceSSL/SSLEngine.java
index 04969a4a8ce..e4170efe016 100644
--- a/java/src/IceSSL/src/main/java/com/zeroc/IceSSL/SSLEngine.java
+++ b/java/src/IceSSL/src/main/java/com/zeroc/IceSSL/SSLEngine.java
@@ -8,6 +8,8 @@ import java.io.InputStream;
 import java.util.ArrayList;
 import java.util.List;
 import java.security.cert.*;
+import javax.net.ssl.SNIHostName;
+import javax.net.ssl.SNIServerName;
 import javax.net.ssl.SSLParameters;
 
 import com.zeroc.Ice.PluginInitializationException;
@@ -87,6 +89,12 @@ class SSLEngine
 //
 _checkCertName = properties.getPropertyAsIntWithDefault(prefix + "CheckCertName", 0) > 0;
+ //
+ // ServerNameIndication determines whether the SNI extension applies to client connections,
+ // indicating the hostname to the server (must be DNS hostname, not an IP address).
+ //
+ _serverNameIndication = properties.getPropertyAsIntWithDefault(prefix + "ServerNameIndication", 1) > 0;
+
 //
 // VerifyDepthMax establishes the maximum length of a peer's certificate
 // chain, including the peer's certificate. A value of 0 means there is 
@@ -877,6 +885,28 @@ class SSLEngine
 }
 }
 
+ // Server name indication
+ if (!incoming && _serverNameIndication)
+ {
+ SNIHostName serverName = null;
+ try
+ {
+ serverName = new SNIHostName(host);
+ }
+ catch(IllegalArgumentException ex)
+ {
+ // Invalid SNI hostname, ignore because it might be an IP
+ }
+ if (serverName != null)
+ {
+ SSLParameters sslParams = engine.getSSLParameters();
+ List serverNames = new ArrayList<>();
+ serverNames.add(serverName);
+ sslParams.setServerNames(serverNames);
+ engine.setSSLParameters(sslParams);
+ }
+ }
+
 try
 {
 engine.beginHandshake();
@@ -1191,6 +1221,7 @@ class SSLEngine
 private boolean _noCiphers;
 private String[] _protocols;
 private boolean _checkCertName;
+ private boolean _serverNameIndication;
 private int _verifyDepthMax;
 private int _verifyPeer;
 private CertificateVerifier _verifier;
-- 
cgit v1.2.3
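Review bot: The new SNI block only tolerates `IllegalArgumentException` from `new SNIHostName(host)`, so if `host` can be null for an outgoing connection at this point (the enclosing method starts and ends outside the hunk, so I cannot confirm) the call escapes as a `NullPointerException` instead of being skipped the way an IP literal is; a guard such as `if (!incoming && _serverNameIndication && host != null)` closes that gap. The catch comment should say what is actually being tolerated, e.g. `// SNIHostName rejects IP literals (RFC 6066 disallows them in SNI) and otherwise malformed names; send no SNI in that case`, and since the exception is deliberately dropped the variable is better named `ignored` than `ex`. `List serverNames` appears to have lost its type argument in rendering; if it really is a raw type it should be `List<SNIServerName>`, which the import added in the first hunk suggests was intended. Because the property defaults to enabled in the `@@ -87,6` hunk, the commit message or the property documentation should note that clients now send the connect hostname in the clear in the ClientHello and that servers configured to reject unknown SNI names will start failing handshakes that previously succeeded.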