JEP 114: TLS SNI Extension - Typical User Cases
The implementation of JEP 114 (TLS Server Name Indication (SNI) Extension) was integrated into JDK 8 in October 2012. In the previous two blog entries, we talked about the behavior changes in JSSE. Let's look at a few typical user cases. Please refer to the javax.net.ssl package of the JDK 8 APIs for the detailed specification.
Client side user cases
Case C-1: I want to access "www.example.com"
Set the host name explicitly:

    SNIHostName serverName = new SNIHostName("www.example.com");
    List<SNIServerName> serverNames = new ArrayList<>(1);
    serverNames.add(serverName);
    sslParameters.setServerNames(serverNames);
    // sslParameters comes from sslSocket.getSSLParameters(); write it back with
    // sslSocket.setSSLParameters(sslParameters), otherwise the setting has no effect.

It is recommended that the client always specify the host name.
Case C-2: I don't want to use server name indication
The server side terminates the transaction if a server name indication is present. I cannot use server name indication because of compatibility issues on the server side. Disable the server name indication with an empty server name list:

    List<SNIServerName> serverNames = new ArrayList<>(1);
    sslParameters.setServerNames(serverNames);
Case C-3: I want to access URL, "https://www.example.com"
Doing nothing: in SunJSSE, the provider's default behavior will set the host name for me, so I don't have to care about the real server name indication. But third-party providers may not support a default server name indication. It is recommended to use Case C-1 to be provider independent.
Case C-4: I want to switch a socket from server mode to client mode
The socket was in server mode, but I need it to work in client mode. Firstly, switch the mode:

    sslSocket.setUseClientMode(true);

Secondly, reset the server name indication parameters that were set in server mode; see cases S-1~S-5 for the different purposes.
Server side user cases
Case S-1: I want to accept all kinds of server name indication
Do nothing; the server will ignore the server name indication.
Case S-2: I want to deny all server name indication of type host_name
Set an invalid server name pattern for host_name:

    SNIMatcher matcher = SNIHostName.createSNIMatcher("");
    Collection<SNIMatcher> matchers = new ArrayList<>(1);
    matchers.add(matcher);
    sslParameters.setSNIMatchers(matchers);

Or define a new SNIMatcher subclass whose matches() method always returns false:

    class DenialSNIMatcher extends SNIMatcher {
        DenialSNIMatcher() {
            super(StandardConstants.SNI_HOST_NAME);
        }

        @Override
        public boolean matches(SNIServerName serverName) {
            return false;
        }
    }

    SNIMatcher matcher = new DenialSNIMatcher();
    Collection<SNIMatcher> matchers = new ArrayList<>(1);
    matchers.add(matcher);
    sslParameters.setSNIMatchers(matchers);
Case S-3: I want to be accessed as "www.example.com"
Set the recognizable server name for "host_name" as "www.example.com":

    SNIMatcher matcher = SNIHostName.createSNIMatcher("www\\.example\\.com");
    Collection<SNIMatcher> matchers = new ArrayList<>(1);
    matchers.add(matcher);
    sslParameters.setSNIMatchers(matchers);
Case S-4: I want to be accessed as "www.example.com" or "www.example.net"
Set the recognizable server name for "host_name" as "www.example.com" or "www.example.net":

    SNIMatcher matcher = SNIHostName.createSNIMatcher("www\\.example\\.(com|net)");
    Collection<SNIMatcher> matchers = new ArrayList<>(1);
    matchers.add(matcher);
    sslParameters.setSNIMatchers(matchers);
Case S-5: I want to be accessed as any hostname in the example.com domain
Set the recognizable server name for "host_name" as "*.example.com":

    SNIMatcher matcher = SNIHostName.createSNIMatcher("(.*\\.)*example\\.com");
    Collection<SNIMatcher> matchers = new ArrayList<>(1);
    matchers.add(matcher);
    sslParameters.setSNIMatchers(matchers);
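As an added example (not code from the original post), the following standalone program builds the case S-5 matcher from above, builds a second matcher with the dots left unescaped, and evaluates both against constructed host names the way the handshake would; serverParameters() shows how such matchers are installed on an SSLParameters object for cases S-2 to S-5. The class and method names are my own.

```java
import java.util.ArrayList;
import java.util.Collection;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIMatcher;
import javax.net.ssl.SSLParameters;

public class SniMatcherCheck {

    // Case S-5 matcher: "example.com" itself and any name under it.
    static final SNIMatcher DOMAIN =
            SNIHostName.createSNIMatcher("(.*\\.)*example\\.com");

    // Same intent with the dots left unescaped: '.' then matches any character,
    // so the matcher accepts more names than the operator intended.
    static final SNIMatcher UNESCAPED =
            SNIHostName.createSNIMatcher("www.example.com");

    /** Evaluate a matcher against a host_name value as the handshake does. */
    static boolean accepts(SNIMatcher matcher, String hostName) {
        return matcher.matches(new SNIHostName(hostName));
    }

    /** Install matchers on SSLParameters (server side, cases S-2 to S-5).
     *  The returned object must be passed to setSSLParameters() on the
     *  SSLServerSocket or SSLSocket, or the matchers are never consulted. */
    static SSLParameters serverParameters(SSLParameters params,
                                          SNIMatcher... matchers) {
        Collection<SNIMatcher> list = new ArrayList<>(matchers.length);
        for (SNIMatcher m : matchers) {
            list.add(m);
        }
        params.setSNIMatchers(list);
        return params;
    }

    public static void main(String[] args) {
        // Constructed sample names; nothing is resolved or connected to.
        String[] names = {"example.com", "www.example.com", "a.b.example.com",
                          "www.example.net", "wwwxexamplexcom"};
        for (String n : names) {
            System.out.printf("%-18s S-5 pattern: %-5s unescaped: %s%n",
                    n, accepts(DOMAIN, n), accepts(UNESCAPED, n));
        }
        SSLParameters p = serverParameters(new SSLParameters(), DOMAIN);
        System.out.println("matchers installed: " + p.getSNIMatchers().size());
    }
}
```

Only the first three names pass the S-5 pattern, while the unescaped pattern also accepts the constructed name wwwxexamplexcom, which is why the patterns on this page escape every dot.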
Case S-6: I want to switch a socket from client mode to server mode
The socket was in client mode, but I need it to work in server mode. Firstly, switch the mode:

    sslSocket.setUseClientMode(false);

Secondly, reset the server name indication parameters that were set in client mode; see cases C-1~C-3 for the different purposes.
More blog entries about TLS Server Name Indication (SNI) Extension:
TLS Server Name Indication Extension and Unrecognized_name
JEP 114: TLS SNI Extension - SunJSSE Behavior Changes
JEP 114: TLS SNI Extension - SunJSSE Behavior Changes (Continue)
JEP 114: TLS SNI Extension - Virtual Servers Dispatcher