如何仅将单个HTTPURLConnection的"jsse.enableSNIExtension"设置为false? [英] How to set “jsse.enableSNIExtension” to false only for a single HTTPURLConnection?
问题描述
我目前有一个可以对许多URL进行HTTP发布请求的应用程序.某些连接失败,但出现以下异常.
I currently have an application that would make HTTP post request to a lot of URLs. Some of the connections are failing with the following exception.
线程主"中的异常javax.net.ssl.SSLProtocolException: 握手警报:位于无法识别的名称 sun.security.ssl.ClientHandshaker.handshakeAlert(ClientHandshaker.java:1410) 在sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2004) 在sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1113) 在 sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) 在 sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
Exception in thread "main" javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name at sun.security.ssl.ClientHandshaker.handshakeAlert(ClientHandshaker.java:1410) at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2004) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1113) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
. .
因此,我只想将抛出上述异常的特定连接的"jsse.enableSNIExtension"设置为false.
Hence, I want to set "jsse.enableSNIExtension" to false only for specific connections which throw the above mentioned exception.
如何在HTTPsURLConnection/SSLSocket级别上做到这一点?
How do I do it on an HTTPsURLConnection/SSLSocket level?
代码
URL url = new URL("https://artofskinmd.localgiftcards.com/");
HttpURLConnection httpConnection = (HttpURLConnection) url.openConnection();
httpConnection.connect();
我正在尝试找到一种方法来更改HttpsURLConnection对象的SSLParameters.但是我找不到用于设置空服务器名称列表的任何setSSLParameters()方法.在为HttpURLConnection,SSLContext等设置SSLParameters时,我无法在线找到任何内容
I am trying to find a way to change the SSLParameters for the HttpsURLConnection object. But I am unable to find any setSSLParameters() method for setting an empty server names list. I am not able to find anything online on setting SSLParameters for HttpURLConnection, SSLContext etc
推荐答案
很明显,该站点依赖于SNI,否则它不会关心客户端在SNI扩展中发送的名称.这意味着禁用扩展名可能无济于事,但是相反,您将获得一些握手失败或某些默认站点(和证书),而可能不是您想要的站点.要解决此问题,您不应该禁用SNI,而应使用正确的名称,即站点期望的名称.
Obviously the site depends on SNI, otherwise it would not care about the name sent by the client in the SNI extension. This means that disabling the extension will probably not help, but instead you would then either get some handshake failure or some default site (and certificate) and probably not the site you have intended. To fix the problem you should not disable SNI but instead use the correct name, i.e. the name expected by the site.
这看起来既是服务器配置错误,又是Java7和Java8中的错误.访问URL https://artofskinmd.localgiftcards.com/将导致出现一个unknown_name TLS警报 warning (警告),该警告将Java7和Java8错误地认为是致命的(与非常老的OpenSSL 0.9.8相同).在这种情况下,禁用SNI实际上会有所帮助,但是似乎没有办法为单个HttpURLConnection对象禁用SNI.
This looks like both a bad server configuration together with a bug in Java7 and Java8. Access to the URL https://artofskinmd.localgiftcards.com/ will result in a unknown_name TLS alert warning which Java7 and Java8 wrongly consider fatal (same as the very old OpenSSL 0.9.8). Disabling SNI will actually help in this case, but there seems to be no way to disable SNI for a single HttpURLConnection object.
这篇关于如何仅将单个HTTPURLConnection的"jsse.enableSNIExtension"设置为false?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
