设置“jsse.enableSNIExtension”的安全后果是什么?假的? [英] What are the security consequences of setting "jsse.enableSNIExtension" to false?
问题描述
我目前有一个应用程序可以向很多URL发出HTTP post请求。一些连接失败,但有以下异常。
I currently have an application that would make HTTP post request to a lot of URLs. Some of the connections are failing with the following exception.
线程中的异常mainjavax.net.ssl.SSLProtocolException:
握手警报:
sun.security.ssl.ClientHandshaker.handshakeAlert(ClientHandshaker.java:1410)的未识别名称
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2004)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1113)
at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
at
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185 )
at
sun.net.www.protoco l.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at
com.amazon.cba.iopn.test.MainTest.connectWithFallbackIfRequired(MainTest.java:246)
at
com.amazon.cba.iopn.test.MainTest.createHttpConnection(MainTest.java:201)
at com.amazon.cba.iopn.test.MainTest.processLine(MainTest.java:105)
在com.amazon.cba.iopn.test.MainTest.main(MainTest.java:99)
Exception in thread "main" javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name at sun.security.ssl.ClientHandshaker.handshakeAlert(ClientHandshaker.java:1410) at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2004) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1113) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) at com.amazon.cba.iopn.test.MainTest.connectWithFallbackIfRequired(MainTest.java:246) at com.amazon.cba.iopn.test.MainTest.createHttpConnection(MainTest.java:201) at com.amazon.cba.iopn.test.MainTest.processLine(MainTest.java:105) at com.amazon.cba.iopn.test.MainTest.main(MainTest.java:99)
我读完后想出来来自net的其他文章,这是服务器配置的问题。响应中的服务器抛出一个警告,Java将其视为异常。解决方法是将 jsse.enableSNIExtension 设置为 false 。
I figure out after reading other articles from net that this is an issue with the server configuration. The server in reply throws a warning which Java treats as Exception. The workaround is to set jsse.enableSNIExtension to "false".
- 什么是客户公开的安全风险,如果它将 jsse.enableSNIExtension 系统属性设置为 false ?
- What are the security risk the client exposes, if it sets the jsse.enableSNIExtension system property to false?
PS: 我们尝试通过HTTPS连接的所有网址。因此,将有来自oracle的证书验证。
PS: All URLs that we are trying to connect over HTTPS. So, there will be certificate verification.
推荐答案
( http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide .html ):
它启用与虚拟服务器的TLS连接,其中托管不同网络名称的多个服务器单个底层网络地址
It enables TLS connections to virtual servers, in which multiple servers for different network names are hosted at a single underlying network address
如果禁用jsse.enableSNIExtension,您将无法连接到虚拟服务器下的页面
If you disable jsse.enableSNIExtension you won't be able to connect to pages under a virtual server
这篇关于设置“jsse.enableSNIExtension”的安全后果是什么?假的?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
