TLS扩展名“服务器名称指示” （SNI）：服务器端不可用的值 [英] TLS extension "Server Name Indication" (SNI): value not available on server side

问题描述

基于JSSE示例，我试图在服务器端获取TLS参数服务器名称指示（SNI）的值 - 但没有成功。我确信该值是由客户端发送的，因为我使用了显示该值的网络嗅探器（Wireshark）。

Based on the JSSE examples, I'm trying to get the value of the TLS parameter "Server Name Indication" (SNI) on the server side - without success. I'm sure that the value is sent by the client since I used a network sniffer (Wireshark) that shows the value.

但是当我使用下面的代码片段时，服务器名称参数列表为空（显示协议）：

But when I use the following code fragment, the list of server name parameters is empty (while the "protocols" are shown):

public void connectionAccepted(Socket socket) 
{ 
  System.out.println("Connection accepted!"); 
  try { 
    /* get SNI parameter */ 
    SSLSocket sslSocket = (SSLSocket)socket; 
    SSLParameters sslParams = sslSocket.getSSLParameters(); 

    List<SNIServerName> serverNames = sslParams.getServerNames(); 
    for(SNIServerName item : serverNames){ 
      System.out.println("SNI: " + item.toString()); 
    } 

    String[] protocols = sslParams.getProtocols(); 
    for(String item : protocols) { 
      System.out.println("Protocols: " + item.toString()); 
    } 
  } catch (Exception e) { 
    e.printStackTrace(); 
  } 
} 

推荐答案

无论什么原因，Java SNI实现显然不提供服务器端的实际主机名。相反，文档[1]（在基于SSLSocket的虚拟服务器调度程序下）建议手动解析初始SSL数据包并从那里提取服务器名称。

For whatever reason, the Java SNI implementation apparently does not provide the actual host name on the server side. Instead, the documentation [1] (under "Virtual Server Dispatcher Based on SSLSocket") recommends manually parsing the initial SSL packet and extracting the server name from there.

你可以还使用SNIMatcher [2]要求客户端提供某个名称;如果匹配器不匹配，则客户端在SSL层获取错误。

You could also use an SNIMatcher [2] to require that the client provides a certain name; if the matcher does not match, then the client gets an error at the SSL layer.

[1] http://docs.oracle.com/javase/8/docs/technotes/guides/security/ jsse / JSSERefGuide.html＃SNIExamples
[2] http://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SNIMatcher.html

更新：我编写了一个自定义SNI解析器，它的工作原理如下：客户端将SNI作为SSL ClientHello消息的一部分发送，这是第一个作为设置的一部分发送的消息建立SSL连接。我的实现首先解析它，然后使用与请求的主机名匹配的正确服务器端证书设置SSLEngine。

Update: I've written a custom SNI parser and it works like this: the client sends the SNI as part of the SSL ClientHello message, which is the first message sent as part of setting up an SSL connection. My implementation first parses that, and then sets up an SSLEngine with the right server-side certificate matching the requested host name.

这篇关于TLS扩展名“服务器名称指示” （SNI）：服务器端不可用的值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！