changeset 804:361441253305 monetdbs

Send SNI (Server Name Indication)
author Joeri van Ruth <joeri.van.ruth@monetdbsolutions.com>
date Mon, 11 Dec 2023 15:04:59 +0100 (16 months ago)
parents 1671f2eb130b
children 2fee4b71baac
files src/main/java/org/monetdb/mcl/net/SecureSocket.java tests/TLSTester.java
diffstat 2 files changed, 14 insertions(+), 13 deletions(-) [+]
--- a/src/main/java/org/monetdb/mcl/net/SecureSocket.java
+++ b/src/main/java/org/monetdb/mcl/net/SecureSocket.java
@@ -8,6 +8,8 @@ import java.security.*;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.util.Collections;
+import java.util.List;
 
 public class SecureSocket {
     private static final String[] ENABLED_PROTOCOLS = {"TLSv1.3"};
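Review bot: The added `import java.util.List;` is not referenced by any line in this changeset; the only new collection call, `Collections.singletonList(serverName)`, is typed through `SNIServerName` and needs only `Collections`. Unless the rest of the file (outside these hunks) uses `List`, this is an unused import and should be dropped to keep the import block clean.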
@@ -16,32 +18,29 @@ public class SecureSocket {
     public static Socket wrap(Target.Validated validated, Socket inner) throws IOException {
         Target.Verify verify = validated.connectVerify();
         SSLSocketFactory socketFactory;
+        boolean checkName = true;
         try {
             switch (verify) {
                 case System:
                     socketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
-                    return wrapSocket(inner, validated, socketFactory, true);
+                    break;
                 case Cert:
-                        KeyStore keyStore = keyStoreForCert(validated.getCert());
-                        socketFactory = certBasedSocketFactory(keyStore);
-                    return wrapSocket(inner, validated, socketFactory, true);
+                    KeyStore keyStore = keyStoreForCert(validated.getCert());
+                    socketFactory = certBasedSocketFactory(keyStore);
+                    break;
                 case Hash:
-                    return wrapHash(validated, inner);
+                    socketFactory = hashBasedSocketFactory(validated.connectCertHashDigits());
+                    checkName = false;
+                    break;
                 default:
                     throw new RuntimeException("unreachable: unexpected verification strategy " + verify.name());
             }
+            return wrapSocket(inner, validated, socketFactory, checkName);
         } catch (CertificateException e) {
             throw new SSLException(e.getMessage(), e);
         }
     }
 
-    private static Socket wrapHash(Target.Validated validated, Socket inner) throws IOException, CertificateException {
-        SSLSocketFactory socketFactory = hashBasedSocketFactory(validated.connectCertHashDigits());
-        SSLSocket sock = wrapSocket(inner, validated, socketFactory, false);
-
-        return sock;
-    }
-
     private static SSLSocket wrapSocket(Socket inner, Target.Validated validated, SSLSocketFactory socketFactory, boolean checkName) throws IOException {
         SSLSocket sock = (SSLSocket) socketFactory.createSocket(inner, validated.connectTcp(), validated.connectPort(), true);
 
@@ -50,6 +49,8 @@ public class SecureSocket {
 
         if (checkName) {
             SSLParameters parameters = sock.getSSLParameters();
+            SNIServerName serverName = new SNIHostName(validated.connectTcp());
+            parameters.setServerNames(Collections.singletonList(serverName));
             parameters.setEndpointIdentificationAlgorithm("HTTPS");
             sock.setSSLParameters(parameters);
         }
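Review bot: The SNI extension is only sent when `checkName` is true, so the `Hash` verification path (which passes false) still connects without a server name; as far as I can tell from these hunks, a server that selects its certificate by SNI would then present a default certificate whose digest does not match, and the pinning would fail for no good reason. Setting the server name is independent of endpoint identification, so I would move the two new lines out of the `if` and keep only `setEndpointIdentificationAlgorithm("HTTPS")` conditional. Note also that the `SNIHostName` constructor throws `IllegalArgumentException` for values that are not valid host names (an IPv6 literal with ':' would be one case, if `connectTcp()` can return address literals), which would escape wrap() as an unchecked exception rather than the `SSLException` callers expect — worth a guard or a conversion at that point. The enclosing wrapSocket method starts and ends outside this hunk.
```java
        SSLParameters parameters = sock.getSSLParameters();
        // SNI tells the server which certificate to present; it is useful for
        // every verification strategy, not just the ones that check the name.
        SNIServerName serverName = new SNIHostName(validated.connectTcp());
        parameters.setServerNames(Collections.singletonList(serverName));
        if (checkName) {
            parameters.setEndpointIdentificationAlgorithm("HTTPS");
        }
        sock.setSSLParameters(parameters);
```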
--- a/tests/TLSTester.java
+++ b/tests/TLSTester.java
@@ -132,7 +132,7 @@ public class TLSTester {
 //        test_connect_client_auth2();
         test_fail_tls_to_plain();
         test_fail_plain_to_tls();
-//        test_connect_server_name();
+        test_connect_server_name();
 //        test_connect_alpn_mapi9();
         test_connect_trusted();
         test_refuse_trusted_wrong_host();