JEP 114: TLS SNI Extension - SunJSSE Behavior Changes (Continue)

Students Apartment, Harbin Institute of Technology (HIT), China

The implementation of JEP 114 (TLS Server Name Indication (SNI) Extension) had integrated into JDK 8 at October, 2012. In the previous blog entry, we talked about the behavior changes in client and server mode. This blog entry will continue to talk about behavior changes in key manager and trust manager of JSSE. Please refer to javax.net.ssl package of JDK 8 APIs for the detailed specification.

Server Name Indication (SNI) sensitive KeyManager


In JDK 7 and previous releases, the KeyManager of server is not server name indication sensitive. The KeyManager of SunJSSE provider does not check the server name indication in order to get the proper key and certificate.

In JDK 8, the KeyManager of server of SunJSSE provider will try check the server name indication in extension and select the appropriate keys according to requested server name indication.

For example, supposed that there are three key/cert entries in server key store. The subject of the certs are "cn=www.example.com", "cn=www.invalid.com" and "cn=www.example.net". When the client requested server name indication is "www.example.net", the server should be able to select the cert with subject "cn=www.example.net", rather than the other two certs.

Server name indication sensitive TrustManager


Endpoint identification can be based on IP address or literal hostname.

In JDK 7, if a SSL/TSL connection specified the literal hostname of the server, the hostname will be used to make the endpoint identification against the peer's identity presented in the end-entity X.509 certificate.

For example:
 
        SSLSocketFactory factory = ...
        SSLSocket sslSocket = factory.createSocket("www.example.com", 443);

the hostname, "www.example.com" will be used to make the endpoint identification.


While for
        SSLSocketFactory factory = ...
        SSLSocket sslSocket = factory.createSocket("172.16.10.6", 443);

as the hostname is an IP address, the endpoint identification cannot be used for literal hostname.


In JDK 8, developers have a chance to explicitly set the server name indication with SSLParameters.setServerNames(List<SNIServerName> serverNames). The server name indication in client mode also has impact on endpoint identification.

In SunJSSE provider, in client mode, the endpoint identification in the implementation of X509ExtendedTrustManager will make use of the server name indication, retrieved by ExtendedSSLSession.getRequestedServerNames().

For example:
        SSLSocketFactory factory = ...
        SSLSocket sslSocket = factory.createSocket("172.16.10.6", 443);
        // SSLEngine sslEngine = sslContext.createSSLEngine("172.16.10.6", 443);
 
        SNIHostName serverName = new SNIHostName("www.example.com");
        List<SNIServerName> serverNames = new ArrayList<>(1);
        serverNames.add(serverName);
 
        SSLParameters params = sslSocket.getSSLParameters();
        params.setServerNames(serverNames);
        sslSocket.setSSLParameters(params);
        // sslEngine.setSSLParameters(params);
the hostname in server name indication, "www.example.com", will be used to make endpoint identification against the peer's identity presented in the end-entity X.509 certificate.


More blog entries about TLS Server Name Indication (SNI) Extension:
TLS Server Name Indication Extension and Unrecognized_name
JEP 114: TLS SNI Extension - SunJSSE Behavior Changes
JEP 114: TLS SNI Extension - Typical User Cases
JEP 114: TLS SNI Extension - Virtual Servers Dispatcher

Popular posts from this blog

Java™ SE 7 Release Security Enhancements - Weak Cryptography Control

JSSE Oracle Provider Preference of TLS Cipher Suites