ssl handshakes and SNI

[grantmacken]

Server Name Indentification (SNI)
If a http client does not send server_name as part of the TLS hello handshake then the server will send back the wrong certificate and the host name verification stage will fail. This failure happens when I use the expath httpclient module. Other http clients like curl and openssl (client mode) have ways of setting the server_name

I am pretty sure is what is happening as I could not grep the server_name when I used the expath httpclient module in ssl debug mode in eXistdb
My suggestion is to add some tests for some known SNI served sites

https://sni.velox.ch/
https://www.mnot.net/blog/2014/05/09/if_you_can_read_this_youre_sniing

If they work, when tested with the expath-http-client then I'm wrong

[adamretter]

@grantmacken I am not knowledgable about SNI. If you could provide an example of how to do SNI with the Apache HTTP Components libraries then I could certainly take a look at fixing this.

[grantmacken]

https://wiki.apache.org/HttpComponents/SNISupport
SNI resolution success or failure, happens at the connection phase ( SSL ) prior to making a HTTP request.

The reason why SNI is so important is that it is the only way a web developer can get multiple domains served over HTTPS on a single IP address. Big business sites don't use SNI because they can afford not to, but in the age of single idea Web Apps, or public facing REST APIs, for a web developer, it is the best thing since sliced bread.

I suggest testing with a known SNI enable website
https://www.mnot.net/blog/2014/05/09/if_you_can_read_this_youre_sniing

I checked by grepping the string 'server_name' in the logged output of an eXistdb instance
ran in java SSL debug mode.

note: The Makefile in samples folder in the expath-http-client-java repo
has a missing inc file referenced in Makefile so the examples won't run.

[adamretter]

@grantmacken I think you might have closed this ticket by accident?

[adamretter]

@grantmacken So that SNI thing should be fixed in my fork of expath-http-client-java. Those updates have also been merged into eXist-db develop branch, so tomorrow's nightly should work for you (or of course you can build from GitHub HEAD).