Idea ID: 2746969

smartconnectors: Support TLS SNI correctly

Status : Declined
over 1 year ago

Hi,

I found an issue with the flex REST-API connector.

It is unable to handle SNI correctly i.e.

when you connect to a server which serves more than one https URL, the connector does not follow the "SNI" (https://en.wikipedia.org/wiki/Server_Name_Indication) correctly and gets the "server default certificate" instead of the certificate it should get.

Example

- imagine there would be a rest api running on URL https://lifeistoshort.com
- the server is also serving different URLs like https://icecreamforfree.com

the server presents, for whatever reason, the certificate for icecreamforfree.com if you just call the IP/hostname - and that's what the smartconnector is doing.

if the SC would "handle the TLS connection" correctly, the server would present the lifeistoshort.com certificate.

 

you can test this via

1) openssl s_client -showcerts -connect lifeistoshort.com:443
2) openssl s_client -showcerts -connect lifeistoshort.com:443 -servername lifeistoshort.com

in case 1 you get the icecreamforfree.com certificate and in
case 2 you get the right lifeistoshort.com certificate.

 

doing some research I found a hint for the solution, unsure if the code is already in place and it is another issue, however this site https://bugs.openjdk.java.net/browse/JDK-8173168 says you should use SSLParameters.setServerNames() to solve the issue.

I also filed an SR for this: SD02590356

which has some more details, like pcaps etc.

looking forward to the FR getting implemented

Regards

A.
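Added example, not part of the original post and not SmartConnector code: a Java client that repeats the two openssl checks above through JSSE, once with the SNI extension suppressed and once with it set through SSLParameters.setServerNames(). The class name SniCheck and the method leafSubject are hypothetical; the host is passed on the command line, and the example assumes the server's certificate chain is trusted by the JVM's default trust store.

```java
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class SniCheck {
    // Handshakes with host:port and returns the subject of the leaf certificate the server
    // presented. sniName == null suppresses the SNI extension (like openssl test 1);
    // otherwise sniName is sent in the ClientHello (like openssl test 2 with -servername).
    static String leafSubject(String host, int port, String sniName) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            if (sniName == null) {
                // Empty list: no server_name extension is sent. The chain is still
                // validated, but the hostname is not, so a trusted "default"
                // certificate for another site can be observed here.
                params.setServerNames(Collections.<SNIServerName>emptyList());
            } else {
                params.setServerNames(
                    Collections.<SNIServerName>singletonList(new SNIHostName(sniName)));
                // Also require the certificate to match the hostname, so a wrong
                // certificate fails the handshake instead of being accepted.
                params.setEndpointIdentificationAlgorithm("HTTPS");
            }
            socket.setSSLParameters(params);
            socket.startHandshake(); // throws SSLHandshakeException on an untrusted chain
            X509Certificate leaf =
                (X509Certificate) socket.getSession().getPeerCertificates()[0];
            return leaf.getSubjectX500Principal().getName();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java SniCheck <host> [port]");
            System.exit(2);
        }
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        System.out.println("no SNI:   " + leafSubject(host, port, null));
        System.out.println("with SNI: " + leafSubject(host, port, host));
    }
}
```

On a server that behaves as described in the post, the two printed subjects differ: the first is the server's default certificate and the second is the certificate for the requested name.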

 

 

  • I've declined this request not because it is not valid, but because it is a bug in the software and it should be reported through the Support organization to be addressed in the current code base.

    Please open a support ticket for this behavior.