我遇到了我不了解的Java SNI SSL行为。在Java中使用SNI时,我希望Google不会为无效的主机名提供任何证书,但是会提供。
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("src/main/resources/empty.keystore"), "password".toCharArray());
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
keyManagerFactory.init(keystore, "password".toCharArray());
KeyStore trustStore = KeyStore.getInstance("JKS");
// truststore contains single trusted certificate with serial number: 0x72a9296669b20ad60800000000320a0a
trustStore.load(new FileInputStream("src/main/resources/client-test-cn.truststore"), "password".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
tmf.init(trustStore);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagerFactory.getKeyManagers(), tmf.getTrustManagers(), null);
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
SSLSocket socket = (SSLSocket) socketFactory.createSocket();
SSLParameters sslParameters = socket.getSSLParameters();
sslParameters.setServerNames(Arrays.asList(new SNIHostName("microsoft.com")));
// Google provides certificate with serial number: 0x72a9296669b20ad60800000000320a0a
// CN=*.google.com,O=Google LLC,L=Mountain View,ST=California,C=US
// CN=GTS CA 1O1,O=Google Trust Services,C=US
// this works as this certificate is in the trust store
// handshake log: Extension server_name, server_name: [type=host_name (0), value=microsoft.com]
// ????? why does Google provide Google certificate for invalid hostname ?????
// sslParameters.setServerNames(Arrays.asList(new SNIHostName("google.com")));
// Google provides certificate with serial number: 0xcbfd0b2561656ea202000000005c675c
// this does NOT work as intentionally this certificate is missing from truststore
// handshake log: Extension server_name, server_name: [type=host_name (0), value=google.com]
sslParameters.setProtocols(new String[] {"TLSv1.2"});
socket.setSSLParameters(sslParameters);
socket.connect(new InetSocketAddress(InetAddress.getByName("google.com"), 443));
socket.addHandshakeCompletedListener(event -> System.out.println("----- HANDSHAKE DONE -----"));
socket.startHandshake();
当通过SNI扩展名请求无效的主机名时,为什么Google会完全提供其证书?没有匹配的主机名时,提供随机/默认证书是SNI的一部分吗?
答案 0 :(得分:0)
在没有匹配的主机名时,提供随机/默认证书是SNI的一部分吗?
SNI并不指示服务器的特定行为。它提供的所有方法都是服务器可以找出客户端要访问哪个域的一种方式。
服务器的行为非常不同:有些服务器完全忽略SNI,因为它们始终只有一个配置和证书。如果没有提供SNI或不匹配,则其他一些具有默认值。如果SNI提供的名称与特定配置不匹配,其余的通常会引发某种错误。