[jboss-jira] [JBoss JIRA] (WFLY-7351) JAX-RS Http Client does not support SNI even though underlying Apache HttpClient version supports it
Edvin Syse (JIRA)
issues at jboss.org
Wed Oct 19 13:31:00 EDT 2016
Edvin Syse created WFLY-7351:
--------------------------------
Summary: JAX-RS Http Client does not support SNI even though underlying Apache HttpClient version supports it
Key: WFLY-7351
URL: https://issues.jboss.org/browse/WFLY-7351
Project: WildFly
Issue Type: Bug
Components: REST
Affects Versions: 10.1.0.Final
Environment: N/A
Reporter: Edvin Syse
Assignee: Stuart Douglas
Attachments: httpclient-sni-bug.zip
When creating a JAX-RS client using ClientBuilder.newClient() and accessing an SSL resource configured with SNI, the request fails.
When the request is made you get the default certificate for the ip as it is configured on the web server instead of the certificate corresponding to the host name you entered.
Attached is a simple Maven project with a rest endpoint that will make a request to https://www.syse.no/, which is a host configured with SNI. If you access this host with a client that is not SNI capable, you will get the default certificate instead of the one corresponding to www.syse.no. (That cert is actually expired, so that is the underlying cause reported by the http client in this case. In other cases you will most probably just get a name mismatch type of error).
This effectively prevents the Http client from being used reliably against a rapidly growing number of SSL enabled sites, as SNI is the new standard "everywhere" SSL is configured these days.
The underlying Apache HttpClient version does indeed support SNI. I have tested the version of Apache HttpClient that is bundled with Wildfly 10.1 and it works correctly.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
More information about the jboss-jira
mailing list