What are the security consequences of setting "jsse.enableSNIExtension" to false?
I currently have an application that would make HTTP post request to a lot of URLs. Some of the connections are failing with the following exception.

    Exception in thread "main" javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
        at sun.security.ssl.ClientHandshaker.handshakeAlert(ClientHandshaker.java:1410)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2004)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1113)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
        at com.amazon.cba.iopn.test.MainTest.connectWithFallbackIfRequired(MainTest.java:246)
        at com.amazon.cba.iopn.test.MainTest.createHttpConnection(MainTest.java:201)
        at com.amazon.cba.iopn.test.MainTest.processLine(MainTest.java:105)
        at com.amazon.cba.iopn.test.MainTest.main(MainTest.java:99)

I figured out, after reading other articles on the net, that this is an issue with the server configuration. The server in reply throws a warning which Java treats as an exception. The workaround is to set jsse.enableSNIExtension to "false".

  • What are the security risks the client is exposed to if it sets the jsse.enableSNIExtension system property to false?

PS: All URLs that we are trying to connect to are over HTTPS. So there will be certificate verification.

Periodicity answered 18/8, 2015 at 8:17

Setting 'jsse.enableSNIExtension' to false disables SNI support for your entire application. If you connect to a single domain or a fixed set of domains, none of which support SNI, this shouldn't be an issue. However, if some of your domains use SNI, your app will not be able to connect. A workaround that attempts to thwart the misconfigured SNI check is detailed in https://mcmap.net/q/116875/-ssl-handshake-alert-unrecognized_name-error-since-upgrade-to-java-1-7-0 – Pentobarbital
From Oracle (http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html):

It enables TLS connections to virtual servers, in which multiple servers for different network names are hosted at a single underlying network address

If you disable jsse.enableSNIExtension you won't be able to connect to pages under a virtual server.

Fetterlock answered 31/3, 2016 at 9:11

That is actually not completely accurate. You can have multiple virtual servers of which each one has a separate IP. You can also have a single IP, but the same certificate for all virtual hosts (with alternative names in the certificate or with a wildcard certificate). – Cowey

Java SE 8: security/jsse/JSSERefGuide.html#SNIExtension – Eure
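The point made in the thread is that SNI lets a server on a shared address pick the right certificate, and that the global jsse.enableSNIExtension switch turns it off for every connection the JVM makes. The following is an added example, not code from the question or answers, of the per-socket alternative on Java 8+: SNI stays on, only a host that replies with the unrecognized_name alert is retried without it, and endpoint identification ("HTTPS") stays enabled on both attempts so certificate-to-hostname checking is never relaxed. The class name, the constructed default host and the fallback-by-message-text check are assumptions for the demo.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLProtocolException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Per-socket SNI control: SNI is sent by default; only a host that answers with the
// unrecognized_name alert is retried without it, and hostname verification is never relaxed.
public class SniFallbackDemo {
    // Opens and handshakes a TLS socket; sendSni toggles the SNI extension for this socket only.
    static SSLSocket handshake(String host, int port, boolean sendSni) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        // "HTTPS" makes JSSE check that the presented certificate matches the host name.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        // Empty server-name list = no SNI for this socket; jsse.enableSNIExtension stays at its default.
        List<SNIServerName> names = sendSni
                ? Collections.<SNIServerName>singletonList(new SNIHostName(host))
                : Collections.<SNIServerName>emptyList();
        params.setServerNames(names);
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }
    static SSLSocket connectWithFallback(String host, int port) throws IOException {
        try {
            return handshake(host, port, true);
        } catch (SSLProtocolException e) {
            // Retry only for the server-side SNI misconfiguration seen in the question's stack trace.
            if (e.getMessage() != null && e.getMessage().contains("unrecognized_name")) {
                return handshake(host, port, false);
            }
            throw e;
        }
    }
    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "example.com"; // constructed default for the demo
        try (SSLSocket s = connectWithFallback(host, 443)) {
            X509Certificate leaf = (X509Certificate) s.getSession().getPeerCertificates()[0];
            System.out.println(s.getSession().getProtocol() + " with " + leaf.getSubjectX500Principal());
        }
    }
}
```

Comparing the printed subject of the certificate with and without SNI against the same shared-hosting address shows which certificate the server falls back to when the extension is absent.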