
Opened 9 years ago

Closed 9 years ago

Last modified 7 years ago

#12152 closed enhancement (fixed)

Provide hostname with SNI when using https

Reported by: francois.lacombe
Owned by: Don-vip
Priority: normal
Milestone: 15.12
Component: Core
Version:
Keywords: https, sni, api
Cc:

Description

Hi,

JOSM is providing a very useful ability to connect to https API services.
I'm currently using a custom instance with a host requiring SNI when connecting with HTTPS.
https://fr.wikipedia.org/wiki/Server_Name_Indication

Since JOSM isn't sending this piece of information, the server is rejecting the connection with a 403 return code.
Is it possible to add this to the https stack please?

Attachments (0)

Change History (10)

comment:1 by Don-vip, 9 years ago

SNI support had been disabled before because of poor Java support. We can see if the situation is better now with Java 8. Can you please share your URL with us? By email if needed.

comment:2 by simon04, 9 years ago

Keywords: java8 added

comment:3 by Don-vip, 9 years ago

OK I got from François enough information to test.

The connection with his https/SNI server API is refused by Apache with HTTP 403 + error body as follows:

Forbidden

You don't have permission to access XXX/api/capabilities on this server.
Reason: The client software did not provide a hostname using Server Name Indication (SNI), which is required to access this server.


Apache/2.4.10 (Debian) Server at XXX Port 443

comment:4 by stoecker, 9 years ago

It's relatively easy to set up a test instance redirecting to the OSM API when needed.

What's the issue with poor SNI support in Java? It's either there or not working, but why must it be disabled?

comment:5 by Don-vip, 9 years ago

Keywords: java8 removed
Milestone: 15.12
Owner: changed from team to Don-vip
Status: new → assigned

So here's the situation.

We received bug report #9875 in which a user receives with Java 7:

javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name

when accessing https://raw.githubusercontent.com/bastik/mapcss-tools/osm/mapnik2mapcss/osm-results/mapnik.zip

Java effectively supports SNI on the client side since version 7, but fails when it receives a warning from a misconfigured Apache server.

So I disabled SNI in r6946 + r6950, but you can enable SNI by yourself with this advanced JOSM property: jdk.tls.disableSNIExtension=false.

There is a low-level workaround here.

I tried to access François' server with Oracle JDK7u80 and JDK8u66 and it works fine.

It works fine also with JOSM server, OSM API and Github.

It must have been a poor Github configuration that has been solved since, so I'm re-enabling SNI by default.

comment:6 by Don-vip, 9 years ago

Resolution: fixed
Status: assigned → closed

In 9218/josm:

fix #12152 - re-enable SNI by default

comment:7 by stoecker, 9 years ago

Reading #9875 I could say "I said it" :-)

Actually the fact that Java ignores nearly all good practices of network connections and protocols is really disturbing.

If #9875 gets an issue again, the solution would be to try SNI first and open the connection IP based as a second try.

I think the "unknown name" comes from fallback addresses. And that's not really a misconfiguration in my eyes. Java raises (raised?) a warning to error level, which is simply wrong behaviour, as the CA check should be ultimate and not such a warning.
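
The "try SNI first, retry without it" strategy proposed in comment 7, with the Java 7/8 behaviour described in comment 5 (the server's unrecognized_name warning alert surfacing as a fatal SSLProtocolException) as the trigger, as an added example. This is example code written for this ticket, not JOSM code and not the r9218 change; it assumes a plain JDK 8+ runtime that is not started with jdk.tls.disableSNIExtension=true (that property overrides per-socket settings), and the host and port are supplied on the command line rather than assumed. Setting an empty server-name list on SSLParameters is the JDK's documented way to omit the server_name extension for one socket; hostname verification against the certificate is turned on in both attempts, because dropping SNI must never weaken what the client checks, only what it announces.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLProtocolException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Example added to ticket #12152 (not JOSM code): attempt a TLS handshake with SNI,
 * and only if the server answers with an unrecognized_name alert that the JDK turns
 * into an exception, retry the same host once without the server_name extension.
 */
public class SniFallbackProbe {

    public enum Outcome { OK_WITH_SNI, OK_WITHOUT_SNI }

    private static final int TIMEOUT_MS = 10_000; // assumed value for this example

    public static Outcome connect(String host, int port) throws IOException {
        try {
            handshake(host, port, true);
            return Outcome.OK_WITH_SNI;
        } catch (SSLProtocolException e) {
            // Java 7/8 escalate the server's unrecognized_name *warning* alert to a fatal
            // handshake failure (the #9875 symptom). Only that specific failure justifies a
            // retry without SNI; certificate, hostname or protocol errors must propagate.
            String msg = e.getMessage();
            if (msg == null || !msg.contains("unrecognized_name")) {
                throw e;
            }
        }
        handshake(host, port, false);
        return Outcome.OK_WITHOUT_SNI;
    }

    private static void handshake(String host, int port, boolean sendSni) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            socket.connect(new InetSocketAddress(host, port), TIMEOUT_MS);
            socket.setSoTimeout(TIMEOUT_MS);

            SSLParameters params = socket.getSSLParameters();
            // Certificate hostname verification stays on whether or not SNI is sent:
            // SNI changes what the client announces, never what it verifies.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            List<SNIServerName> names = sendSni
                    ? Collections.<SNIServerName>singletonList(new SNIHostName(host))
                    : Collections.<SNIServerName>emptyList(); // empty list: no server_name extension
            params.setServerNames(names);
            socket.setSSLParameters(params);

            socket.startHandshake(); // throws SSLProtocolException on the fatal alert
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length < 1) {
            System.err.println("usage: java SniFallbackProbe <host> [port]");
            System.exit(2);
        }
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        System.out.println(host + ":" + port + " -> " + connect(host, port));
    }
}
```

Note that the two failure modes in this ticket are distinguishable: the Apache response in comment 3 arrives as an HTTP 403 after a *successful* handshake (the server wanted SNI and the client did not send it), whereas the #9875 case fails inside the handshake itself (the client sent SNI and the server complained). Only the second is handled by the fallback above; the first is cured simply by sending SNI, which is what r9218 restores as the default.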

comment:8 by francois.lacombe, 9 years ago

Thank you guys :)

comment:9 by Don-vip, 7 years ago

FYI, Oracle has fixed a bug related to SNI in 8u141: javabug:8144566

comment:10 by francois.lacombe, 7 years ago

Nice to see it

Moving from my own self-signed CA to Let's Encrypt solved many issues I may have had before.
Anyway, it's good news to see Java fixing such bugs.
