users@grizzly.java.net

Re: SNIFilter for Client

From: Daniel Feist <dfeist_at_gmail.com>
Date: Fri, 23 Jan 2015 21:05:20 +0000

Hi,

AHC uses the SSLFilter and doesn't use
SSLContext.createSSLEngine(host, port) anywhere and so obviously
doesn't work. If SSLFilter is switched out for SNIFilter then things
work. But I believe there are three potential options and I'm not
sure which is best:

1) Switch the implementation SwitchingSSLFilter extends from
SSLFilter to SNIFilter.
2) Use SSLContext.createSSLEngine(host, port) in AHC
3) Simply create socket with String host name and not InetAddress.

I just added support for use of HttpClient31 via doing 3) and it
works, Java 7+ handles the rest.

Fix: https://github.com/mulesoft/mule/commit/416f594ae8d99eb1f8304f0bb549f372825e241c

Context regarding this approach for enabling SNI:
https://issues.apache.org/jira/browse/HTTPCLIENT-1119?focusedCommentId=13769887&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13769887

Dan

On Fri, Jan 23, 2015 at 8:49 PM, Oleksiy Stashok
<oleksiy.stashok_at_oracle.com> wrote:
> Exactly, it's enough to create SSLEngine using
> SSLContext.createSSLEngine(host, port) and pass the host name.
> I don't remember what we do in ahc, so will appreciate if you can
> double-check that.
>
> Thank you.
>
> WBR,
> Alexey.
>
>
> On 23.01.15 12:21, Daniel Feist wrote:
>>
>> Simply replace SSLFilter with SNIFilter in the provider implementation.
>>
>> But TBH looking at SNI more closely I don't think this approach with
>> SNIFilter is even required for outbound http. Ensuring the socket is
>> created with the hostname and not IP is enough. So hold off for a
>> while and I'll come back to you..
>>
>> Dan
>>
>> On Fri, Jan 23, 2015 at 7:42 PM, Oleksiy Stashok
>> <oleksiy.stashok_at_oracle.com> wrote:
>>>
>>> Pls. share the "hack" - I can commit it to ahc.
>>>
>>> WBR,
>>> Alexey.
>>>
>>>
>>> On 23.01.15 04:35, Daniel Feist wrote:
>>>>
>>>> Fantastic, works a treat. Just had to hack AHC a bit to use it :-(
>>>>
>>>> Dan
>>>>
>>>> On Fri, Jan 23, 2015 at 1:14 AM, Oleksiy Stashok
>>>> <oleksiy.stashok_at_oracle.com> wrote:
>>>>>
>>>>> Hi Dan,
>>>>>
>>>>> yes, SNIFilter is compatible with SSLFilter, it just extends it with
>>>>> SNI
>>>>> support.
>>>>>
>>>>> WBR,
>>>>> Alexey.
>>>>>
>>>>>
>>>>> On 22.01.15 16:44, Daniel Feist wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Just a very quick question. Is the use of SNIFilter instead of
>>>>>> SSLFilter fully compatible with the SSLFilter?
>>>>>>
>>>>>> i.e. Can I always use the SNIFilter for SSL and have SNI supported, but
>>>>>> also not have to worry if SNI isn't supported/required by the target
>>>>>> server? It looks like it is, but this isn't clear from javadoc, so
>>>>>> wanted to check.
>>>>>>
>>>>>> thanks!
>>>>>> Dan
>>>>>
>>>>>
>