users@grizzly.java.net

Re: SNIFilter for Client

From: Oleksiy Stashok <oleksiy.stashok_at_oracle.com>
Date: Mon, 26 Jan 2015 11:48:46 -0800

I'll take a look at AHC and make it use SSLContext.createSSLEngine(host,
port).
Can I ask you to file a bug for it?

Thank you.

WBR,
Alexey.

On 23.01.15 13:05, Daniel Feist wrote:
> Hi,
>
> AHC uses the SSLFilter and doesn't use
> SSLContext.createSSLEngine(host, port) anywhere and so obviously
> doesn't work. If SSLFilter is switched out for SNIFilter then things
> work. But I believe there are three potential options and I'm not
> sure which is best:
>
> 1) Switch out the implementation SwitchingSSLFilter extends from
> SSLFilter to SNIFilter.
> 2) Use SSLContext.createSSLEngine(host, port) in AHC
> 3) Simply create socket with String host name and not InetAddress.
>
> I just added support for use of HttpClient31 via doing 3) and it
> works, Java 7+ handles the rest.
>
> Fix: https://github.com/mulesoft/mule/commit/416f594ae8d99eb1f8304f0bb549f372825e241c
>
> Context regarding this approach for enabling SNI:
> https://issues.apache.org/jira/browse/HTTPCLIENT-1119?focusedCommentId=13769887&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13769887
>
> Dan
>
> On Fri, Jan 23, 2015 at 8:49 PM, Oleksiy Stashok
> <oleksiy.stashok_at_oracle.com> wrote:
>> Exactly, it's enough to create SSLEngine using
>> SSLContext.createSSLEngine(host, port) and pass the host name.
>> I don't remember what we do in ahc, so will appreciate if you can
>> double-check that.
>>
>> Thank you.
>>
>> WBR,
>> Alexey.
>>
>>
>> On 23.01.15 12:21, Daniel Feist wrote:
>>> Simply replace SSLFilter with SNIFilter in the provider implementation.
>>>
>>> But TBH looking at SNI more closely I don't think this approach with
>>> SNIFilter is even required for outbound http. Ensuring the socket is
>>> created with the hostname and not IP is enough. So hold off for a
>>> while and I'll come back to you.
>>>
>>> Dan
>>>
>>> On Fri, Jan 23, 2015 at 7:42 PM, Oleksiy Stashok
>>> <oleksiy.stashok_at_oracle.com> wrote:
>>>> Pls. share the "hack" - I can commit it to ahc.
>>>>
>>>> WBR,
>>>> Alexey.
>>>>
>>>>
>>>> On 23.01.15 04:35, Daniel Feist wrote:
>>>>> Fantastic, works a treat. Just had to hack AHC a bit to use it :-(
>>>>>
>>>>> Dan
>>>>>
>>>>> On Fri, Jan 23, 2015 at 1:14 AM, Oleksiy Stashok
>>>>> <oleksiy.stashok_at_oracle.com> wrote:
>>>>>> Hi Dan,
>>>>>>
>>>>>> yes, SNIFilter is compatible with SSLFilter, it just extends it with
>>>>>> SNI
>>>>>> support.
>>>>>>
>>>>>> WBR,
>>>>>> Alexey.
>>>>>>
>>>>>>
>>>>>> On 22.01.15 16:44, Daniel Feist wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Just a very quick question. Is the use of SNIFilter instead of
>>>>>>> SSLFilter fully compatible with the SSLFilter?
>>>>>>>
>>>>>>> i.e. can I always use the SNIFilter for SSL and have SNI supported, but
>>>>>>> also not have to worry if SNI isn't supported/required by the target
>>>>>>> server? It looks like it is, but this isn't clear from javadoc, so
>>>>>>> wanted to check.
>>>>>>>
>>>>>>> thanks!
>>>>>>> Dan
>>>>>>
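
Added example, not part of the original thread and not Grizzly or AHC code: a Java check, using only the JDK's JSSE API, of the point discussed above, that an engine created with SSLContext.createSSLEngine(host, port) carries the host name in the ClientHello's server_name extension while an engine created without a peer host name has nothing to send. The host name, IP address and class name are constructed for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

public class SniClientHelloCheck {
    // Constructed sample values (reserved test name, documentation IP), not from the thread.
    static final String HOST = "service.example.test";
    static final String IP = "192.0.2.10";

    // Produce the ClientHello record in memory; no network connection is made.
    static byte[] clientHello(SSLEngine engine) throws Exception {
        engine.setUseClientMode(true);
        engine.beginHandshake();
        ByteBuffer net = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.wrap(ByteBuffer.allocate(0), net);
        net.flip();
        byte[] hello = new byte[net.remaining()];
        net.get(hello);
        return hello;
    }

    // Look for a server_name entry: name_type 0x00, 2-byte length, ASCII name.
    static boolean carriesSni(byte[] hello, String name) {
        byte[] n = name.getBytes(StandardCharsets.US_ASCII);
        for (int i = 0; i + 3 + n.length <= hello.length; i++) {
            if (hello[i] != 0 || ((hello[i + 1] & 0xff) << 8 | (hello[i + 2] & 0xff)) != n.length) {
                continue;
            }
            int j = 0;
            while (j < n.length && hello[i + 3 + j] == n[j]) {
                j++;
            }
            if (j == n.length) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("createSSLEngine(host, port): SNI present = "
                + carriesSni(clientHello(ctx.createSSLEngine(HOST, 443)), HOST));
        System.out.println("createSSLEngine():           SNI present = "
                + carriesSni(clientHello(ctx.createSSLEngine()), HOST));
        System.out.println("createSSLEngine(ip, port):   SNI present = "
                + carriesSni(clientHello(ctx.createSSLEngine(IP, 443)), IP));
    }
}
```

SNI only tells the server which certificate to present; checking that the certificate matches the host is a separate step, enabled on an SSLEngine with SSLParameters.setEndpointIdentificationAlgorithm("HTTPS").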