Java 将“jsse.enableSNIExtension”设置为 false 的安全后果是什么?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/32067124/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
What are the security consequences of setting "jsse.enableSNIExtension" to false?
提问by Salient Sage
I currently have an application that would make HTTP post request to a lot of URLs. Some of the connections are failing with the following exception.
我目前有一个应用程序可以向很多 URL 发出 HTTP 发布请求。某些连接失败,但出现以下异常。
Exception in thread "main" javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name at sun.security.ssl.ClientHandshaker.handshakeAlert(ClientHandshaker.java:1410) at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2004) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1113) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) at com.amazon.cba.iopn.test.MainTest.connectWithFallbackIfRequired(MainTest.java:246) at com.amazon.cba.iopn.test.MainTest.createHttpConnection(MainTest.java:201) at com.amazon.cba.iopn.test.MainTest.processLine(MainTest.java:105) at com.amazon.cba.iopn.test.MainTest.main(MainTest.java:99)
线程“main”中的异常 javax.net.ssl.SSLProtocolException:握手警报:unrecognized_name at sun.security.ssl.ClientHandshaker.handshakeAlert(ClientHandshaker.java:1410) at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java: 2004) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1113) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java) :1391) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) at sun.net.www.protocol。 https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) 在 sun.net.www.protocol.https.HttpsURLConnectionImpl。connect(HttpsURLConnectionImpl.java:153) at com.amazon.cba.iopn.test.MainTest.connectWithFallbackIfRequired(MainTest.java:246) at com.amazon.cba.iopn.test.MainTest.createHttpConnection(MainTest.java:201)在 com.amazon.cba.iopn.test.MainTest.processLine(MainTest.java:105) 在 com.amazon.cba.iopn.test.MainTest.main(MainTest.java:99)
I figure out after reading other articles from net that this is an issue with the server configuration. The server in reply throws a warning which Java treats as Exception. The workaround is to set jsse.enableSNIExtensionto "false".
我从网上阅读其他文章后发现这是服务器配置的问题。回复中的服务器抛出一个警告,Java 将其视为异常。解决方法是将jsse.enableSNIExtension设置为“ false”。
- What are the security risk the client exposes, if it sets the jsse.enableSNIExtensionsystem property to false?
- 如果客户端将jsse.enableSNIExtension系统属性设置为false,它会暴露哪些安全风险?
PS:All URLs that we are trying to connect over HTTPS. So, there will be certificate verification.
PS:我们尝试通过 HTTPS 连接的所有 URL。所以,会有证书验证。
回答by jpereira
from oracle (http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html):
来自甲骨文(http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html):
It enables TLS connections to virtual servers, in which multiple servers for different network names are hosted at a single underlying network address
它支持与虚拟服务器的 TLS 连接,其中多个不同网络名称的服务器托管在一个底层网络地址上
If you disable jsse.enableSNIExtension you won't be able to connect to pages under a virtual server
如果您禁用 jsse.enableSNIExtension,您将无法连接到虚拟服务器下的页面
