
Re: [jetty-users] Invalid SNI question (null sniHost)

Also the real issue I stated on the post is that it alternates between working, and invalid SNI exception.
When the exception happens, the sniHost is null. If the versions were a problem, how would that happen?

On Mon, Jun 24, 2024 at 3:53 PM RBK <discussman@xxxxxxxxx> wrote:
Thank you.

As detailed in my stackoverflow post, we did collect wireshark logs (on the server side) and saw the SNI coming in from the client.
I just checked and the Java version being used on the server side by our customer is Oracle Java 11 (+28).

I believe Oracle Java 11 started supporting TLSv1.3. I am not sure if it does not support 1.2.

On Mon, Jun 24, 2024 at 2:43 PM Joakim Erdfelt <joakim.erdfelt@xxxxxxxxx> wrote:
There are 2 common reasons.

1. The HTTP User Agent (browser, http-client) didn't send the SNI information in its TLS layer.
2. The Server side TLS layer (coming from Java or 3rd party libs) you are using doesn't support SNI.

For number 1, there's nothing you can do, but reject those ancient clients.
Usually just restricting the TLS level to 1.3 and maybe 1.2 is enough to filter out those ancient clients.

For number 2, there are many 3rd party libraries that provide TLS/SSL/Crypto that do not support SNI.
The most commonly reported one to us is Conscrypt. (there is no support for this in Conscrypt as of yet)
But there are other libraries that provide FIPS that get reported on a regular basis. (usually upgrading your FIPS library to the latest generation is enough)
If you use the built-in SSL/TLS in OpenJDK, you will have functional SNI support.
If you use other JVMs (like the ones from IBM) then you have to find the solution with those JVMs.

- Joakim

On Mon, Jun 24, 2024 at 11:54 AM RBK via jetty-users <jetty-users@xxxxxxxxxxx> wrote:
Hello,

I posted this question on StackOverflow regarding the Jetty exception "Invalid SNI" that we see with a customer of our product, and I wanted to post it here for further insight, and if anyone else came across the same scenario.
We were able to enable Jetty logging and found that sniHost is null in the following piece of code within the Jetty source code, causing the exception.

// Jetty reads the SNI host name that the TLS layer stored on the session; null means none was recorded.
String sniHost = (String) session.getValue(SslContextFactory.Server.SNI_HOST);

What might be a situation that causes the sniHost to be null and what can be done about it? Is there a way to troubleshoot this further? I am thinking that it might be something specific to the machine, but I don't know where to look.

Thanks for any insights anyone can provide.
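An added example, not code from this thread or from Jetty: a small Python parser that reads a raw TLS ClientHello (for instance the bytes of the first client record exported from a Wireshark capture, as the original poster collected) and reports whether the server_name extension is present. That is the check behind reason 1 above: if the client never sent the extension, no server-side library can populate the SNI host. The sample ClientHello bytes are constructed inline by build_client_hello, and all function names here are this example's own.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16      # record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI)
EXT_SUPPORTED_VERSIONS = 0x002B
HOST_NAME_TYPE = 0x00     # only name type defined for server_name


class ClientHelloError(ValueError):
    """Raised when the bytes are not a well-formed ClientHello record."""


def extract_sni(data: bytes) -> Optional[str]:
    """Return the SNI host name from a ClientHello, or None if the client sent none."""
    try:
        if data[0] != TLS_HANDSHAKE:
            raise ClientHelloError("not a TLS handshake record")
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if len(body) < rec_len:
            raise ClientHelloError("truncated record")
        if body[0] != CLIENT_HELLO:
            raise ClientHelloError("handshake message is not a ClientHello")
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < hs_len:
            raise ClientHelloError("truncated ClientHello")

        pos = 2 + 32                                   # legacy_version + random
        pos += 1 + hello[pos]                          # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                          # compression_methods
        if pos >= len(hello):
            return None                                # legacy client: no extensions block at all
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            ext = hello[pos:pos + length]
            pos += length
            if ext_type != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", ext[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                name = ext[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == HOST_NAME_TYPE:
                    return name.decode("ascii")
            return None                                # extension present but no host_name entry
        return None                                    # extensions present, server_name absent
    except (IndexError, struct.error) as exc:
        raise ClientHelloError("malformed ClientHello") from exc


def diagnose(data: bytes) -> str:
    """One log-style verdict per captured record, for comparing against Jetty's 'Invalid SNI'."""
    try:
        host = extract_sni(data)
    except ClientHelloError as exc:
        return f"not-a-client-hello ({exc})"
    return f"sni-present host={host}" if host is not None else "sni-absent (client sent no server_name)"


def build_client_hello(sni: Optional[str], with_extensions: bool = True) -> bytes:
    """Constructed sample ClientHello; only the fields the parser walks are meaningful."""
    body = struct.pack("!H", 0x0303) + bytes(range(32))        # legacy_version + fixed 'random'
    body += b"\x00"                                             # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in (0x1301, 0x1302, 0xC02F))
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                         # one compression method: null
    if with_extensions:
        sv = b"\x04" + struct.pack("!HH", 0x0304, 0x0303)       # supported_versions: TLS 1.3, 1.2
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
        if sni is not None:
            host = sni.encode("ascii")
            entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(host)) + host
            sni_ext = struct.pack("!H", len(entry)) + entry
            exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
        body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + struct.pack("!H", 0x0301) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for label, record in (("modern client", build_client_hello("example.com")),
                          ("no SNI extension", build_client_hello(None)),
                          ("no extensions at all", build_client_hello(None, with_extensions=False))):
        print(f"{label}: {diagnose(record)}")
```

To use it on a real capture, export the payload of the first TLS record the client sends (Wireshark: Follow TCP Stream, raw, or Export Packet Bytes on the TLS layer) and pass those bytes to diagnose. A "sni-present" verdict for a connection that still failed with "Invalid SNI" points at reason 2 (the server-side TLS provider), while "sni-absent" points at reason 1 (the client), which matches the order of checks Joakim lists above.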