
Java HTTPS with SNI (BouncyCastle)

Showcase, December 20, 2018 - 11:42am, 502 views

Introduction

The purpose of this showcase is to demonstrate that the Server Name Indication (SNI) extension can be implemented with BouncyCastle.


Background

It is now common for multiple HTTPS websites or other secure services to be served from the same IP address, and each of these services may use a different certificate.

The certificate is presented by the server during the TLS handshake, which takes place before any HTTP request (the message that would otherwise carry the domain name) is sent. With the SNI extension the desired domain name is included in the Client Hello message, which is part of the TLS handshake. This allows the server to present the proper certificate for the domain the client wants to connect to, which is especially important when the client validates the server certificate.

Some servers (like the one used in the demo project) may even require that the client uses the SNI extension and reject connections if there is no SNI in the Client Hello message.

Please see here for more details about SNI: https://en.wikipedia.org/wiki/Server_Name_Indication

and TLS handshake: https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake


Project description

As the SNI extension is not part of the standard TLS implementation on Gemalto modules, I have created this demo to show how it could be implemented with the additional BouncyCastle libraries in case it is required.

For this demo I have used the BouncyCastle from this demo project:

https://developer.gemalto.com/showcase/java-explicit-ftps-implementation...

It is required to import the latest version of the 'FtpsExample' Eclipse project into the same workspace.

In this project neither SecureConnection nor HttpsConnection from the standard API is used. A bare SocketConnection is used instead, and the whole TLS layer is provided by the additional BouncyCastle library.

As the HTTP implementation provided by the standard API cannot be used in that configuration, the project includes a simple class with a minimal implementation that sends a GET request to an HTTP server and reads the reply. It was prepared just for this demo.

The MIDlet connects to two HTTPS servers, twice each (without and with SNI). The first server allows only connections with SNI, which is why the MIDlet throws an exception:

org.bouncycastle.crypto.tls.TlsFatalAlertReceived: internal_error(80)

It seems to reflect directly the response from the server, which replied with an 'Alert' message containing the description 'Internal Error (80)'.

With the SNI extension the connection is successful.
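The following is an added example illustrating the two steps the project combines (the BouncyCastle lightweight TLS client with the server_name extension on a plain socket stream, and a minimal HTTP GET written directly to the TLS stream). It is not the code from the SniExample project. It uses the org.bouncycastle.crypto.tls API of the bcprov 1.5x line; on a Gemalto module the java.net.Socket streams would be replaced by the streams of a javax.microedition.io.SocketConnection, and the host name 'sni-required.example' is a constructed placeholder. Unlike a demo that accepts any certificate, the client below also refuses a server certificate whose Subject Alternative Name does not match the host it was asked for, since presenting the right certificate is the whole point of sending SNI. Full chain validation against a trust anchor is still required and is not shown here.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.Socket;
import java.security.SecureRandom;
import java.util.Hashtable;
import java.util.Vector;

import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.crypto.tls.AlertDescription;
import org.bouncycastle.crypto.tls.Certificate;
import org.bouncycastle.crypto.tls.DefaultTlsClient;
import org.bouncycastle.crypto.tls.NameType;
import org.bouncycastle.crypto.tls.ServerName;
import org.bouncycastle.crypto.tls.ServerNameList;
import org.bouncycastle.crypto.tls.ServerOnlyTlsAuthentication;
import org.bouncycastle.crypto.tls.TlsAuthentication;
import org.bouncycastle.crypto.tls.TlsClientProtocol;
import org.bouncycastle.crypto.tls.TlsExtensionsUtils;
import org.bouncycastle.crypto.tls.TlsFatalAlert;
import org.bouncycastle.crypto.tls.TlsFatalAlertReceived;

/** TLS client that optionally adds the server_name extension and checks the leaf certificate against that name. */
class SniTlsClient extends DefaultTlsClient {
    private final String hostName;
    private final boolean sendSni;

    SniTlsClient(String hostName, boolean sendSni) {
        this.hostName = hostName.toLowerCase();
        this.sendSni = sendSni;
    }

    public Hashtable getClientExtensions() throws IOException {
        Hashtable ext = TlsExtensionsUtils.ensureExtensionsInitialised(super.getClientExtensions());
        if (sendSni) {
            // server_name extension: one host_name entry carrying the DNS name we want to reach
            Vector names = new Vector();
            names.addElement(new ServerName(NameType.host_name, hostName));
            TlsExtensionsUtils.addServerNameExtension(ext, new ServerNameList(names));
        }
        return ext;
    }

    public TlsAuthentication getAuthentication() throws IOException {
        return new ServerOnlyTlsAuthentication() {
            public void notifyServerCertificate(Certificate chain) throws IOException {
                // A server that ignores the missing SNI may answer with a default certificate
                // for some other name; rejecting it here is what makes SNI matter to the client.
                if (chain == null || chain.isEmpty()
                        || !SniHttpsDemo.matchesHost(chain.getCertificateAt(0), hostName)) {
                    throw new TlsFatalAlert(AlertDescription.bad_certificate);
                }
                // Chain-of-trust validation against the module's trust anchors goes here (omitted).
            }
        };
    }
}

public class SniHttpsDemo {
    /** True if a dNSName entry of the certificate's SAN equals the host or is a one-label wildcard for it. */
    static boolean matchesHost(org.bouncycastle.asn1.x509.Certificate cert, String host) {
        Extensions exts = cert.getTBSCertificate().getExtensions();
        if (exts == null) return false;
        GeneralNames san = GeneralNames.fromExtensions(exts, Extension.subjectAlternativeName);
        if (san == null) return false;
        GeneralName[] names = san.getNames();
        for (int i = 0; i < names.length; i++) {
            if (names[i].getTagNo() != GeneralName.dNSName) continue;
            String dns = DERIA5String.getInstance(names[i].getName()).getString().toLowerCase();
            if (dns.equals(host)) return true;
            if (dns.startsWith("*.")) {
                String suffix = dns.substring(1); // ".example.com"
                String label = host.endsWith(suffix) ? host.substring(0, host.length() - suffix.length()) : null;
                if (label != null && label.length() > 0 && label.indexOf('.') < 0) return true;
            }
        }
        return false;
    }

    /** Opens a TCP socket, runs the TLS handshake via BouncyCastle, sends a minimal GET and returns the status line. */
    static String httpsGet(String host, int port, boolean sendSni) throws IOException {
        Socket socket = new Socket(host, port); // module: Connector.open("socket://" + host + ":" + port)
        try {
            TlsClientProtocol tls = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), new SecureRandom());
            tls.connect(new SniTlsClient(host, sendSni)); // throws TlsFatalAlertReceived on a server alert
            OutputStream out = tls.getOutputStream();
            out.write(("GET / HTTP/1.1\r\nHost: " + host + "\r\nConnection: close\r\n\r\n").getBytes("US-ASCII"));
            out.flush();
            BufferedReader in = new BufferedReader(new InputStreamReader(tls.getInputStream(), "ISO-8859-1"));
            String status = in.readLine(); // e.g. "HTTP/1.1 200 OK"; headers and body follow and are discarded here
            while (in.readLine() != null) { /* drain until the server closes */ }
            tls.close();
            return status;
        } finally {
            socket.close();
        }
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "sni-required.example"; // constructed placeholder host
        try {
            System.out.println("without SNI: " + httpsGet(host, 443, false));
        } catch (TlsFatalAlertReceived e) {
            System.out.println("without SNI: server alert " + e.getMessage()); // e.g. internal_error(80)
        }
        System.out.println("with SNI:    " + httpsGet(host, 443, true));
    }
}
```

The alert text printed for the first attempt depends on the server: the one used in the showcase sends internal_error(80), others may send unrecognized_name or simply serve a default certificate, in which case the connection fails later in notifyServerCertificate with bad_certificate rather than in the handshake itself.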

The complete application log is also included. HTML content is not printed in the log; it is commented out in the source file.


Eclipse project


Download File SniExample.zip (zip | 645.76 KB)
Bartłomiej (Gemalto Moderator)