SocketChannelImpl doesn't set SNIHostName

[yschimke]

Related to https://github.com/square/okhttp/pull/6554 but not likely the cause, the SNI hostname extension isn't set with socket channels. This was previously assumed to be in place from JDK7+.

Unable to indicate server name
Ignore, context unavailable extension: server_name
Ignore inactive or disabled named group: ffdhe2048
Ignore inactive or disabled named group: ffdhe3072
Ignore inactive or disabled named group: ffdhe4096
Ignore inactive or disabled named group: ffdhe6144
Ignore inactive or disabled named group: ffdhe8192
Signature algorithm, ed25519, is not supported by the underlying providers
Signature algorithm, ed448, is not supported by the underlying providers
Produced ClientHello handshake message
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "F5 D2 42 97 87 4B C8 0E 5B C4 C8 05 9F BD E2 A3 8A DB 99 44 C7 3C 24 42 8A 74 98 B9 0C F0 8F 4D",
  "session id"          : "",
  "cipher suites"       : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)]",
  "compression methods" : "00",
  "extensions"          : [
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [x25519, secp256r1, secp384r1, secp521r1, x448]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "application_layer_protocol_negotiation (16)": {
      [h2, http/1.1]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2]
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}

[yschimke]

Fix will be

    if (hostname != null) {
      sslParameters.serverNames = listOf(SNIHostName(hostname))
    }

[yschimke]

The first problem with SNIHostName turns out to be that you can't use SNI with localhost! So I've switched to a fake "local.host"

https://tools.ietf.org/html/rfc6066#page-6 specifies a FQDN is required.

Not sure if we should force it?

[yschimke]

Enforced in JSSE code like

http://hg.openjdk.java.net/jdk8u/jdk8u60/jdk/file/48e79820c798/src/share/classes/sun/security/ssl/Utilities.java

[yschimke]

Should be localhost.localdomain

https://superuser.com/q/703221/133761