我正在尝试客户端 SNI 实现,我看到我可以将多个主机名(生成相同的证书)传递给 SSLParameters ,下面的代码片段。
SSLSocketFactory factory =(SSLSocketFactory)SSLSocketFactory.getDefault();
SSLSocket socket =(SSLSocket)factory.createSocket("www.verisign.com", 443);
SNIHostName serverName1 = new SNIHostName("www.verisign.co.in");
SNIHostName serverName2 = new SNIHostName("www.verisign.co.uk");
List<SNIServerName> serverNames = new ArrayList<>();
serverNames.add(serverName1);
serverNames.add(serverName2);
SSLParameters params = socket.getSSLParameters();
params.setServerNames(serverNames);
socket.setSSLParameters(params);
java.lang.IllegalArgumentException: Duplicated server name of type 0
at java.base/javax.net.ssl.SSLParameters.setServerNames(SSLParameters.java:343)
at SSLSocketClient.main(SSLSocketClient.java:69)
[type=host_name (0), value=www.verisign.co.in, type=host_name (0), value=www.verisign.co.uk]
如果它不允许多个主机名,那么为什么要提供传递服务器名称列表的规定。
最佳答案
似乎该标准曾经支持多个主机名,但该支持已被放弃。
根据 SNI 的 RFC (https://datatracker.ietf.org/doc/html/rfc6066)
The ServerNameList MUST NOT contain more than one name of the same name_type.
...
Note: Earlier versions of this specification permitted multiple names of the same name_type. In practice, current client implementations only send one name, and the client cannot necessarily find out which name the server selected. Multiple names of the same name_type are therefore now prohibited.
人们可能会尝试添加具有不同 name_types 的其他名称。但是,似乎唯一定义过的 name_type 是“host_name”,即 0。
关于java.lang.IllegalArgumentException : Duplicated server name of type 0,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/65827393/