Configure Server Name Indication (SNI) Control With wolfjsse.autoSNI

wolfSSL’s Java JSSE provider version 1.16.0 now includes support for the wolfjsse.autoSNI System property. This new feature allows developers to control how the Server Name Indication (SNI) extension is configured during the TLS handshake.

Understanding the wolfjsse.autoSNI Property

Server Name Indication (SNI) allows a client to specify the hostname it is attempting to connect to at the start of the handshake. This is critical for servers hosting multiple domains on a single IP address.

The wolfjsse.autoSNI property dictates how wolfJSSE handles the SNI extension:

  • Default (false): SNI is only set when explicitly configured via SSLParameters. This aligns with standard JSSE behavior and ensures the extension is only sent when intended.
  • Legacy Mode (true): When enabled, wolfJSSE automatically configures SNI based on the hostname or peer address, even if it has not been explicitly defined in SSLParameters. Auto-setting the SNI requires both the hostname and peerAddr to be non-null (the HttpsURLConnection pattern).
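
With the default setting the client has to supply the SNI name itself through SSLParameters. The following is an added example, not code from wolfSSL, and uses only the standard javax.net.ssl API. It assumes wolfJSSE is the JSSE provider behind the default SSLContext; the class name, port 443 and the host www.example.com are placeholders.

```java
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class ExplicitSniExample {

    /** Explicitly configure SNI, as required when wolfjsse.autoSNI is false (the default). */
    static void setSni(SSLSocket sock, String host) {
        SSLParameters params = sock.getSSLParameters();
        // SNIHostName throws IllegalArgumentException for a malformed name,
        // so a bad value fails here rather than during the handshake.
        params.setServerNames(
            Collections.<SNIServerName>singletonList(new SNIHostName(host)));
        // SNI only tells the server which name is wanted; checking that the
        // returned certificate matches the host is a separate setting.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        sock.setSSLParameters(params);
    }

    public static void main(String[] args) throws Exception {
        // Legacy alternative described in the article: start the JVM with
        // -Dwolfjsse.autoSNI=true and rely on automatic SNI instead of setSni().
        String host = args.length > 0 ? args[0] : "www.example.com"; // placeholder
        // Assumption: the default SSLContext is backed by wolfJSSE.
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();

        // With a host argument, connect to it; without one, use an unconnected
        // socket so the configuration can be inspected offline.
        try (SSLSocket sock = (SSLSocket) (args.length > 0
                ? factory.createSocket(host, 443)
                : factory.createSocket())) {
            setSni(sock, host); // must happen before the handshake starts
            System.out.println("SNI configured: "
                + sock.getSSLParameters().getServerNames());
            if (args.length > 0) {
                sock.startHandshake();
                System.out.println("Negotiated: " + sock.getSession().getProtocol());
            }
        }
    }
}
```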

Benefits of the New Property

The introduction of this property provides several key benefits:

  • Standard Alignment: Improves compatibility with standard JSSE test suites such as SunJSSE.
  • Granular Control: Developers can now choose between strict JSSE behavior or the legacy “auto-discovery” mode.
  • Compatibility: Maintains support for existing applications that rely on automatic SNI configuration, while securing new implementations by default.

To ensure stability, this release includes updated test coverage in WolfSSLSocketTest, verifying that both manual and automatic SNI configurations function seamlessly across different environments.

Troubleshooting Peer Verification

Some users have reported an issue with peer verification in WolfSSLInternalVerifyCb where the wolfJSSE build validates a certificate chain different from the one expected. Setting wolfjsse.autoSNI to true will revert to the behavior of previous wolfJSSE versions and may solve the problem.

If you have questions about configuring SNI or integrating wolfJSSE 1.16.0 into your Java application, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.