无论什么原因，Java SNI实现显然不提供服务器端的实际主机名。相反，文档[1]（在基于SSLSocket的虚拟服务器调度程序下）建议手动解析初始SSL数据包并从那里提取服务器名称。

For whatever reason, the Java SNI implementation apparently does not provide the actual host name on the server side. Instead, the documentation [1] (under "Virtual Server Dispatcher Based on SSLSocket") recommends manually parsing the initial SSL packet and extracting the server name from there.

你可以还使用SNIMatcher [2]要求客户端提供某个名称;如果匹配器不匹配，则客户端在SSL层获取错误。

You could also use an SNIMatcher [2] to require that the client provides a certain name; if the matcher does not match, then the client gets an error at the SSL layer.

[1] http://docs.oracle.com/javase/8/docs/technotes/guides/security/ jsse / JSSERefGuide.html＃SNIExamples
[2] http://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SNIMatcher.html

更新：我编写了一个自定义SNI解析器，它的工作原理如下：客户端将SNI作为SSL ClientHello消息的一部分发送，这是第一个作为设置的一部分发送的消息建立SSL连接。我的实现首先解析它，然后使用与请求的主机名匹配的正确服务器端证书设置SSLEngine。

Update: I've written a custom SNI parser and it works like this: the client sends the SNI as part of the SSL ClientHello message, which is the first message sent as part of setting up an SSL connection. My implementation first parses that, and then sets up an SSLEngine with the right server-side certificate matching the requested host name.