Hi JB,
As you suggested, I tried the two approaches below, but nothing worked.
1. conf/jetty.xml
<!-- Enable this connector if you wish to use https with web console -->
<bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
    <constructor-arg ref="Server" />
    <constructor-arg>
        <bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
            <property name="keyStorePath" value="${activemq.conf}/broker.ks" />
            <property name="keyStorePassword" value="password" />
            <property name="sniRequired" value="false" />
        </bean>
    </constructor-arg>
    <property name="port" value="8162" />
</bean>
2. bin/activemq script
Tried adding three properties as mentioned by documentation.
$ bin/activemq start -Djetty.sslContext.sniRequired=false -Djetty.ssl.sniRequired=false -Djetty.ssl.sniHostCheck=false
Still did not work.
If you can point out which key to add or where to add it, it will be a big help.
Regards,
Chitranshu
-----Original Message-----
From: Jean-Baptiste Onofré <[email protected]>
Sent: 13 January 2025 12:38
To: [email protected]
Subject: [EXTERNAL] - Re: Question Regarding SNI configuration in jetty.xml for
AMQ Classic
Hi,
Server Name Indication (SNI) is a TLS extension that clients send to indicate
what domain they want to connect to during the initial TLS handshake.
Modern TLS clients (e.g. browsers) always send the SNI extension; however,
older TLS clients may not send the SNI extension.
AFAIR, sniRequired can be passed as system property (so via the bin/activemq
script). You can also provide it in the sslContextFactory configure section of
the jetty.xml (by adding it).
Regards
JB
On Mon, Jan 13, 2025 at 4:57 AM Chitranshu Changdar
<[email protected]> wrote:
>
> Hi,
>
> Need some help with AMQ Classic configurations for HTTPS connection using the
> ssl certificate.
> At first, I was facing an issue with the jetty.xml configuration for the ssl
> connection, but that was resolved with the help of AMQ-9405.
> For this to work with https we must generate brokers.ks with specific
> hostname and if we create a generic broker.ks with localhost or 0.0.0.0, then
> it returns "HTTP ERROR 400 Invalid SNI".
> Till 5.17.x or 5.18.x this was working with localhost value.
>
> From the other sources and Jetty documentation we could see this can be
> disabled with the help of "jetty.sslContext.sniRequired".
> So, my question is, is there any way to add this configuration in jetty.xml
> or somewhere else?
>
> If anyone can provide any resolution, that would be a great help.
>
> AMQ Classic Version : 6.1.4
> Platform : RHEL-9.3
>
> Thanks
>