Hello Greg,

Thanks for this, I have opened a feature request at https://github.com/eclipse/jetty.project/issues/3863. That mode you describe would do fine for me.

Kind regards,

Silvio


On 09-07-19 08:18, Greg Wilkins wrote:

Silvio,

Open a feature request on github and we'll look at this.  It might be simply that we can add a mode that if no SNI matches are found then we don't delegate to the normal key manager... At least that would work if you have all SNI capable keys.  If there is no SNI match and you want to select from only those certs that don't have SNI, that will be more difficult.

cheers



On Mon, 8 Jul 2019 at 19:48, Silvio Bierman <[email protected] <mailto:[email protected]>> wrote:

    Hello Greg,

    The keystore contains both wildcard certs and non-wildcard certs,
    for a total of ~100 certs. If a request for a domain matching a
    cert comes in the right cert is selected, totally no issues there.
    But when there is no matching cert or no SNI info is provided I
    think the first cert in the keystore is served. That cert does not
    match the request and the client will reject it, of course. But
    the details of the cert are revealed that way which is what I want
    to prevent. For example Qualys SSL-labs will display a cert that
    it receives when trying a request without SNI, as in
    https://www.ssllabs.com/ssltest/analyze.html?d=zakelijkpanel.kpn.com&hideResults=on

    So if no matching cert or no SNI info is present I want to 400 or
    something.

    Kind regards,

    Silvio


    On 08-07-19 19:32, Greg Wilkins wrote:
    Silvio,

    I'm sorry, but we are going to need more info than that.  Can you
    describe precisely the setup you have with regards to what certs
    are in your keystore and what sort of cert they are (eg wild
    cards etc.).  Then give us an example of exactly what you mean by
    random cert?

    Typically jetty tries to defer as much as possible to the default
    implementations, so if we can't select a cert by SNI, we are
    probably letting the JRE libs do the selection... but perhaps we
    are doing something wrong... so do tell us more.

    cheers


    On Mon, 8 Jul 2019 at 18:56, Silvio Bierman <[email protected] <mailto:[email protected]>> wrote:

        Hello all,

        I am using Jetty as my HTTPS front-end and have a keystore
        containing multiple certificates which are selected via Jetty
        SNI support. But when a request without proper SNI info arrives
        Jetty presents a sort-of random certificate. Is there a way to
        prevent this and just have the request fail instead?

        Thanks in advance,

        Silvio
        _______________________________________________
        jetty-users mailing list
        [email protected] <mailto:[email protected]>
        To change your delivery options, retrieve your password, or
        unsubscribe from this list, visit
        https://www.eclipse.org/mailman/listinfo/jetty-users



    --
    Greg Wilkins <[email protected] <mailto:[email protected]>> CTO
    http://webtide.com





--
Greg Wilkins <[email protected] <mailto:[email protected]>> CTO http://webtide.com

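The two behaviours discussed in this thread, modelled as an added example that is not Jetty's code: a keystore holding wildcard and non-wildcard certs, exact-before-wildcard SNI matching, and a strict mode that presents no certificate at all when the client sends no SNI or nothing matches, instead of falling back to the first cert in the keystore the way the default key manager does. The keystore entries, aliases and `.test` host names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class CertEntry:
    """One keystore entry: its alias and the DNS names on the certificate."""
    alias: str
    names: tuple


def host_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may stand only for the whole left-most label,
    so '*.kpn.test' matches 'shop.kpn.test' but not 'a.b.kpn.test' or 'kpn.test'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def select_alias(keystore: Sequence[CertEntry], sni_host: Optional[str],
                 sni_required: bool = True) -> Optional[str]:
    """Pick the alias to present, or None to refuse the handshake. A non-wildcard
    SAN wins over a wildcard SAN, so a dedicated cert for zakelijkpanel.kpn.test
    beats *.kpn.test even when the wildcard is listed first in the keystore."""
    if sni_host:
        host = sni_host.lower().rstrip(".")
        for want_exact in (True, False):
            for entry in keystore:
                for name in entry.names:
                    is_exact = not name.startswith("*.")
                    if is_exact == want_exact and host_matches(name, host):
                        return entry.alias
    # No SNI, or no SAN matched. Lenient mode mimics delegating to the default
    # JSSE key manager, which hands out the first usable cert and so reveals it
    # to any client that connects without SNI. Strict mode refuses instead.
    if sni_required or not keystore:
        return None
    return keystore[0].alias


# Constructed keystore: a wildcard cert listed first, then a dedicated one.
KEYSTORE = (
    CertEntry("kpn-wildcard", ("*.kpn.test", "kpn.test")),
    CertEntry("panel", ("zakelijkpanel.kpn.test",)),
    CertEntry("other", ("*.example.test",)),
)

if __name__ == "__main__":
    for host in ("zakelijkpanel.kpn.test", "shop.kpn.test", "a.b.kpn.test", None):
        print(host, select_alias(KEYSTORE, host), select_alias(KEYSTORE, host, False))
```

With `sni_required=False` a connection without SNI gets `kpn-wildcard`, which is the cert an SSL Labs style scan would display; with the strict mode it gets nothing and the handshake fails.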
