Thank you Matt and Robbie for the response. I did notice that Artemis does have settings for SNI, for some reason I have not been able to disable SNI for Classic using an of the documented options from Jetty.
I am running ActiveMQ Classic 6.1.7 which uses Jetty 11.0.25, I am wondering if there is a bug or some other issue that is preventing the disabling of SNI. I will read over the information again and verify my settings. Jason ________________________________ From: Robbie Gemmell <[email protected]> Sent: Wednesday, August 13, 2025 8:01 AM To: [email protected] <[email protected]> Subject: Re: ActiveMQ Classic Jetty SNI Settings/Options CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Jetty versions > 9 have SNI checking enabled by default, verifying that if an SNI value were specified that the host being asked for is a match for the details of the server certificate. As a result newer Jetty versions can refuse requests that older Jetty versions allow. The SNI checking behaviour in Jetty is configurable, so e.g. the ability to pass through such SNI config to the programatically-created embedded Jetty instance was added in Artemis a couple years ago, via: https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fbrowse%2FARTEMIS-4245&data=05%7C02%7Cjason.jackson%40itechag.com%7Ca2a35ac0d98d472f515708ddda61aaba%7C07e5f1b9902a4d9f974c04601319bfec%7C0%7C0%7C638906835187005820%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=vHQiBZXklIZyvTDqftgvYwg5yK8e0%2FaSr%2FP91LrHMWQ%3D&reserved=0<https://issues.apache.org/jira/browse/ARTEMIS-4245> As https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fbrowse%2FARTEMIS-3968&data=05%7C02%7Cjason.jackson%40itechag.com%7Ca2a35ac0d98d472f515708ddda61aaba%7C07e5f1b9902a4d9f974c04601319bfec%7C0%7C0%7C638906835187031560%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=BKYZq0%2Baa1l8o%2BjnQ4kg6jdmt0HNcF4AyKGaVI5ETOU%3D&reserved=0<https://issues.apache.org/jira/browse/ARTEMIS-3968> (the original request for adding such config) covers, and as you suspected, the issue is also fixable by ensuring the server certificate matches what clients ask for...either by ensuring the clients use the correct host for the certificates current details, or by ensuring the certs SAN etc details can allow for whatever host clients are actually requesting. On Tue, 12 Aug 2025 at 20:32, Matt Pavlovich <[email protected]> wrote: > > ActiveMQ is not doing anything specific regarding SNI for Jetty. I suspect > certificate or environment issues. > > Matt Pavlovich > > > On Aug 12, 2025, at 2:01 PM, Jason Jackson > > <[email protected]> wrote: > > > > Has anyone had success with disabling or setting SNI in ActiveMQ Classic > > jetty.xml? > > > > I have tried everything I have seen posted on the Jetty web site and what I > > have found in other area and nothing seems to work. > > > > I am attempting to plae a load balancer in front of some ActiveMQ instance > > and it always fails with SNI errors. I have tried pass-thru as well as > > termminating at the LB and re-initializing a new cpmnection but no luck. > > > > Here is what I have set > > > > > > <property name="sniRequired" value="false" /> > > > > -Djetty.sslContext.sniRequired=false -Djetty.ssl.sniRequired=false > > -Djetty.ssl.sniHostCheck=false > > > > > > > > > > > > Jason > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > For further information, visit: > https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Factivemq.apache.org%2Fcontact&data=05%7C02%7Cjason.jackson%40itechag.com%7Ca2a35ac0d98d472f515708ddda61aaba%7C07e5f1b9902a4d9f974c04601319bfec%7C0%7C0%7C638906835187044022%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=VMhHNiSJWxQ%2FWscqyMCzgGuZgIANgWFETRYUwPbPFpA%3D&reserved=0<https://activemq.apache.org/contact> > > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] For further information, visit: https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Factivemq.apache.org%2Fcontact&data=05%7C02%7Cjason.jackson%40itechag.com%7Ca2a35ac0d98d472f515708ddda61aaba%7C07e5f1b9902a4d9f974c04601319bfec%7C0%7C0%7C638906835187055923%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=US0eWiWjyC5gsvMvVQrwX0%2Fx0F3oLmt1fmiSY%2Bw545Q%3D&reserved=0<https://activemq.apache.org/contact>
