Jason-
Where did you try setting the sniRequired in the properties in the jetty.xml?
The conf/jetty.xml is in Spring format, so the syntax is slightly different
from the jetty.xml bean wiring, but you can get the same results.
The SslContextFactory$Server bean appears to be the one to set the values:

<bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
    <constructor-arg ref="Server" />
    <constructor-arg>
        <bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
            <property name="keyStorePath" value="${activemq.conf}/broker.ks" />
            <property name="keyStorePassword" value="password" />
            <property name="sniRequired" value="false" />
            <property name="sniHostCheck" value="false" />
        </bean>
    </constructor-arg>
    <property name="port" value="8162" />
</bean>

Matt Pavlovich
> On Aug 13, 2025, at 7:47 AM, Jason Jackson
> <[email protected]> wrote:
>
> Thank you Matt and Robbie for the response.
>
> I did notice that Artemis does have settings for SNI, for some reason I have
> not been able to disable SNI for Classic using any of the documented options
> from Jetty.
>
> I am running ActiveMQ Classic 6.1.7 which uses Jetty 11.0.25, I am wondering
> if there is a bug or some other issue that is preventing the disabling of SNI.
>
> I will read over the information again and verify my settings.
>
>
> Jason
>
> ________________________________
> From: Robbie Gemmell <[email protected]>
> Sent: Wednesday, August 13, 2025 8:01 AM
> To: [email protected] <[email protected]>
> Subject: Re: ActiveMQ Classic Jetty SNI Settings/Options
>
> Jetty versions > 9 have SNI checking enabled by default, verifying
> that if an SNI value were specified that the host being asked for is a
> match for the details of the server certificate. As a result newer
> Jetty versions can refuse requests that older Jetty versions allow.
>
> The SNI checking behaviour in Jetty is configurable, so e.g. the
> ability to pass through such SNI config to the programmatically-created
> embedded Jetty instance was added in Artemis a couple years ago, via:
> https://issues.apache.org/jira/browse/ARTEMIS-4245
>
> As https://issues.apache.org/jira/browse/ARTEMIS-3968 (the original
> request for adding such config) covers, and as you suspected, the
> issue is also fixable by ensuring the server certificate matches what
> clients ask for...either by ensuring the clients use the correct host
> for the certificate's current details, or by ensuring the cert's SAN etc
> details can allow for whatever host clients are actually requesting.
>
> On Tue, 12 Aug 2025 at 20:32, Matt Pavlovich <[email protected]> wrote:
>>
>> ActiveMQ is not doing anything specific regarding SNI for Jetty. I suspect
>> certificate or environment issues.
>>
>> Matt Pavlovich
>>
>>> On Aug 12, 2025, at 2:01 PM, Jason Jackson
>>> <[email protected]> wrote:
>>>
>>> Has anyone had success with disabling or setting SNI in ActiveMQ Classic
>>> jetty.xml?
>>>
>>> I have tried everything I have seen posted on the Jetty web site and what I
>>> have found in other areas and nothing seems to work.
>>>
>>> I am attempting to place a load balancer in front of some ActiveMQ instances
>>> and it always fails with SNI errors. I have tried pass-thru as well as
>>> terminating at the LB and re-initializing a new connection but no luck.
>>>
>>> Here is what I have set
>>>
>>>
>>> <property name="sniRequired" value="false" />
>>>
>>> -Djetty.sslContext.sniRequired=false -Djetty.ssl.sniRequired=false
>>> -Djetty.ssl.sniHostCheck=false
>>>
>>>
>>>
>>>
>>>
>>> Jason
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>> For further information, visit:
>> https://activemq.apache.org/contact
>>
>>
>
>
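
Added example (not part of the thread, and a simplified model rather than Jetty's code): it checks which of the hosts a client or load balancer might address the broker by would pass the SNI behaviour Robbie describes, using the `sniRequired` and `sniHostCheck` names from the thread as flags. The certificate names and hosts are constructed, and the rule that the host check only applies when an SNI value was sent is an assumption taken from that description.

```python
import ipaddress

def is_ip_literal(host):
    """TLS clients do not send SNI for IP literals (RFC 6066), only for DNS names."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def name_matches(host, pattern):
    """Case-insensitive match; '*' may replace only the whole left-most label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if p[0] != "*":
        return h == p
    return len(h) == len(p) and h[0] != "" and h[1:] == p[1:]

def check_request(host, cert_names, sni_required=False, sni_host_check=True):
    """Model of the server's decision (an assumption, see lead-in): (accepted, reason)."""
    if is_ip_literal(host):                       # no SNI on the wire
        return (not sni_required, "no SNI sent")
    if sni_host_check and not any(name_matches(host, n) for n in cert_names):
        return (False, "host not covered by certificate")
    return (True, "SNI matches certificate" if sni_host_check else "host check disabled")

def audit(hosts, cert_names, **flags):
    """Map each host a client or load balancer might use to its outcome."""
    return {h: check_request(h, cert_names, **flags) for h in hosts}

# Constructed sample data: SAN dNSName entries of a hypothetical broker certificate
CERT_NAMES = ["broker01.mq.example", "*.console.mq.example"]
# Constructed hosts: direct name, load balancer name, wildcard-covered, too deep, backend IP
HOSTS = ["broker01.mq.example", "lb.corp.example", "a.console.mq.example",
         "x.a.console.mq.example", "10.0.0.15"]

if __name__ == "__main__":
    for host, (ok, why) in audit(HOSTS, CERT_NAMES).items():
        print(f"{'accept' if ok else 'REJECT':7} {host:26} {why}")
```

A REJECT for the name the load balancer uses points at the certificate fix mentioned in the thread: add that name to the certificate's SAN, or have the load balancer address the broker by a name the certificate already carries.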