Fyodor,

Assuming all testers have the same or a small number of <name> for their localhost, you can create one keystore for testing and have it packaged with the tests.

--
Alex
Alex Mattern | AVP | Infomediary Architect | Investor Services
BROWN BROTHERS HARRIMAN

-----Original Message-----
From: Fyodor Kravchenko <f...@vsetec.com>
Sent: Thursday, September 21, 2023 10:48 AM
To: users@camel.apache.org
Subject: [EXTERNAL SENDER:] Re: Jetty and the Invalid SNI

Hi, thank you,

seems no-one will be able to test my app without the hassle of creating their own keystore, right?

/fedd

On 21.09.2023 17:13, Mattern, Alex wrote:
> On converting from Camel 3.x to 4.x:
>
> 1. You should get the canonicalHostName
>
>     // needs java.net.InetAddress and java.net.UnknownHostException
>     public static String getHostName() {
>         try {
>             return InetAddress.getLocalHost().getCanonicalHostName();
>         } catch (UnknownHostException e) {
>             // the local host name could not be resolved
>             throw new IllegalStateException(e);
>         }
>     }
>
> 2. You should update your keystore to accept the localhost. Change the CN to *.<name>.com. Change the SAN to www.<name>.com. If you have multiple <name> then you will make multiple entries in the keystore.
> --
> Alex
>
> -----Original Message-----
> From: Fyodor Kravchenko <f...@vsetec.com>
> Sent: Thursday, September 21, 2023 9:35 AM
> To: users@camel.apache.org
> Subject: [EXTERNAL SENDER:] Re: Jetty and the Invalid SNI
>
> Hello,
>
> I don't really want to use Jetty, but I'm currently migrating my project that uses Jetty from Camel 2 via 3 to 4. I'll be able to use something different when it starts working with Jetty so I'm able to fix every other functionality before switching to a different web server.
> Unfortunately I don't use Spring or Quarkus, but it has to be able to run standalone for the time being. I'm looking into Undertow because it offers the websockets like Jetty seemed to offer previously, but first I have to make Jetty work.
>
>
> On 21.09.2023 11:32, Claus Ibsen wrote:
>> Hi
>>
>> Do you really need to use Jetty? If you use Spring Boot or Quarkus they come with HTTP server which you can configure for TLS/SSL more easily than Jetty.
>>
>> On Mon, Sep 18, 2023 at 12:30 PM Fyodor Kravchenko <f...@vsetec.com> wrote:
>>
>>> Hello,
>>>
>>> I'm missing how do I set up the new Jetty in Camel 4 to let me access the localhost via SSL while developing or when needed for other purposes. I'm getting the "org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI" error.
>>>
>>> I'm configuring the SSL as the following:
>>>
>>>     JettyHttpComponent jetty = _camel.getComponent(JETTY, JettyHttpComponent.class);
>>>
>>>     // ssl
>>>     File keyStoreFile = new File(_properties.getProperty("keystoreFile", "sborex.jks"));
>>>     if (keyStoreFile.exists()) {
>>>         String keystorePassword = _properties.getProperty("keystorePassword", "defaultPassword");
>>>         SSLContextParameters scp = new SSLContextParameters();
>>>         KeyStoreParameters ksp = new KeyStoreParameters();
>>>         try (var stream = Files.newInputStream(Path.of(keyStoreFile.getPath()))) {
>>>             KeyStore ks = KeyStore.getInstance(_properties.getProperty("keystoreType", "jks"));
>>>             ks.load(stream, keystorePassword.toCharArray());
>>>             ksp.setKeyStore(ks);
>>>         } catch (Exception e) {
>>>             throw new RuntimeException(e);
>>>         }
>>>
>>>         KeyManagersParameters kmp = new KeyManagersParameters();
>>>         kmp.setKeyStore(ksp);
>>>         kmp.setKeyPassword(_properties.getProperty("keyPassword"));
>>>         scp.setKeyManagers(kmp);
>>>         SecureRequestCustomizer src = new SecureRequestCustomizer(false);
>>>         src.setSniRequired(false); // found this in StackOverflow. Now what?
>>>         jetty.setSslContextParameters(scp);
>>>     }
>>>
>>> I've read somewhere that we have to switch off the SNI check for Jetty through some Secure Request Customizer, but I fail to understand how do I pass it to the Jetty server; or maybe there is a more generic API for doing that through the JSSE?
>>> https://camel.apache.org/manual/camel-configuration-utilities.html
>>>
>>>
>>> Thanks!
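
An added example, not part of the thread and not Camel or Jetty code: a small Java 17 check that lists the names (subject CN and SAN entries) in each certificate of the test keystore and reports whether localhost, 127.0.0.1 and the canonical host name are covered. The class name and the matching rule (exact match or a single left-most wildcard label) are assumptions made for illustration; the default file name and password are the defaults from the configuration posted above.

```java
import java.io.File;
import java.net.InetAddress;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class KeystoreNameCheck {
    // Simplified rule (assumption): exact match, or "*.domain" covering one extra label.
    static boolean covers(String certName, String host) {
        String n = certName.toLowerCase(Locale.ROOT), h = host.toLowerCase(Locale.ROOT);
        int dot = h.indexOf('.');
        return n.equals(h)
            || (n.startsWith("*.") && dot > 0 && n.substring(2).equals(h.substring(dot + 1)));
    }

    // Subject CN plus SAN entries of type dNSName (2) and iPAddress (7).
    static Set<String> names(X509Certificate cert) throws Exception {
        Set<String> out = new TreeSet<>();
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
            if ("CN".equalsIgnoreCase(rdn.getType())) out.add(rdn.getValue().toString());
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null)
            for (List<?> san : sans)
                if (san.get(0).equals(2) || san.get(0).equals(7)) out.add(san.get(1).toString());
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the file name and password defaults from the posted configuration.
        File file = new File(args.length > 0 ? args[0] : "sborex.jks");
        char[] pw = (args.length > 1 ? args[1] : "defaultPassword").toCharArray();
        List<String> hosts = List.of("localhost", "127.0.0.1",
                InetAddress.getLocalHost().getCanonicalHostName());
        KeyStore ks = KeyStore.getInstance(file, pw); // detects JKS or PKCS12
        for (String alias : Collections.list(ks.aliases())) {
            if (!(ks.getCertificate(alias) instanceof X509Certificate cert)) continue;
            Set<String> certNames = names(cert);
            System.out.println(alias + " -> " + certNames);
            for (String host : hosts) {
                boolean ok = certNames.stream().anyMatch(n -> covers(n, host));
                System.out.println("  " + host + (ok ? ": covered" : ": NOT covered"));
            }
        }
    }
}
```

Run it as `java KeystoreNameCheck.java <keystore> <password>`; a name reported as NOT covered is one to add to the test certificate before packaging the keystore with the tests.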