Fyodor,

Assuming all testers have the same or a small number of <name> for their 
localhost, you can create one keystore for testing and have it packaged with 
the tests.
--
Alex

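
Before packaging a shared test keystore as suggested above, it helps to confirm that its certificates actually name the host testers will connect to. The following is an added example, not code from this thread or from Camel or Jetty: it lists each certificate's subject and SAN entries and reports whether they cover a given host name. The class name `KeystoreSanCheck` and the simplified wildcard matching are assumptions; the defaults `sborex.jks`, `defaultPassword` and `jks` are the ones used in the configuration quoted further down.

```java
import java.net.InetAddress;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.*;

// Added example: KeystoreSanCheck is a hypothetical helper, not part of Camel or Jetty.
public class KeystoreSanCheck {

    // Collect dNSName (type 2) and iPAddress (type 7) SAN entries of a certificate.
    static List<String> sanNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null if no SAN extension
        if (sans != null) {
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                if (type == 2 || type == 7) names.add(String.valueOf(san.get(1)));
            }
        }
        return names;
    }

    // Simplified match (assumption): exact name, or one left-most "*." wildcard label.
    static boolean matches(String pattern, String host) {
        if (pattern.equalsIgnoreCase(host)) return true;
        if (!pattern.startsWith("*.")) return false;
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot).equalsIgnoreCase(pattern.substring(1));
    }

    // Usage: java KeystoreSanCheck.java [keystore] [password] [host]
    public static void main(String[] args) throws Exception {
        Path file = Path.of(args.length > 0 ? args[0] : "sborex.jks");
        char[] password = (args.length > 1 ? args[1] : "defaultPassword").toCharArray();
        String host = args.length > 2 ? args[2]
                : InetAddress.getLocalHost().getCanonicalHostName();
        KeyStore ks = KeyStore.getInstance("jks");
        try (var in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.getCertificate(alias) instanceof X509Certificate cert) {
                List<String> sans = sanNames(cert);
                boolean ok = sans.stream().anyMatch(p -> matches(p, host));
                System.out.printf("%s subject=%s SAN=%s covers %s: %b%n", alias,
                        cert.getSubjectX500Principal().getName(), sans, host, ok);
            }
        }
    }
}
```

Pass `localhost` as the third argument to check the name a tester would type into the browser rather than the machine's canonical name.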

-----Original Message-----
From: Fyodor Kravchenko <f...@vsetec.com> 
Sent: Thursday, September 21, 2023 10:48 AM
To: users@camel.apache.org
Subject: [EXTERNAL SENDER:] Re: Jetty and the Invalid SNI

Hi, thank you,

seems no-one will be able to test my app without the hassle of creating their 
own keystore, right?

/fedd

On 21.09.2023 17:13, Mattern, Alex wrote:
> On converting from Camel 3.x to 4.x:
>
> 1. You should get the canonicalHostName
>       
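> import java.net.InetAddress;
> import java.net.UnknownHostException;
>
> public static String getHostName() {
>     try {
>         return InetAddress.getLocalHost().getCanonicalHostName();
>     } catch (UnknownHostException e) {
>         // The local host name could not be resolved
>         throw new IllegalStateException(e);
>     }
> }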
>
> 2. You should update your keystore to accept the localhost. Change the CN to 
> *.<name>.com. Change the SAN to www.<name>.com. If you have multiple <name> 
> then you will make multiple entries in the keystore.
> --
> Alex
>
> -----Original Message-----
> From: Fyodor Kravchenko <f...@vsetec.com>
> Sent: Thursday, September 21, 2023 9:35 AM
> To: users@camel.apache.org
> Subject: [EXTERNAL SENDER:] Re: Jetty and the Invalid SNI
>
> Hello,
>
> I don't really want to use Jetty, but I'm currently migrating my project that 
> uses Jetty from Camel 2 via 3 to 4. I'll be able to use something different 
> when it starts working with Jetty so I'm able to fix every other 
> functionality before switching to a different web server.
> Unfortunately I don't use Spring or Quarkus, but it has to be able to run 
> standalone for the time being. I'm looking into Undertow because it offers 
> the websockets like Jetty seemed to offer previously, but first I have to 
> make Jetty work.
>
>
> On 21.09.2023 11:32, Claus Ibsen wrote:
>> Hi
>>
>> Do you really need to use Jetty? If you use Spring Boot or Quarkus 
>> they come with an HTTP server which you can configure for TLS/SSL more 
>> easily than Jetty.
>>
>> On Mon, Sep 18, 2023 at 12:30 PM Fyodor Kravchenko <f...@vsetec.com> wrote:
>>
>>> Hello,
>>>
>>> I'm missing how to set up the new Jetty in Camel 4 to let me 
>>> access the localhost via SSL while developing or when needed for 
>>> other purposes. I'm getting the "org.eclipse.jetty.http.BadMessageException:
>>> 400: Invalid SNI" error.
>>>
>>> I'm configuring the SSL as the following:
>>>
>>>            JettyHttpComponent jetty = _camel.getComponent(JETTY, JettyHttpComponent.class);
>>>
>>>            // ssl
>>>            File keyStoreFile = new File(_properties.getProperty("keystoreFile", "sborex.jks"));
>>>            if (keyStoreFile.exists()) {
>>>                String keystorePassword = _properties.getProperty("keystorePassword", "defaultPassword");
>>>                SSLContextParameters scp = new SSLContextParameters();
>>>                KeyStoreParameters ksp = new KeyStoreParameters();
>>>                try (var stream = Files.newInputStream(Path.of(keyStoreFile.getPath()))) {
>>>                    KeyStore ks = KeyStore.getInstance(_properties.getProperty("keystoreType", "jks"));
>>>                    ks.load(stream, keystorePassword.toCharArray());
>>>                    ksp.setKeyStore(ks);
>>>                } catch (Exception e) {
>>>                    throw new RuntimeException(e);
>>>                }
>>>
>>>                KeyManagersParameters kmp = new KeyManagersParameters();
>>>                kmp.setKeyStore(ksp);
>>>                kmp.setKeyPassword(_properties.getProperty("keyPassword"));
>>>                scp.setKeyManagers(kmp);
>>>                SecureRequestCustomizer src = new SecureRequestCustomizer(false);
>>>                src.setSniRequired(false); // found this in StackOverflow. Now what?
>>>                jetty.setSslContextParameters(scp);
>>>            }
>>>
>>> I've read somewhere that we have to switch off the SNI check for 
>>> Jetty through some Secure Request Customizer, but I fail to 
>>> understand how to pass it to the Jetty server; or maybe there is a 
>>> more generic API for doing that through the JSSE?
>>> https://camel.apache.org/manual/camel-configuration-utilities.html
>>>
>>>
>>> Thanks!
>>>
>>>