Hello Greg,
Thanks for this, I have opened a feature request at https://github.com/eclipse/jetty.project/issues/3863.
That mode you describe would do fine for me.
Kind regards,
Silvio
On 09-07-19 08:18, Greg Wilkins wrote:
Silvio,
Open a feature request on github and we'll look at this.
It might be simply that we can add a mode that if no SNI
matches are found then we don't delegate to the normal key
manager..... At least that would work if you have all SNI
capable keys. If there is no SNI match and you want to
select from only those certs that don't have SNI, that will be
more difficult.
cheers
Hello Greg,
The keystore contains both wildcard certs and non-wildcard
certs, for a total of ~100 certs. If a request for a domain
matching a cert comes in the right cert is selected, totally
no issues there. But when there is no matching cert or no
SNI info is provided I think the first cert in the keystore
is served. That cert does not match the request and the
client will reject it, of course. But the details of the
cert are revealed that way which is what I want to prevent.
For example Qualys SSL-labs will display a cert that it
receives when trying a request without SNI, as in
https://www.ssllabs.com/ssltest/analyze.html?d=zakelijkpanel.kpn.com&hideResults=on
So if no matching cert or no SNI info is present I want to
400 or something.
Kind regards,
Silvio
On
08-07-19 19:32, Greg Wilkins wrote:
Silvio,
I'm sorry, but we are going to need more info that
that. Can you describe precisely the setup you have
with regards to what certs are in your keystore and
what sort of cert they are (eg wild cards etc.). Then
give us an example of exactly what you mean by random
cert?
Typically jetty tries to defer as much as possible
to the default implementations, so if we can't select
a cert by SNI, we are probably letting the JRE libs do
the selection... but perhaps we are doing something
wrong... so do tell us more.
cheers
Hello all,
I am using Jetty as my HTTPS front-end and have a
keystore containing
multiple certificates which are selected via Jetty SNI
support. But when
a request without proper SNI info arrives Jetty
presents a sort-of
random certificate. Is there a way to prevent this and
just have the
request fail instead?
Thanks in advance,
Silvio
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your
password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
--
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or
unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
--
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
|
