Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Remote Application Platform (RAP) » How to disable Jetty Host SNI validation check for HTTPS Connection
How to disable Jetty Host SNI validation check for HTTPS Connection [message #1845123] Thu, 07 October 2021 21:27 Go to next message
Rob A. is currently offline Rob A.Friend
Messages: 4
Registered: October 2010
Junior Member
I recently upgrade from RAP 3.16 which is using Jetty 9 to RAP 3.18 and I can no longer access my RAP application via https because we are using a self-signed certificate and am receiving Error #400 Invalid SNI

I found the following option in Jetty documentation but I cannot figure out a way to set this from my RAP application: jetty.ssl.sniRequired=false

The only thing that worked was setting setSniHostCheck(false) from SecureRequestCustomizer but that would require modifying the code in org.eclipse.equinox.http.jetty.internal.HttpServerManager.

Is there a way to disable SNI Host Check, e.g. from RAP config.ini or Java SystemProperty without having to modify the code in org.eclipse.equinox.http.jetty plugin?

Thanks,

Rob
Re: How to disable Jetty Host SNI validation check for HTTPS Connection [message #1845311 is a reply to message #1845123] Fri, 08 October 2021 19:17 Go to previous messageGo to next message
Dmitry Dukhov is currently offline Dmitry DukhovFriend
Messages: 192
Registered: February 2013
Senior Member
may this help you

            Global.jettyServer = new Server();
            HttpConfiguration https_config = new HttpConfiguration();
            SecureRequestCustomizer src = new SecureRequestCustomizer();
            src.setSniHostCheck(false);
            https_config.addCustomizer(src);
            HttpConnectionFactory http11 = new HttpConnectionFactory(https_config);

            SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
            sslContextFactory.setKeyStorePath(keyStorePath);
            sslContextFactory.setKeyStorePassword(keyPasswordStore);
            sslContextFactory.setSniRequired(false);
            sslContextFactory.setRenegotiationAllowed(false);
            

            SslConnectionFactory https = new SslConnectionFactory(sslContextFactory, http11.getProtocol());

            ServerConnector sslConnector = new ServerConnector(Global.jettyServer, https, http11);
            sslConnector.setPort(Global.appConfig.getPort());
            Global.jettyServer.addConnector(sslConnector);

            Global.jettyServer.setHandler(initWebApp());
            Global.jettyServer.start();
            Global.jettyServer.join();


Properties props = System.getProperties();
props.setProperty("jdk.internal.httpclient.disableHostnameVerification", Boolean.TRUE.toString());
Re: How to disable Jetty Host SNI validation check for HTTPS Connection [message #1847026 is a reply to message #1845311] Tue, 12 October 2021 13:51 Go to previous messageGo to next message
Rob A. is currently offline Rob A.Friend
Messages: 4
Registered: October 2010
Junior Member
Thanks for the suggestions. Unfortunatley, creating our own custom Jetty Server is not a good option for us and I am really looking for a way to disable the equninox jetty http host name validation either programatically, via config.ini, system property of plugin extension point.

Also, I tried setting jdk.internal.httpclient.disableHostnameVerification=True but that did not fix the issue.
Re: How to disable Jetty Host SNI validation check for HTTPS Connection [message #1847040 is a reply to message #1847026] Tue, 12 October 2021 21:12 Go to previous messageGo to next message
Dmitry Dukhov is currently offline Dmitry DukhovFriend
Messages: 192
Registered: February 2013
Senior Member
enough add this two strings before start Jetty just inside source code

Properties props = System.getProperties();
props.setProperty("jdk.internal.httpclient.disableHostnameVerification",Boolean.TRUE.toString());
Re: How to disable Jetty Host SNI validation check for HTTPS Connection [message #1860965 is a reply to message #1847040] Tue, 12 September 2023 10:05 Go to previous message
Deepak Abraham is currently offline Deepak AbrahamFriend
Messages: 2
Registered: September 2023
Junior Member
Hello,

I am using Jetty 11.0.15 through Spring 3.1 and Java 17 - in embedded container mode - upgrading from Jetty 9 that is used in Spring 2.6.x with Java 11
The TLS / HTTPS calls are now failing with Quote:
org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI


Setting the suggested system property (jdk.internal.httpclient.disableHostnameVerification) via code in System properties does not work. Nor does setting any of the below as VM properties work:
 -Djdk.internal.httpclient.disableHostnameVerification=true -Djetty.sslContext.sniRequired=false -Djetty.ssl.sniHostCheck=false -Djetty.ssl.sniRequired=false


For our local and CI testing we use localhost or an IP which would result in SNI check failures.
Would like to disable the SNI checks but I don't see a way of configuring this without accessing the Server object before creation which is not an option for me.

Is there any system property or a way of configuring embedded Jetty to disable all the SNI checks?
Previous Topic:FileUpload with result possible?
Next Topic:Dynamic theme
Goto Forum:
  


Current Time: Sat Jul 20 07:59:55 GMT 2024

Powered by FUDForum. Page generated in 0.03935 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top