Hello Greg,
The keystore contains both wildcard certs and non-wildcard certs,
for a total of ~100 certs. If a request for a domain matching a cert
comes in, the right cert is selected, totally no issues there. But
when there is no matching cert or no SNI info is provided I think
the first cert in the keystore is served. That cert does not match
the request and the client will reject it, of course. But the
details of the cert are revealed that way which is what I want to
prevent. For example Qualys SSL-labs will display a cert that it
receives when trying a request without SNI, as in
https://www.ssllabs.com/ssltest/analyze.html?d=zakelijkpanel.kpn.com&hideResults=on
So if no matching cert or no SNI info is present I want to 400 or
something.
Kind regards,
Silvio
On 08-07-19 19:32, Greg Wilkins wrote:
Silvio,
I'm sorry, but we are going to need more info than that.
Can you describe precisely the setup you have with regards to
what certs are in your keystore and what sort of cert they are
(eg wild cards etc.). Then give us an example of exactly what
you mean by random cert?
Typically jetty tries to defer as much as possible to the
default implementations, so if we can't select a cert by SNI,
we are probably letting the JRE libs do the selection... but
perhaps we are doing something wrong... so do tell us more.
cheers
Hello all,
I am using Jetty as my HTTPS front-end and have a keystore containing
multiple certificates which are selected via Jetty SNI support. But when
a request without proper SNI info arrives Jetty presents a sort-of
random certificate. Is there a way to prevent this and just have the
request fail instead?
Thanks in advance,
Silvio
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or
unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
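Added example (not from this thread, and not Jetty's own documentation): an embedded-Jetty HTTPS connector configured so that a TLS handshake with no SNI, or with an SNI name that matches no certificate alias in the keystore, is aborted instead of being answered with a fallback certificate from the keystore. It assumes a Jetty release that provides SslContextFactory.Server#setSniRequired and SecureRequestCustomizer#setSniRequired (later 9.4.x and 10.x builds expose both, also as the jetty.sslContext.sniRequired / jetty.ssl.sniRequired properties in jetty-ssl-context.xml and jetty-https.xml); the keystore path, password and port are placeholders.

```java
// Added example, not code from the jetty-users thread or from the Jetty project.
// Assumes a Jetty version with SslContextFactory.Server#setSniRequired and
// SecureRequestCustomizer#setSniRequired. Keystore path/password/port are placeholders.
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class StrictSniServer {
    public static void main(String[] args) throws Exception {
        Server server = new Server();

        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath("/etc/jetty/keystore.p12"); // placeholder
        ssl.setKeyStorePassword("changeit");            // placeholder
        // TLS-level control: when SNI is absent, or names a host that no alias in the
        // keystore covers (wildcard aliases included), no server certificate is chosen
        // and the handshake is aborted. The client therefore never receives a
        // certificate whose subject/SAN it could read, which is the leak described
        // in the thread. Without this flag a fallback certificate is selected.
        ssl.setSniRequired(true);

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(8443);
        SecureRequestCustomizer src = new SecureRequestCustomizer();
        // HTTP-level backstop, applied once a handshake has succeeded:
        // sniHostCheck rejects requests whose Host header does not match the SNI name
        // / negotiated certificate, and sniRequired rejects requests on connections
        // that presented no SNI at all. Both answer with 400 Bad Request.
        src.setSniHostCheck(true);
        src.setSniRequired(true);
        httpsConfig.addCustomizer(src);

        ServerConnector https = new ServerConnector(server,
            new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(httpsConfig));
        https.setPort(8443);
        server.addConnector(https);

        server.start();
        server.join();
    }
}
```

With the TLS-level flag set, a client that omits SNI gets a handshake failure rather than an HTTP 400, since no certificate is ever chosen; the 400 from the SecureRequestCustomizer only applies to requests that made it through the handshake. To check the result, connect with SNI disabled (`openssl s_client -connect host:8443 -noservername`, OpenSSL 1.1.1 or newer) and with an unmatched name (`openssl s_client -connect host:8443 -servername unknown.example`): neither connection should print a certificate chain, while `-servername` set to a name in the keystore should still negotiate and show the matching certificate. A scanner such as SSL Labs that probes without SNI will then report the handshake failure instead of a certificate.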