Re: [jetty-users] Are Subject Alternative Names compulsory for SSL in Jetty 9.4.18?

If you are using Embedded Jetty, make sure you are using the SslContextFactory.Server for your server, and not the generic SslContextFactory.

Example:

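        import org.eclipse.jetty.http.HttpVersion;
        import org.eclipse.jetty.server.HttpConfiguration;
        import org.eclipse.jetty.server.HttpConnectionFactory;
        import org.eclipse.jetty.server.SecureRequestCustomizer;
        import org.eclipse.jetty.server.Server;
        import org.eclipse.jetty.server.ServerConnector;
        import org.eclipse.jetty.server.SslConnectionFactory;
        import org.eclipse.jetty.util.ssl.SslContextFactory;

        Server server = new Server();

        // Server-side factory, not the generic SslContextFactory
        SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
        sslContextFactory.setKeyStorePath(KEYSTORE_1); // KEYSTORE_1: path to your keystore file
        sslContextFactory.setKeyStorePassword("storepwd");
        sslContextFactory.setKeyStoreType("JKS");
        sslContextFactory.setKeyStoreProvider(null);

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.addCustomizer(new SecureRequestCustomizer());
        // TLS connection factory first, then HTTP/1.1 on top of it
        ServerConnector connector = new ServerConnector(server,
            new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(httpsConfig));
        server.addConnector(connector);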

If you are using the jetty-home artifact then check any custom XML you have in your jetty-base directory that is setting up a SslContextFactory to ensure it's using the appropriate side (Client vs Server) and not the generic one.

Joakim Erdfelt / joakim@xxxxxxxxxxx


On Sat, Sep 14, 2019 at 9:34 PM Sonali Dasgupta <sonalidasgupta95.2011@xxxxxxxxx> wrote:
Please note that keystores which worked without SAN in jetty 9.4.8 now give "No subject alternative name" errors on running the applications on jetty 9.4.18. Does that not signify that SANs are compulsory with jetty 9.4.18? Also, these keystores already have CN.

Would appreciate a more detailed explanation on this issue from the jetty developers. Also, the error seems fully related to Jetty, since it stems from jetty SSL Context.

Thanks

On Sun, 15 Sep, 2019, 3:38 AM Simone Bordet, <sbordet@xxxxxxxxxxx> wrote:
Hi,

On Sat, Sep 14, 2019 at 7:05 PM Sonali Dasgupta
<sonalidasgupta95.2011@xxxxxxxxx> wrote:
>
> Are Subject Alternative Names (SANs) in keystores compulsory while configuring SSL over Jetty server (version 9.4.18)?

No.

> Is there a property which, on being set, allows SSL configuration without SANs in the keystore?

I don't understand this, and it has nothing to do with Jetty how you
set up your keystore.
If you don't want to use SAN, you just use the CN (perhaps with a wild
domain) and you're good to go.

> Facing critical issues hence help will be appreciated.

If you need critical support for Jetty, you can look up commercial
support from Webtide: https://webtide.com.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
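
Added example, not part of the original thread or of Jetty's code: a JDK-only check that lists each certificate entry in a keystore with its subject DN and any DNS or IP Subject Alternative Names, so you can see which entries rely on CN alone. The class name `KeystoreSanAudit` and the argument order (path, optional store type defaulting to JKS) are assumptions for illustration; the password is read from the console.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

// Hypothetical helper class: audits a keystore for certificates without SAN entries.
public class KeystoreSanAudit {
    // GeneralName type tags from RFC 5280: 2 = dNSName, 7 = iPAddress
    private static final int DNS_NAME = 2, IP_ADDRESS = 7;

    // Returns the DNS and IP SAN entries of a certificate; empty if there are none.
    static List<String> hostSans(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when the extension is absent
        if (sans == null) return names;
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            if (type == DNS_NAME) names.add("DNS:" + san.get(1));
            else if (type == IP_ADDRESS) names.add("IP:" + san.get(1));
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1 || System.console() == null) {
            System.err.println("usage (interactive): java KeystoreSanAudit <keystore> [type]");
            System.exit(2);
        }
        // Prompt for the password so it does not appear in the process list.
        char[] password = System.console().readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance(args.length > 1 ? args[1] : "JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        int missing = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias); // leaf certificate for key entries
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            List<String> sans = hostSans(x);
            if (sans.isEmpty()) missing++;
            System.out.printf("%-20s %s  SAN=%s%n", alias,
                x.getSubjectX500Principal().getName(), sans.isEmpty() ? "<none>" : sans);
        }
        System.exit(missing == 0 ? 0 : 1); // non-zero exit when any entry has no DNS/IP SAN
    }
}
```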