[jetty-users] Question about Jetty SNI functionality

We have been using Jetty SNI support for years now and are very happy with it. We prefer not to do HTTPS offloading and have the Java server process handle everything. Jetty takes care of this brilliantly.

I do have a question though: is there any way to provide the server with the certificates to be used for SNI handling other than having them all in a single key store file? Something like a directory with key store files or perhaps even an array with File objects or something like that?

We currently manage ~100 certificates, and managing them all using a single key store file has become quite cumbersome. Different domain names are mapped to different multi-tenant servers, and these mappings regularly change. We would prefer to assemble only the needed certificates in each (embedded) Jetty instance, but since that would mean we would somehow have to generate key stores on the fly, we use a single key store that holds all possible certs.

Besides being wasteful, this also precludes generically allowing non-SNI clients on servers that manage one single domain. Non-SNI clients are not really a thing anymore, but we have some clients who are worried about Qualys SSL-check noting that their application only works for clients that support SNI.

Cheers,

Silvio
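
The "generate key stores on the fly" step from the message above can be done in memory with the JDK alone. This is an added example, not part of the original post or of Jetty's code. The class name `KeyStoreAssembler`, the one-`<host>.p12`-file-per-domain layout and the single shared password are assumptions made for illustration.

```java
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Hypothetical helper: merges per-host PKCS12 files into one in-memory key store.
public final class KeyStoreAssembler {
    /**
     * Assumptions: dir holds one "<host>.p12" file per domain and every file
     * and key uses the same password. Only hosts in wantedHosts are loaded.
     */
    public static KeyStore assemble(Path dir, Set<String> wantedHosts, char[] password)
            throws Exception {
        KeyStore merged = KeyStore.getInstance("PKCS12");
        merged.load(null, null); // start empty; nothing is written to disk
        Set<String> missing = new HashSet<>(wantedHosts);
        try (DirectoryStream<Path> files = Files.newDirectoryStream(dir, "*.p12")) {
            for (Path file : files) {
                String name = file.getFileName().toString();
                String host = name.substring(0, name.length() - ".p12".length());
                if (!wantedHosts.contains(host)) continue; // not served by this instance
                KeyStore single = KeyStore.getInstance("PKCS12");
                try (InputStream in = Files.newInputStream(file)) {
                    single.load(in, password);
                }
                for (String alias : Collections.list(single.aliases())) {
                    if (!single.isKeyEntry(alias)) continue; // skip trust-only entries
                    Key key = single.getKey(alias, password);
                    Certificate[] chain = single.getCertificateChain(alias);
                    // Prefix with the host so aliases from different files cannot collide.
                    merged.setKeyEntry(host + "/" + alias, key, password, chain);
                    missing.remove(host);
                }
            }
        }
        // Fail closed: refuse to start without a certificate for a mapped domain.
        if (!missing.isEmpty()) {
            throw new IllegalStateException("No private key found for: " + missing);
        }
        return merged;
    }
}
```

The resulting `KeyStore` can be handed to Jetty's `SslContextFactory` through `setKeyStore(KeyStore)` instead of a key store path. An instance assembled with a single host then holds exactly one certificate.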