Re: [jetty-users] Question about Jetty SNI functionality

Hi,

On Thu, Jan 6, 2022 at 2:50 PM Silvio Bierman
<sbierman@xxxxxxxxxxxxxxxxxx> wrote:
>
> We have been using Jetty SNI support for years now and are very happy
> with it. We prefer not to do HTTPS offloading and have the Java server
> process handle everything. Jetty takes care of this brilliantly.

Great!

> I do have a question though: is there any way to provide the server with
> the certificates to be used for SNI handling other than having them all
> in a single key store file? Something like a directory with key store
> files or perhaps even an array with File objects or something like that?

The problem is that the Java APIs require a single KeyStore.
However, KeyStore and everything necessary for certificate
retrieval/validation could be reimplemented, so you probably can write
a KeyStore that handles certificates in directories.

A quick search:
https://github.com/Hakky54/sslcontext-kickstart
http://codyaray.com/2013/04/java-ssl-with-multiple-keystores
https://github.com/1and1/CompositeJKS
etc.

> We currently manage ~100 certificates and managing them all using a
> single key store file has become quite cumbersome. Different domain
> names are mapped to different multi-tenant servers and these mappings
> regularly change. We would prefer to assemble only the needed
> certificates in each (embedded) Jetty instance but since that would mean
> we would somehow have to generate key stores on the fly we use a single
> key store that holds all possible certs.

Generating the KeyStore on-the-fly is quite simple.
We do this in the test-keystore shipped with jetty-home, so no big deal.

If you use 1 Jetty to handle 100s of KeyStores, then you need some sort
of composite KeyStore (see links above).
If you use 100 Jettys each with its own KeyStore, then I would say the
best is to generate the KeyStore on-the-fly.

> Besides being wasteful this also precludes generically allowing non-SNI
> clients on servers that manage one single domain. Non-SNI clients are
> not really a thing anymore but we have some clients who are worried
> about Qualys SSL-check noting that their application only works for
> clients that support SNI.

You can configure Jetty to allow non-SNI clients, so I am not sure why
you think it's not possible?
See this: https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html#og-protocols-ssl-sni

-- 
Simone Bordet
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz
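As an added illustration of the two points made in the reply above (assembling a KeyStore on the fly rather than maintaining one big file, and letting non-SNI clients connect), here is a self-contained Java example. It is not code from the thread, from Jetty, or from the linked projects; it merges every PKCS12 file found in a directory into one in-memory KeyStore and hands that to Jetty's `SslContextFactory.Server`. The directory layout (one `.p12` per tenant, all protected with the same password), the `KEYSTORE_PASSWORD` environment variable, the port and the class name are assumptions made for the example.

```java
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Enumeration;

import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/** Example only (not Jetty code): one KeyStore built from a directory of *.p12 files. */
public class DirectoryKeyStoreServer {

    /**
     * Merge the private-key entries of every *.p12 file in {@code dir} into a single
     * in-memory PKCS12 KeyStore. Assumption: every file is protected by {@code password}.
     * The merged alias is "<file stem>/<original alias>" so two files can never silently
     * overwrite each other; a collision is reported instead of ignored.
     */
    static KeyStore loadFromDirectory(Path dir, char[] password) throws Exception {
        KeyStore merged = KeyStore.getInstance("PKCS12");
        merged.load(null, null); // empty store, never written to disk
        KeyStore.ProtectionParameter protection = new KeyStore.PasswordProtection(password);
        try (DirectoryStream<Path> files = Files.newDirectoryStream(dir, "*.p12")) {
            for (Path file : files) {
                KeyStore single = KeyStore.getInstance("PKCS12");
                try (InputStream in = Files.newInputStream(file)) {
                    single.load(in, password);
                }
                String stem = file.getFileName().toString().replaceFirst("\\.p12$", "");
                Enumeration<String> aliases = single.aliases();
                while (aliases.hasMoreElements()) {
                    String alias = aliases.nextElement();
                    if (!single.isKeyEntry(alias)) {
                        continue; // trusted-cert-only entries are not needed for serving TLS
                    }
                    String mergedAlias = stem + "/" + alias;
                    if (merged.containsAlias(mergedAlias)) {
                        throw new IllegalStateException("duplicate alias " + mergedAlias);
                    }
                    merged.setEntry(mergedAlias, single.getEntry(alias, protection), protection);
                }
            }
        }
        if (merged.size() == 0) {
            throw new IllegalStateException("no key entries found under " + dir);
        }
        return merged;
    }

    /**
     * Build a TLS connector from the in-memory KeyStore. Jetty's SNI key manager picks the
     * certificate whose SAN/CN matches the client's SNI name, so the alias names chosen
     * above do not influence selection. With sniRequired=false a client that sends no SNI
     * is served the default certificate instead of being rejected (see the linked ops guide).
     */
    static Server buildServer(KeyStore keyStore, char[] password, int port, boolean allowNonSni)
            throws Exception {
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStore(keyStore);
        ssl.setKeyStorePassword(new String(password)); // also used as the key-manager password
        ssl.setSniRequired(!allowNonSni);

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        Server server = new Server();
        ServerConnector connector = new ServerConnector(server,
            new SslConnectionFactory(ssl, "http/1.1"),
            new HttpConnectionFactory(httpsConfig));
        connector.setPort(port);
        server.addConnector(connector);
        return server;
    }

    public static void main(String[] args) throws Exception {
        // Assumed layout: args[0] is the certificate directory, the shared PKCS12 password
        // comes from the environment rather than the command line.
        Path certDir = Path.of(args.length > 0 ? args[0] : "certs");
        char[] password = System.getenv("KEYSTORE_PASSWORD").toCharArray();
        KeyStore keyStore = loadFromDirectory(certDir, password);
        Server server = buildServer(keyStore, password, 8443, true);
        server.start();
        server.join();
    }
}
```

Because the KeyStore lives only in memory, each embedded Jetty instance can be pointed at a directory holding just the certificates its tenants need, and a tenant move becomes a file move plus a restart of that instance rather than an edit to one shared key store. `SecureRequestCustomizer` is configured with its defaults here; the operations guide linked in the reply also documents its `sniHostCheck` setting, which controls whether the request's `Host` header must agree with the SNI name.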

