Posted to dev@hc.apache.org by "Keith Wall (JIRA)" <ji...@apache.org> on 2016/12/02 15:03:58 UTC

[jira] [Created] (HTTPCLIENT-1790) [Java Broker] Select appropriate certificate for TLS based on SNIServerName

Keith Wall created HTTPCLIENT-1790:
--------------------------------------

             Summary: [Java Broker] Select appropriate certificate for TLS based on SNIServerName
                 Key: HTTPCLIENT-1790
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1790
             Project: HttpComponents HttpClient
          Issue Type: Improvement
            Reporter: Keith Wall
             Fix For: Future


Enable SNI support for the Java Broker.

We will need an X509ExtendedKeyManager implementation that gets the SNIServerName from the SSL handshake and then selects the most appropriate certificate alias for the indicated hostname.

I found the following example helpful:

https://github.com/grahamedgecombe/netty-sni-example/blob/master/src/main/java/SniKeyManager.java

https://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html

This change requires Java 8, but it is probably possible to retain support for Java 7 using reflection.

It looks to me like the clients (Qpid JMS Client and Legacy) require no changes. They both pass the hostname through to the SSLEngine, so the SNIServerName should already be passed through. Client-side support in Java was added in Java 7.



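As an added example (not code from this issue, from the linked netty-sni-example, or from the Qpid project), the shape of the key manager the issue describes: it wraps the broker's existing X509ExtendedKeyManager, reads the SNI host name from the handshake session, and maps it to a keystore alias; the delegate, the host-name-to-alias map and the default alias are assumed to be supplied by the broker's configuration.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.*;

/** Chooses the server certificate alias from the TLS SNI extension (Java 8 API). */
public final class SniSelectingKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;     // assumed: key manager over the broker keystore
    private final Map<String, String> aliasByHostName; // assumed: lower-case host name -> alias
    private final String defaultAlias;                 // assumed: alias used when SNI is absent/unmatched

    public SniSelectingKeyManager(X509ExtendedKeyManager delegate,
                                  Map<String, String> aliasByHostName, String defaultAlias) {
        this.delegate = delegate;
        this.aliasByHostName = aliasByHostName;
        this.defaultAlias = defaultAlias;
    }

    /** Exact host-name match only; wildcards are deliberately not interpreted here. */
    private String aliasFor(SSLSession handshakeSession) {
        if (handshakeSession instanceof ExtendedSSLSession) {
            for (SNIServerName name : ((ExtendedSSLSession) handshakeSession).getRequestedServerNames()) {
                if (name.getType() == StandardConstants.SNI_HOST_NAME) {
                    String host = ((SNIHostName) name).getAsciiName().toLowerCase(Locale.ROOT);
                    String alias = aliasByHostName.get(host);
                    if (alias != null) return alias;
                }
            }
        }
        return defaultAlias; // no SNI (e.g. Java 6 client) or unknown host: fall back, don't fail
    }

    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        return aliasFor(engine == null ? null : engine.getHandshakeSession());
    }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return aliasFor(socket instanceof SSLSocket ? ((SSLSocket) socket).getHandshakeSession() : null);
    }
    // Client-side and keystore lookups are untouched; the wrapped key manager answers them.
    @Override public String chooseEngineClientAlias(String[] kt, Principal[] is, SSLEngine e) { return delegate.chooseEngineClientAlias(kt, is, e); }
    @Override public String chooseClientAlias(String[] kt, Principal[] is, Socket s) { return delegate.chooseClientAlias(kt, is, s); }
    @Override public String[] getClientAliases(String kt, Principal[] is) { return delegate.getClientAliases(kt, is); }
    @Override public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```

The wrapper is installed by passing it to SSLContext.init() in place of the keystore's own key manager; a client that presents a host name the map does not know still gets the default certificate rather than a handshake failure, so a misconfigured map surfaces as a hostname-verification error on the client instead of a silent outage.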