SNI - handle two or more cert in keystore


Conscrypt can’t handle SNI. Tested with Jetty 9.4.x + Conscrypt 2.0.0. (Single Jetty can handle it)

2019-03-25 13:03:21.364:INFO::Thread-0: Logging initialized @1677ms to org.eclipse.jetty.util.log.StdErrLog
2019-03-25 13:03:21.709:INFO:oejs.Server:Thread-0: jetty-9.4.15.v20190215; built: 2019-02-15T16:53:49.381Z; git: eb70b240169fcf1abbd86af36482d1c49826fa0b; jvm 11.0.2+9
2019-03-25 13:03:21.771:INFO:oejsh.ContextHandler:Thread-0: Started o.e.j.s.h.ContextHandler@1b43fc78{/stop,null,AVAILABLE,127.0.0.1}
2019-03-25 13:03:21.772:INFO:oejsh.ContextHandler:Thread-0: Started o.e.j.s.h.ContextHandler@11e40211{/other,null,AVAILABLE}
2019-03-25 13:03:21.802:INFO:oejus.SslContextFactory:Thread-0: x509=X509@516382a4(server1,h=[alt1.name.tld, cn1.name.tld],w=[]) for SslContextFactory@1100634b[provider=Conscrypt,keyStore=null,trustStore=null]
2019-03-25 13:03:21.803:INFO:oejus.SslContextFactory:Thread-0: x509=X509@16ba7b8e(server2,h=[alt2.name.tld, cn2.name.tld],w=[]) for SslContextFactory@1100634b[provider=Conscrypt,keyStore=null,trustStore=null]
2019-03-25 13:03:21.978:INFO:oejs.AbstractConnector:Thread-0: Started ServerConnector@15925715{SSL,[ssl, alpn, h2, http/1.1]}{0.0.0.0:50443}
2019-03-25 13:03:21.979:INFO:oejs.Server:Thread-0: Started @2292ms

Client: No subject alternative DNS name matching alt1.name.tld found.java.io.IOException: No subject alternative DNS name matching alt1.name.tld found.

Issue Analytics

  • State: open
  • Created 4 years ago
  • Comments: 9 (3 by maintainers)

Top GitHub Comments

5 reactions
readonlynetwork commented, Mar 26, 2019

SNI in Conscrypt would be a big feature for my app.

1 reaction
sbordet commented, Sep 8, 2019

@flooey we are getting more and more requests to support this feature in Jetty. If you can point us to the relevant piece of code, we may try to code it and issue a PR. Thanks!
