Keith Wall created QPID-7567:
--------------------------------
Summary: [Java Broker] Select appropriate certificate for TLS based on SNIServerName
Key: QPID-7567
URL: https://issues.apache.org/jira/browse/QPID-7567
Project: Qpid
Issue Type: Improvement
Components: Java Broker
Reporter: Keith Wall
Enable SNI support for the Java Broker.
We will need an X509ExtendedKeyManager implementation that gets the
SNIServerName from the SSL handshakes and then selects the most appropriate
certificate alias for the indicated hostname.
I found the following example helpful:
https://github.com/grahamedgecombe/netty-sni-example/blob/master/src/main/java/SniKeyManager.java
https://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html
This change requires Java 8, but it is probably possible to retain support for
Java 7 using reflection.
It looks to me like the clients (Qpid JMS Client and Legacy) require no
changes. They both pass the hostname through to the SSLEngine, so the
SNIServerName should already be passed through. Client side support in Java was
added at Java 7.
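A sketch of the key manager the issue describes, added here as an illustration and not taken from Qpid or from the linked example. The class name `SniAliasKeyManager` is hypothetical, and treating "most appropriate" as "leaf certificate has a matching dNSName subjectAltName" is an assumption; it needs Java 8 for the server-side SNI API.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.*;

// Hypothetical wrapper: delegates to an existing key manager (for example the one a
// KeyManagerFactory returns) and overrides only the SSLEngine server-side choice.
public class SniAliasKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;
    public SniAliasKeyManager(X509ExtendedKeyManager delegate) { this.delegate = delegate; }

    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        SSLSession hs = engine.getHandshakeSession();
        String[] aliases = delegate.getServerAliases(keyType, issuers);
        if (hs instanceof ExtendedSSLSession && aliases != null) {
            for (SNIServerName sni : ((ExtendedSSLSession) hs).getRequestedServerNames()) {
                if (!(sni instanceof SNIHostName)) continue;
                // The name is client-supplied: use it only to compare against certificates
                // already in the key store, never as an alias or lookup key by itself.
                String host = ((SNIHostName) sni).getAsciiName().toLowerCase(Locale.ROOT);
                for (String alias : aliases)
                    if (covers(delegate.getCertificateChain(alias), host)) return alias;
            }
        }
        // No SNI sent, or no certificate covers the name: keep the delegate's default choice.
        return delegate.chooseEngineServerAlias(keyType, issuers, engine);
    }

    // True if the leaf certificate has a dNSName SAN (type 2) equal to host, or a
    // wildcard SAN whose "*" stands for exactly the left-most label of host.
    static boolean covers(X509Certificate[] chain, String host) {
        try {
            if (chain == null || chain.length == 0 || chain[0].getSubjectAlternativeNames() == null) return false;
            for (List<?> san : chain[0].getSubjectAlternativeNames()) {
                if (!Integer.valueOf(2).equals(san.get(0))) continue;
                String name = ((String) san.get(1)).toLowerCase(Locale.ROOT);
                int dot = host.indexOf('.');
                if (name.equals(host) || (name.startsWith("*.") && dot > 0
                        && host.substring(dot).equals(name.substring(1)))) return true;
            }
        } catch (CertificateParsingException e) { /* unparsable SAN extension: no match */ }
        return false;
    }
    // Everything else is passed straight through to the wrapped key manager.
    @Override public String chooseEngineClientAlias(String[] t, Principal[] i, SSLEngine e) { return delegate.chooseEngineClientAlias(t, i, e); }
    @Override public String[] getClientAliases(String t, Principal[] i) { return delegate.getClientAliases(t, i); }
    @Override public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return delegate.chooseClientAlias(t, i, s); }
    @Override public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return delegate.chooseServerAlias(t, i, s); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```

Falling back to the delegate when nothing matches means a client that sends an unknown name still receives the default certificate and fails its own hostname verification, rather than the broker guessing at an alias.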