We have been using Jetty SNI support for years now and are very happy
with it. We prefer not to do HTTPS offloading and have the Java server
process handle everything. Jetty takes care of this brilliantly.

I do have a question though: is there any way to provide the server with
the certificates to be used for SNI handling other than having them all
in a single key store file? Something like a directory with key store
files or perhaps even an array with File objects or something like that?

We currently manage ~100 certificates and managing them all using a
single key store file has become quite cumbersome. Different domain
names are mapped to different multi-tenant servers and these mappings
regularly change. We would prefer to assemble only the needed
certificates in each (embedded) Jetty instance, but since that would mean
we would somehow have to generate key stores on the fly, we use a single
key store that holds all possible certs.

Besides being wasteful, this also precludes generically allowing non-SNI
clients on servers that manage one single domain. Non-SNI clients are
not really a thing anymore but we have some clients who are worried
about Qualys SSL-check noting that their application only works for
clients that support SNI.

Cheers,
Silvio
_______________________________________________
jetty-users mailing list
jetty-users@eclipse.org