Hi,

On Thu, Jan 6, 2022 at 2:50 PM Silvio Bierman <sbier...@jambo-software.com> wrote:
>
> We have been using Jetty SNI support for years now and are very happy
> with it. We prefer not to do HTTPS offloading and have the Java server
> process handle everything. Jetty takes care of this brilliantly.

Great!

> I do have a question though: is there any way to provide the server with
> the certificates to be used for SNI handling other than having them all
> in a single key store file? Something like a directory with key store
> files or perhaps even an array with File objects or something like that?

The problem is that the Java APIs require a single KeyStore.
However, KeyStore and everything necessary for certificate retrieval/validation could be reimplemented, so you probably can write a KeyStore that handles certificates in directories.

A quick search:
https://github.com/Hakky54/sslcontext-kickstart
http://codyaray.com/2013/04/java-ssl-with-multiple-keystores
https://github.com/1and1/CompositeJKS
etc.

> We currently manage ~100 certificates and managing them all using a
> single key store file has become quite cumbersome. Different domain
> names are mapped to different multi-tenant servers and these mappings
> regularly change. We would prefer to assemble only the needed
> certificates in each (embedded) Jetty instance but since that would mean
> we would somehow have to generate key stores on the fly we use a single
> key store that holds all possible certs.

Generating the KeyStore on-the-fly is quite simple. We do this in the test-keystore shipped with jetty-home, so no big deal.
If you use 1 Jetty to handle 100s of KeyStores, then you need some sort of composite KeyStore (see links above).
If you use 100 Jettys each with its own KeyStore, then I would say the best is to generate the KeyStore on-the-fly.

> Besides being wasteful this also precludes generically allowing non-SNI
> clients on servers that manage one single domain. Non-SNI clients are
> not really a thing anymore but we have some clients who are worried
> about Qualys SSL-check noting that their application only works for
> clients that support SNI.

You can configure Jetty to allow non-SNI clients, so I am not sure why you think it's not possible?
See this:
https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html#og-protocols-ssl-sni

-- 
Simone Bordet
---
Finally, no matter how good the architecture and design are, to deliver bug-free software with optimal performance and reliability, the implementation technique must be flawless.
   Victoria Livschitz
_______________________________________________
jetty-users mailing list
jetty-users@eclipse.org
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
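The "generate the KeyStore on-the-fly" route Simone suggests, as an added example that is neither his code nor part of Jetty: every `*.p12` file found in a directory is merged into a single in-memory PKCS12 KeyStore (only key entries, since SNI needs private keys), which is then handed to `SslContextFactory.Server` via `setKeyStore(KeyStore)` so no combined store ever touches disk. Non-SNI clients are accepted with `setSniRequired(false)` (the default, shown explicitly), and `SecureRequestCustomizer.setSniHostCheck(true)` rejects requests whose Host header does not match the SNI name. The directory layout, the shared password taken from the `KEYSTORE_PASSWORD` environment variable, the alias scheme and port 8443 are all assumptions chosen for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/**
 * Added example (not Jetty code). Assumptions: each <dir>/<name>.p12 is a
 * PKCS12 store whose key entries use the same password as the store itself;
 * aliases are rebuilt as "<name>/<alias>" and only have to be unique, since
 * Jetty's SNI selection matches on certificate names, not aliases.
 */
public final class MergedKeyStoreSni {

    /** Merge the key entries of every *.p12 in dir into one in-memory PKCS12 store. */
    public static KeyStore mergeDirectory(Path dir, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore merged = KeyStore.getInstance("PKCS12");
        merged.load(null, null);                       // empty, in-memory only

        try (DirectoryStream<Path> files = Files.newDirectoryStream(dir, "*.p12")) {
            for (Path file : files) {
                KeyStore ks = KeyStore.getInstance("PKCS12");
                try (InputStream in = Files.newInputStream(file)) {
                    ks.load(in, password);
                }
                String prefix = file.getFileName().toString().replaceFirst("\\.p12$", "");
                for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
                    String alias = e.nextElement();
                    if (!ks.isKeyEntry(alias))
                        continue;                      // skip trust anchors; SNI needs private keys
                    Key key = ks.getKey(alias, password);
                    Certificate[] chain = ks.getCertificateChain(alias);
                    String newAlias = prefix + "/" + alias;
                    if (merged.containsAlias(newAlias))
                        throw new GeneralSecurityException("duplicate alias " + newAlias);
                    merged.setKeyEntry(newAlias, key, password, chain);
                }
            }
        }
        if (merged.size() == 0)
            throw new GeneralSecurityException("no key entries found under " + dir);
        return merged;
    }

    /** Build an HTTPS connector that serves the merged store with SNI. */
    public static Server buildServer(KeyStore keyStore, char[] password, int port) {
        Server server = new Server();

        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStore(keyStore);                     // never written to disk
        ssl.setKeyStorePassword(new String(password));
        ssl.setKeyManagerPassword(new String(password));
        ssl.setSniRequired(false);                     // default: non-SNI clients are accepted

        HttpConfiguration https = new HttpConfiguration();
        SecureRequestCustomizer src = new SecureRequestCustomizer();
        src.setSniHostCheck(true);                     // reject Host header != SNI name
        https.addCustomizer(src);

        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, "http/1.1"),
                new HttpConnectionFactory(https));
        connector.setPort(port);
        server.addConnector(connector);
        return server;
    }

    public static void main(String[] args) throws Exception {
        String pw = System.getenv("KEYSTORE_PASSWORD");  // assumption: one shared password
        if (pw == null)
            throw new IllegalStateException("KEYSTORE_PASSWORD not set");
        Path dir = Paths.get(args.length > 0 ? args[0] : "certs");
        KeyStore ks = mergeDirectory(dir, pw.toCharArray());
        Server server = buildServer(ks, pw.toCharArray(), 8443);
        server.start();
        server.join();
    }
}
```

Because the merged store lives only in memory, a mapping change means dropping a `.p12` into (or out of) the directory and restarting that one embedded instance; each server then carries only the certificates it actually serves, which is what the original post asked for. Per-file passwords would need a small lookup table instead of the single environment variable used here.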