Silvio,

Open a feature request on github and we'll look at this.   It might be
simply that we can add a mode that if no SNI matches are found then we
don't delegate to the normal key manager..... At least that would work if
you have all SNI capable keys.   If there is no SNI match and you want to
select from only those certs that don't have SNI, that will be more
difficult.

cheers



On Mon, 8 Jul 2019 at 19:48, Silvio Bierman <sbier...@jambo-software.com>
wrote:

> Hello Greg,
>
> The keystore contains both wildcard certs and non-wildcard certs, for a
> total of ~100 certs. If a request for a domain matching a cert comes in the
> right cert is selected, totally no issues there. But when there is no
> matching cert or no SNI info is provided I think the first cert in the
> keystore is served. That cert does not match the request and the client
> will reject it, of course. But the details of the cert are revealed that
> way which is what I want to prevent. For example Qualys SSL-labs will
> display a cert that it receives when trying a request without SNI, as in
>
>
> https://www.ssllabs.com/ssltest/analyze.html?d=zakelijkpanel.kpn.com&hideResults=on
>
> So if no matching cert or no SNI info is present I want to 400 or
> something.
>
> Kind regards,
>
> Silvio
>
>
> On 08-07-19 19:32, Greg Wilkins wrote:
>
> Silvio,
>
> I'm sorry, but we are going to need more info than that.  Can you describe
> precisely the setup you have with regards to what certs are in your
> keystore and what sort of cert they are (eg wild cards etc.).  Then give us
> an example of exactly what you mean by random cert?
>
> Typically jetty tries to defer as much as possible to the default
> implementations, so if we can't select a cert by SNI, we are probably
> letting the JRE libs do the selection... but perhaps we are doing something
> wrong... so do tell us more.
>
> cheers
>
>
> On Mon, 8 Jul 2019 at 18:56, Silvio Bierman <sbier...@jambo-software.com>
> wrote:
>
>> Hello all,
>>
>> I am using Jetty as my HTTPS front-end and have a keystore containing
>> multiple certificates which are selected via Jetty SNI support. But when
>> a request without proper SNI info arrives Jetty presents a sort-of
>> random certificate. Is there a way to prevent this and just have the
>> request fail instead?
>>
>> Thanks in advance,
>>
>> Silvio
>> _______________________________________________
>> jetty-users mailing list
>> jetty-users@eclipse.org
>> To change your delivery options, retrieve your password, or unsubscribe
>> from this list, visit
>> https://www.eclipse.org/mailman/listinfo/jetty-users
>>
>
>
> --
> Greg Wilkins <gr...@webtide.com> CTO http://webtide.com
>



-- 
Greg Wilkins <gr...@webtide.com> CTO http://webtide.com
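The "don't delegate to the normal key manager when there is no SNI match" mode Greg sketches can be prototyped in plain JSSE, independently of Jetty. The class below is an added example written for this thread; it is not Jetty code and not a Jetty API. It assumes the JRE's default X509ExtendedKeyManager over a JKS/PKCS12 keystore, matches the SNI host against the dNSName SANs of each alias's leaf certificate (exact or single-label wildcard, per RFC 6125), and returns no alias when the client sent no SNI or nothing matches. JSSE then has no certificate to present and aborts the handshake, so a probe without SNI (the SSL Labs case above) sees a handshake failure instead of the first certificate in the keystore. Wiring it into Jetty's SslContextFactory, which builds its own key managers, is not covered here.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.StandardConstants;
import javax.net.ssl.X509ExtendedKeyManager;

/* Hypothetical strict-SNI key manager (added example, not Jetty code). It wraps the JRE's
 * default key manager and only returns an alias whose leaf cert has a dNSName SAN matching
 * the SNI host. No SNI, or no match, yields null: JSSE then has no cert to present and
 * aborts the handshake instead of serving the first keystore entry. */
public final class StrictSniKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;
    public StrictSniKeyManager(X509ExtendedKeyManager delegate) { this.delegate = delegate; }

    /** Builds an SSLContext whose X.509 key managers are all wrapped by this class. */
    public static SSLContext contextFor(KeyStore keyStore, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509ExtendedKeyManager) kms[i] = new StrictSniKeyManager((X509ExtendedKeyManager) kms[i]);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, null, null);   // default trust managers and SecureRandom
        return ctx;
    }

    // NIO path, the one Jetty's connectors use.
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        return chooseStrict(keyType, issuers, requestedHost(engine.getHandshakeSession()));
    }

    // Blocking-socket path, kept strict as well so SSLServerSocket users get the same behaviour.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        SSLSession s = socket instanceof SSLSocket ? ((SSLSocket) socket).getHandshakeSession() : null;
        return chooseStrict(keyType, issuers, requestedHost(s));
    }

    private String chooseStrict(String keyType, Principal[] issuers, String host) {
        if (host == null) return null;                 // no SNI: refuse rather than leak an arbitrary cert
        String[] aliases = delegate.getServerAliases(keyType, issuers);
        if (aliases == null) return null;
        for (String alias : aliases) {
            X509Certificate[] chain = delegate.getCertificateChain(alias);
            if (chain != null && chain.length > 0 && matches(chain[0], host)) return alias;
        }
        return null;                                   // SNI present but nothing matches: fail the handshake
    }

    /** The host_name SNI value from the handshake session, lower-cased, or null if absent. */
    static String requestedHost(SSLSession session) {
        if (!(session instanceof ExtendedSSLSession)) return null;
        for (SNIServerName name : ((ExtendedSSLSession) session).getRequestedServerNames()) {
            if (name.getType() == StandardConstants.SNI_HOST_NAME)
                return ((SNIHostName) name).getAsciiName().toLowerCase(Locale.ROOT);
        }
        return null;
    }

    /** True if a dNSName SAN (GeneralName type 2) covers host, exactly or by a single-label wildcard. */
    static boolean matches(X509Certificate cert, String host) {
        Collection<List<?>> sans;
        try { sans = cert.getSubjectAlternativeNames(); } catch (CertificateParsingException e) { return false; }
        if (sans == null) return false;
        for (List<?> san : sans) {
            if (Integer.valueOf(2).equals(san.get(0)) && hostMatches(((String) san.get(1)).toLowerCase(Locale.ROOT), host)) return true;
        }
        return false;
    }

    /** RFC 6125 rule: "*.example.com" covers "a.example.com" but not "example.com" or "a.b.example.com". */
    static boolean hostMatches(String pattern, String host) {
        if (!pattern.startsWith("*.")) return pattern.equals(host);
        String suffix = pattern.substring(1);          // ".example.com"
        if (!host.endsWith(suffix)) return false;
        String label = host.substring(0, host.length() - suffix.length());
        return !label.isEmpty() && label.indexOf('.') < 0;
    }

    // Everything else is delegated unchanged.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return delegate.chooseClientAlias(keyType, issuers, socket); }
    @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) { return delegate.chooseEngineClientAlias(keyType, issuers, engine); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```

Two caveats worth keeping in mind. First, the "400 or something" asked for above cannot happen at this layer: no HTTP request exists until the TLS handshake has completed, so the only refusal available is a failed handshake (the client sees a handshake_failure alert). Second, this is deliberately all-or-nothing: any client that does not send SNI, including old tooling and some health checkers, can no longer connect at all, which is the trade-off for never revealing a non-matching certificate.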