Jetty versions > 9 have SNI checking enabled by default, verifying that if an SNI value were specified that the host being asked for is a match for the details of the server certificate. As a result newer Jetty versions can refuse requests that older Jetty versions allow.
The SNI checking behaviour in Jetty is configurable, so e.g. the ability to pass through such SNI config to the programatically-created embedded Jetty instance was added in Artemis a couple years ago, via: https://issues.apache.org/jira/browse/ARTEMIS-4245 As https://issues.apache.org/jira/browse/ARTEMIS-3968 (the original request for adding such config) covers, and as you suspected, the issue is also fixable by ensuring the server certificate matches what clients ask for...either by ensuring the clients use the correct host for the certificates current details, or by ensuring the certs SAN etc details can allow for whatever host clients are actually requesting. On Tue, 12 Aug 2025 at 20:32, Matt Pavlovich <mattr...@apache.org> wrote: > > ActiveMQ is not doing anything specific regarding SNI for Jetty. I suspect > certificate or environment issues. > > Matt Pavlovich > > > On Aug 12, 2025, at 2:01 PM, Jason Jackson > > <jason.jack...@itechag.com.INVALID> wrote: > > > > Has anyone had success with disabling or setting SNI in ActiveMQ Classic > > jetty.xml? > > > > I have tried everything I have seen posted on the Jetty web site and what I > > have found in other area and nothing seems to work. > > > > I am attempting to plae a load balancer in front of some ActiveMQ instance > > and it always fails with SNI errors. I have tried pass-thru as well as > > termminating at the LB and re-initializing a new cpmnection but no luck. > > > > Here is what I have set > > > > > > <property name="sniRequired" value="false" /> > > > > -Djetty.sslContext.sniRequired=false -Djetty.ssl.sniRequired=false > > -Djetty.ssl.sniHostCheck=false > > > > > > > > > > > > Jason > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@activemq.apache.org > For additional commands, e-mail: users-h...@activemq.apache.org > For further information, visit: https://activemq.apache.org/contact > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@activemq.apache.org For additional commands, e-mail: users-h...@activemq.apache.org For further information, visit: https://activemq.apache.org/contact
