Date: Fri, 2 Dec 2016 15:04:58 +0000 (UTC)
From: "Keith Wall (JIRA)"
To: dev@hc.apache.org
Subject: [jira] [Closed] (HTTPCLIENT-1790) [Java Broker] Select appropriate certificate for TLS based on SNIServerName

[ https://issues.apache.org/jira/browse/HTTPCLIENT-1790?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Keith Wall closed HTTPCLIENT-1790.
----------------------------------
    Resolution: Not A Problem

> [Java Broker] Select appropriate certificate for TLS based on SNIServerName
> ----------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1790
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1790
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>            Reporter: Keith Wall
>             Fix For: Future
>
>
> Enable SNI support for the Java Broker.
> We will need an X509ExtendedKeyManager implementation that gets the SNIServerName from the SSL handshakes and then selects the most appropriate certificate alias for the indicated hostname.
> I found the following example helpful:
> https://github.com/grahamedgecombe/netty-sni-example/blob/master/src/main/java/SniKeyManager.java
> https://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html
> This change requires Java 8, but it is probably possible to retain support for Java 7 using reflection.
> It looks to me like the clients (Qpid JMS Client and Legacy) require no changes. They both pass the hostname through to the SSLEngine, so the SNIServerName should already be passed through. Client side support in Java was added at Java 7.
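
The key manager the issue description asks for, sketched as an added example; it is not code from this thread, from the linked SniKeyManager.java, or from any Apache project. The class name `SniAliasKeyManager`, the `defaultAlias` parameter and the convention that each key store alias equals the lower-case host name it serves are assumptions made for illustration.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Locale;
import javax.net.ssl.*;

// Added example. Assumption: each key store alias is the lower-case host name it serves.
public final class SniAliasKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate; // e.g. the manager built by KeyManagerFactory
    private final String defaultAlias;             // used when no SNI name matches
    public SniAliasKeyManager(X509ExtendedKeyManager delegate, String defaultAlias) {
        this.delegate = delegate;
        this.defaultAlias = defaultAlias;
    }

    // SSLEngine-based servers: read the names from the in-progress handshake session (Java 8).
    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        return select(engine.getHandshakeSession(), keyType, issuers);
    }

    // Socket-based servers take the same path.
    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        SSLSession s = socket instanceof SSLSocket ? ((SSLSocket) socket).getHandshakeSession() : null;
        return select(s, keyType, issuers);
    }
    private String select(SSLSession session, String keyType, Principal[] issuers) {
        String[] usable = delegate.getServerAliases(keyType, issuers); // null if none fit keyType
        if (usable == null) return null;
        if (session instanceof ExtendedSSLSession) {
            for (SNIServerName n : ((ExtendedSSLSession) session).getRequestedServerNames()) {
                if (!(n instanceof SNIHostName)) continue; // skip unknown name types
                String alias = ((SNIHostName) n).getAsciiName().toLowerCase(Locale.ROOT);
                if (Arrays.asList(usable).contains(alias)) return alias;
            }
        }
        // No SNI match: fall back only if the default alias suits this key type.
        return Arrays.asList(usable).contains(defaultAlias) ? defaultAlias : null;
    }

    // Everything else is delegated unchanged.
    @Override public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
    @Override public String[] getClientAliases(String t, Principal[] i) { return delegate.getClientAliases(t, i); }
    @Override public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return delegate.chooseClientAlias(t, i, s); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```

Because the alias is only returned when the delegate already lists it for the requested key type, a client-supplied SNI value can never select a key store entry the server would not otherwise have been willing to serve.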