qpid-dev mailing list archives

From "Keith Wall (JIRA)" <j...@apache.org>
Subject [jira] [Created] (QPID-7567) [Java Broker] Select appropriate certificate for TLS based on SNIServerName
Date Fri, 02 Dec 2016 15:06:58 GMT
Keith Wall created QPID-7567:
--------------------------------

             Summary: [Java Broker] Select appropriate certificate for TLS based on SNIServerName
                 Key: QPID-7567
                 URL: https://issues.apache.org/jira/browse/QPID-7567
             Project: Qpid
          Issue Type: Improvement
          Components: Java Broker
            Reporter: Keith Wall


Enable SNI support for the Java Broker.
We will need an X509ExtendedKeyManager implementation that gets the SNIServerName from the
SSL handshakes and then selects the most appropriate certificate alias for the indicated hostname.
I found the following example helpful:
https://github.com/grahamedgecombe/netty-sni-example/blob/master/src/main/java/SniKeyManager.java
https://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html
This change requires Java 8, but it is probably possible to retain support for Java 7 using
reflection.
It looks to me like the clients (Qpid JMS Client and Legacy) require no changes. They both
pass the hostname through to the SSLEngine, so the SNIServerName should already be passed
through. Client-side support in Java was added in Java 7.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
