
[Broker-J] Select appropriate certificate for TLS based on SNIServerName


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: qpid-java-broker-7.1.0
    • Component/s: Broker-J
    • Labels: None

      Description

      Enable SNI support for the Java Broker.
      We will need an X509ExtendedKeyManager implementation that gets the SNIServerName from the SSL handshake and then selects the most appropriate certificate alias for the indicated hostname.
      I found the following examples helpful:
      https://github.com/grahamedgecombe/netty-sni-example/blob/master/src/main/java/SniKeyManager.java
      https://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html
      This change requires Java 8, but it is probably possible to retain support for Java 7 using reflection.
      It looks to me like the clients (Qpid JMS Client and Legacy) require no changes. They both pass the hostname through to the SSLEngine, so the SNIServerName should already be passed through. Client-side support in Java was added in Java 7.
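      The following is an added illustration of the key manager the description calls for; it is not Broker-J's implementation and not code from the linked example. It wraps an existing X509ExtendedKeyManager (for instance one obtained from a KeyManagerFactory), indexes each server alias by the DNS names in its certificate's Subject Alternative Name extension, and in chooseEngineServerAlias reads the SNI host_name from the engine's handshake session (ExtendedSSLSession.getRequestedServerNames(), Java 8). A hostname that matches exactly, or via a single-label wildcard entry, selects that alias; anything else falls back to the wrapped key manager, so a client that sends no SNI still gets the default certificate. Assumptions, as noted in the code: only RSA and EC key types are indexed, only the SSLEngine path is handled (the SSLSocket path delegates unchanged), and the subject CN fallback is omitted in favour of SAN entries.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.StandardConstants;
import javax.net.ssl.X509ExtendedKeyManager;

/** Chooses the server alias from the client's SNI host_name; falls back to the wrapped key manager. */
public final class SniSelectingKeyManager extends X509ExtendedKeyManager {
    private static final String[] KEY_TYPES = {"RSA", "EC"}; // indexed at construction (simplifying assumption)
    private static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName

    private final X509ExtendedKeyManager delegate;
    // "keyType|hostname" -> alias, built once from the delegate's server aliases
    private final Map<String, String> aliasByKeyTypeAndHost = new HashMap<>();

    public SniSelectingKeyManager(X509ExtendedKeyManager delegate) {
        this.delegate = delegate;
        for (String keyType : KEY_TYPES) {
            String[] aliases = delegate.getServerAliases(keyType, null);
            if (aliases == null) continue;
            for (String alias : aliases) {
                X509Certificate[] chain = delegate.getCertificateChain(alias);
                if (chain == null || chain.length == 0) continue;
                for (String host : hostNamesOf(chain[0])) {
                    aliasByKeyTypeAndHost.putIfAbsent(keyType + "|" + host, alias);
                }
            }
        }
    }

    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        String alias = aliasFor(keyType, requestedHostName(engine.getHandshakeSession()));
        return alias != null ? alias : delegate.chooseEngineServerAlias(keyType, issuers, engine);
    }

    /** The host_name entry of the SNI extension, or null if the client sent none. */
    static String requestedHostName(SSLSession handshakeSession) {
        if (!(handshakeSession instanceof ExtendedSSLSession)) return null;
        try {
            for (SNIServerName name : ((ExtendedSSLSession) handshakeSession).getRequestedServerNames()) {
                if (name.getType() == StandardConstants.SNI_HOST_NAME && name instanceof SNIHostName) {
                    return ((SNIHostName) name).getAsciiName();
                }
            }
        } catch (UnsupportedOperationException e) {
            // Provider without server-side SNI support: behave as if no name was sent
        }
        return null;
    }

    /** Exact match first, then a single-label wildcard such as *.example.com (RFC 6125). */
    private String aliasFor(String keyType, String requestedHost) {
        if (requestedHost == null) return null;
        String host = requestedHost.toLowerCase(Locale.ROOT);
        String alias = aliasByKeyTypeAndHost.get(keyType + "|" + host);
        int dot = host.indexOf('.');
        if (alias == null && dot > 0) {
            alias = aliasByKeyTypeAndHost.get(keyType + "|*" + host.substring(dot));
        }
        return alias;
    }

    /** DNS names from the certificate's SAN extension (CN fallback omitted; see RFC 6125). */
    static List<String> hostNamesOf(X509Certificate cert) {
        List<String> names = new ArrayList<>();
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans == null) return names; // no SAN extension at all
            for (List<?> san : sans) {
                if (((Integer) san.get(0)) == SAN_DNS_NAME) {
                    names.add(((String) san.get(1)).toLowerCase(Locale.ROOT));
                }
            }
        } catch (CertificateParsingException e) {
            // Malformed SAN extension: the certificate simply matches no SNI name
        }
        return names;
    }

    // Everything else is passed straight through to the wrapped key manager.
    @Override public String chooseClientAlias(String[] k, Principal[] i, Socket s) { return delegate.chooseClientAlias(k, i, s); }
    @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return delegate.chooseServerAlias(k, i, s); }
    @Override public String chooseEngineClientAlias(String[] k, Principal[] i, SSLEngine e) { return delegate.chooseEngineClientAlias(k, i, e); }
    @Override public String[] getClientAliases(String k, Principal[] i) { return delegate.getClientAliases(k, i); }
    @Override public String[] getServerAliases(String k, Principal[] i) { return delegate.getServerAliases(k, i); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
}
```

      To use it, wrap the key managers returned by KeyManagerFactory.getKeyManagers() before building the SSLContext; the engine's handshake session exposes the requested server names only after the ClientHello has been parsed, which is the point at which the JSSE calls chooseEngineServerAlias. Keying the index by key type as well as hostname matters because the JSSE asks for an alias per key type negotiated from the cipher suite, and an EC alias returned for an RSA request would fail the handshake.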


            People

            • Assignee: Keith Wall (kwall)
            • Reporter: Keith Wall (kwall)
