FELIX-6846 Add SNI configuration support for Jetty 12#522
Open
paulrutter wants to merge 8 commits into
Conversation
paulrutter
commented
Jun 24, 2026
Contributor
- Add three new config properties:
  - org.apache.felix.https.sslContext.sniRequired (TLS level, default false)
  - org.apache.felix.https.ssl.sniRequired (HTTP level, default false)
  - org.apache.felix.https.ssl.sniHostCheck (HTTP level, default true)
- Wire sslContext.sniRequired into SslContextFactory.Server.setSniRequired()
- Wire ssl.sniRequired and ssl.sniHostCheck into SecureRequestCustomizer
- Register all three in ConfigMetaTypeProvider
- Document all three in http/README.md
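As an added illustration (not code from this PR, Felix or Jetty), the plain Jetty 12 wiring that the three properties map onto; it assumes the properties arrive as a string map, and the keystore path and password are placeholders. The comments spell out the practical difference between the TLS-level and the HTTP-level setting.

```java
import java.util.Map;

import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// Stand-alone sketch (not Felix code) of what the three properties map onto in Jetty 12.
public final class SniWiringExample {

    // Property names from the PR; the values are supplied by the caller of buildHttpsConnector().
    static final String CTX_SNI_REQUIRED = "org.apache.felix.https.sslContext.sniRequired";
    static final String HTTP_SNI_REQUIRED = "org.apache.felix.https.ssl.sniRequired";
    static final String HTTP_SNI_HOST_CHECK = "org.apache.felix.https.ssl.sniHostCheck";

    static boolean flag(Map<String, String> cfg, String key, boolean dflt) {
        String v = cfg.get(key);
        return v == null ? dflt : Boolean.parseBoolean(v.trim());
    }

    static ServerConnector buildHttpsConnector(Server server, Map<String, String> cfg) {
        // TLS level: with sniRequired, a ClientHello without SNI fails the handshake;
        // the client never gets an HTTP response.
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath("/path/to/keystore.p12"); // placeholder
        ssl.setKeyStorePassword("changeit");          // placeholder
        ssl.setSniRequired(flag(cfg, CTX_SNI_REQUIRED, false));

        // HTTP level: the handshake completes, but a request on a connection that sent no
        // SNI (sniRequired) or whose Host header does not match the SNI name / certificate
        // (sniHostCheck) is answered with 400 Bad Request.
        SecureRequestCustomizer customizer = new SecureRequestCustomizer();
        customizer.setSniRequired(flag(cfg, HTTP_SNI_REQUIRED, false));
        customizer.setSniHostCheck(flag(cfg, HTTP_SNI_HOST_CHECK, true));

        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.addCustomizer(customizer);

        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpConfig));
        connector.setPort(8443);
        return connector;
    }
}
```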
- Add three new config properties:
  - org.apache.felix.https.sslContext.sniRequired (TLS level, default false)
  - org.apache.felix.https.ssl.sniRequired (HTTP level, default false)
  - org.apache.felix.https.ssl.sniHostCheck (HTTP level, default true)
- Wire sslContext.sniRequired into SslContextFactory.Server.setSniRequired()
- Wire ssl.sniRequired and ssl.sniHostCheck into SecureRequestCustomizer
- Register all three in ConfigMetaTypeProvider
- Document all three in http/README.md
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- JettySniIT verifies org.apache.felix.https.ssl.sniRequired=true: hostname connections send SNI and receive 200 OK, IP address connections omit SNI (RFC 6066) and receive 400 Bad Request
- Add SNI property table to http/jetty12/README
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Regenerate test-keystore.p12 with SAN (dns:localhost, ip:127.0.0.1) so Jetty's sniHostCheck can validate the certificate properly
- JettySniIT: disable sniHostCheck to isolate sniRequired behaviour; hostname connection (SNI sent) -> 200, IP connection (no SNI) -> 400
- JettySniHostCheckIT: tests sniHostCheck=true (default); matching Host header -> 200, mismatched Host header -> 400
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The OpenJDK TLS stack does not send SNI for non-domain names such as "localhost", so the previous JettySniIT hostname case never sent SNI and was rejected. Use Jetty's NON_DOMAIN_SNI_PROVIDER to force SNI when a positive (SNI present) result is expected.
- JettySniIT (org.apache.felix.https.ssl.sniRequired, HTTP level): SNI sent -> 200, no SNI -> 400 Bad Request
- JettySniContextRequiredIT (org.apache.felix.https.sslContext.sniRequired, TLS level): SNI sent -> 200, no SNI -> TLS handshake failure
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Enabling HTTPS via ConfigAdmin happens after initial startup and restarts Jetty, briefly unregistering the HttpService. Reading the secure port from the service reference could hit a null reference (NPE). Await the service with Awaitility before reading the port in all three SNI integration tests. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This existing property (default false) was missing from the properties table. When true, the server waits for a Configuration Admin configuration before starting instead of starting immediately. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The SNI properties are already documented in the main http/README.md properties table; the jetty12 README addition was unnecessary. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>