4 changes: 4 additions & 0 deletions http/README.md
Expand Up @@ -398,6 +398,7 @@ properties can be used (some legacy property names still exist but are not docum
| `org.apache.felix.http.timeout` | Connection timeout in milliseconds. The default is `60000` (60 seconds). |
| `org.apache.felix.http.session.timeout` | Allows for the specification of the Session life time as a number of minutes. This property serves the same purpose as the `session-timeout` element in a Web Application descriptor. The default is "0" (zero) for no timeout at all. |
| `org.apache.felix.http.enable` | Flag to enable the use of HTTP. The default is `true`. |
| `org.apache.felix.http.require.config` | If `true`, the server does not start until an OSGi configuration (via Configuration Admin) has been received, rather than starting immediately with the OSGi environment properties. The default is `false`. |
| `org.apache.felix.https.enable` | Flag to enable the user of HTTPS. The default is `false`. |
| `org.apache.felix.https.keystore` | The name of the file containing the keystore. |
| `org.apache.felix.https.keystore.password` | The password for the keystore. |
Expand All @@ -410,6 +411,9 @@ properties can be used (some legacy property names still exist but are not docum
| `org.apache.felix.https.jetty.protocols.excluded` | Configures comma-separated list of SSL protocols (e.g. SSLv3, TLSv1.0, TLSv1.1, TLSv1.2) to *exclude*. Default is `null`, meaning that no protocol is excluded. |
| `org.apache.felix.https.jetty.protocols.included` | Configures comma-separated list of SSL protocols to *include*. Default is `null`, meaning that the default protocols are used. |
| `org.apache.felix.https.clientcertificate` | Flag to determine if the HTTPS protocol requires, wants or does not use client certificates. Legal values are `needs`, `wants` and `none`. The default is `none`. |
| `org.apache.felix.https.sslContext.sniRequired` | Whether SNI is required at the TLS level. When `true`, clients that don't send a valid SNI receive a TLS failure. Default is `false`. See [Jetty SNI docs](https://jetty.org/docs/jetty/12/operations-guide/protocols/index.html#ssl-sni). Added in Jetty12 2.0.2 / 1.2.2. |
| `org.apache.felix.https.ssl.sniRequired` | Whether SNI is required at the HTTP level. When `true`, clients without a valid SNI receive a `400 Bad Request`. Default is `false`. See [Jetty SNI docs](https://jetty.org/docs/jetty/12/operations-guide/protocols/index.html#ssl-sni). Added in Jetty12 2.0.2 / 1.2.2. |
| `org.apache.felix.https.ssl.sniHostCheck` | Whether the SNI hostname must match the `Host` header. Default is `true`. See [Jetty SNI docs](https://jetty.org/docs/jetty/12/operations-guide/protocols/index.html#ssl-sni). Added in Jetty12 2.0.2 / 1.2.2. |
| `org.apache.felix.http.jetty.headerBufferSize` | Size of the buffer for request and response headers, in bytes. Default is 16 KB. |
| `org.apache.felix.http.jetty.requestBufferSize` | Size of the buffer for requests not fitting the header buffer, in bytes. Default is 8 KB. |
| `org.apache.felix.http.jetty.responseBufferSize` | Size of the buffer for responses, in bytes. Default is 24 KB. |
Expand Up @@ -225,6 +225,24 @@ public ObjectClassDefinition getObjectClassDefinition( String id, String locale
-1,
bundle.getBundleContext().getProperty(JettyConfig.FELIX_JETTY_ACCEPT_QUEUE_SIZE)));

adList.add(new AttributeDefinitionImpl(JettyConfig.FELIX_HTTPS_SNI_CONTEXT_REQUIRED,
"SNI required at TLS level",
"Whether SNI is required at the TLS level. Clients without a valid SNI receive a TLS failure. Defaults to false.",
false,
bundle.getBundleContext().getProperty(JettyConfig.FELIX_HTTPS_SNI_CONTEXT_REQUIRED)));

adList.add(new AttributeDefinitionImpl(JettyConfig.FELIX_HTTPS_SNI_REQUIRED,
"SNI required at HTTP level",
"Whether SNI is required at the HTTP level. Clients without a valid SNI receive a 400 Bad Request. Defaults to false.",
false,
bundle.getBundleContext().getProperty(JettyConfig.FELIX_HTTPS_SNI_REQUIRED)));

adList.add(new AttributeDefinitionImpl(JettyConfig.FELIX_HTTPS_SNI_HOST_CHECK,
"SNI host check",
"Whether the SNI hostname must match the Host header. Defaults to true.",
true,
bundle.getBundleContext().getProperty(JettyConfig.FELIX_HTTPS_SNI_HOST_CHECK)));

adList.add(new AttributeDefinitionImpl(JettyConfig.FELIX_JETTY_ERROR_PAGE_CUSTOM_HEADERS,
"Custom headers to add to error pages",
"Felix specific property to configure the custom headers to add to all error pages served by Jetty. Separate key-value pairs with ##.",
Expand Up @@ -153,6 +153,15 @@ public final class JettyConfig
/** Felix specific properties to be able to disable renegotiation protocol for TLSv1 */
public static final String FELIX_JETTY_RENEGOTIATION_ALLOWED = "org.apache.felix.https.jetty.renegotiateAllowed";

/** Felix specific property to require SNI at the TLS level. Defaults to false. See https://jetty.org/docs/jetty/12/operations-guide/protocols/index.html#ssl-sni */
public static final String FELIX_HTTPS_SNI_CONTEXT_REQUIRED = "org.apache.felix.https.sslContext.sniRequired";

/** Felix specific property to require SNI at the HTTP level (returns 400 on mismatch). Defaults to false. See https://jetty.org/docs/jetty/12/operations-guide/protocols/index.html#ssl-sni */
public static final String FELIX_HTTPS_SNI_REQUIRED = "org.apache.felix.https.ssl.sniRequired";

/** Felix specific property to check that the SNI hostname matches the Host header. Defaults to true. See https://jetty.org/docs/jetty/12/operations-guide/protocols/index.html#ssl-sni */
public static final String FELIX_HTTPS_SNI_HOST_CHECK = "org.apache.felix.https.ssl.sniHostCheck";

/** Felix specific property to control whether to enable Proxy/Load Balancer Connection */
public static final String FELIX_PROXY_LOAD_BALANCER_CONNECTION_ENABLE = "org.apache.felix.proxy.load.balancer.connection.enable";

Expand Down Expand Up @@ -618,6 +627,18 @@ public boolean isRenegotiationAllowed() {
return getBooleanProperty(FELIX_JETTY_RENEGOTIATION_ALLOWED, false);
}

public boolean isSniContextRequired() {
return getBooleanProperty(FELIX_HTTPS_SNI_CONTEXT_REQUIRED, false);
}

public boolean isSniRequired() {
return getBooleanProperty(FELIX_HTTPS_SNI_REQUIRED, false);
}

public boolean isSniHostCheck() {
return getBooleanProperty(FELIX_HTTPS_SNI_HOST_CHECK, true);
}

public String getHttpServiceName()
{
return (String) getProperty(FELIX_HTTP_SERVICE_NAME);
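Review bot: The Javadoc on `FELIX_HTTPS_SNI_REQUIRED` in the first hunk says the property "returns 400 on mismatch", but the README row and the metatype description for the same property describe a 400 for clients that send no valid SNI; a Host-header mismatch is what `FELIX_HTTPS_SNI_HOST_CHECK` governs, so the three descriptions of one setting currently disagree. Suggest `/** Felix specific property to require SNI at the HTTP level (clients without a valid SNI receive a 400 Bad Request). Defaults to false. See https://jetty.org/docs/jetty/12/operations-guide/protocols/index.html#ssl-sni */`. The three new getters in the second hunk carry no Javadoc while the constants they read do; a one-liner each naming the property and default, e.g. `/** @return whether SNI is required at the TLS level ({@link #FELIX_HTTPS_SNI_CONTEXT_REQUIRED}); defaults to {@code false}. */`, would keep the configuration surface self-describing. The enclosing class starts and ends outside both hunks.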
Expand Up @@ -578,7 +578,10 @@ private boolean initializeHttps()
);

HttpConfiguration httpConfiguration = connFactory.getHttpConfiguration();
httpConfiguration.addCustomizer(new SecureRequestCustomizer());
SecureRequestCustomizer secureRequestCustomizer = new SecureRequestCustomizer();
secureRequestCustomizer.setSniRequired(this.config.isSniRequired());
secureRequestCustomizer.setSniHostCheck(this.config.isSniHostCheck());
httpConfiguration.addCustomizer(secureRequestCustomizer);

if (this.config.isProxyLoadBalancerConnection())
{
Expand Down Expand Up @@ -751,6 +754,7 @@ else if ("needs".equalsIgnoreCase(this.config.getClientcert()))
}

connector.setRenegotiationAllowed(this.config.isRenegotiationAllowed());
connector.setSniRequired(this.config.isSniContextRequired());
}

private void configureConnector(final ServerConnector connector, int port)
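Review bot: The two `setSniRequired` calls enforce different things: the one on `secureRequestCustomizer` in the first hunk rejects requests at the HTTP level, the one on `connector` in the second hunk fails the TLS handshake, and nothing at either call site says which is which, so a reader wiring `isSniRequired` and `isSniContextRequired` to the wrong receiver would not notice. Suggest a short comment at each, e.g. `// HTTP-level SNI enforcement: missing/invalid SNI -> 400; Host header compared to SNI when sniHostCheck is set` above the customizer setters and `// TLS-level SNI enforcement: missing/invalid SNI fails the handshake` above `connector.setSniRequired`. If the receiver in the second hunk is Jetty's `SslContextFactory.Server` (the variable name suggests a connector, but `setRenegotiationAllowed` and `setSniRequired` live on the factory), the defaults chosen in the config, `false`/`false`/`true`, match Jetty 12's own defaults for these settings, so deployments that set none of the new properties should keep their current behaviour; that is worth stating in the commit description. `initializeHttps` and the method holding the second hunk both start and end outside the hunks.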