
Add support for SNI (Server Name Indication) for the HTTP server #17036

Merged
merged 1 commit into from
May 7, 2021

Conversation

cescoffier
Member

With SNI enabled, the server can handle multiple certificates. During the TLS handshake, the client indicates the service name, allowing the service to look for the correct certificate and complete the handshake.

The JKS and PKCS12 formats allow the key stores to contain multiple certificates. However, the PEM format does not allow that. For this reason, the configuration of the PEM certificate and key now accepts lists of paths. The previous (singular) forms are deprecated but still supported.

SNI must be enabled explicitly as the server cannot verify if the key stores contain multiple certificates (JKS / PKCS12).

This commit does not enable SNI on gRPC, as the gRPC server does not handle it. See vert-x3/vertx-grpc#70 for details.

Fix #16851
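A way to verify, from the operator's side, that an SNI-enabled server such as the one described above really hands out a different certificate per requested name. This is an added example, not code from the pull request or from Quarkus; the host, port and hostnames are constructed placeholders, and the matching helpers implement ordinary DNS-name/SAN matching rather than any Quarkus API.

```python
"""Check which certificate a TLS server presents for each SNI name.
Added example; host, port, hostnames and CA file are constructed placeholders."""
import socket
import ssl


def cert_names(cert: dict) -> set:
    """Collect the DNS names a getpeercert()-style dict is valid for:
    subjectAltName DNS entries, falling back to the subject commonName."""
    names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.add(value.lower())
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """Match a hostname against one certificate name; a leading '*.'
    covers exactly one label, never deeper subdomains."""
    hostname = hostname.lower()
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def cert_covers(cert: dict, hostname: str) -> bool:
    """True when any name in the certificate matches the requested SNI name."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def fetch_cert(host: str, port: int, server_name: str, cafile=None) -> dict:
    """Open a TLS connection sending `server_name` in the SNI extension and
    return the leaf certificate the server chose. Hostname checking is done
    by cert_covers() instead of the context, so a mismatch is reported rather
    than raised; chain verification against `cafile` stays on."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Constructed values: a server configured with several PEM cert/key pairs and SNI on.
    for name in ("app.example.test", "api.example.test"):
        cert = fetch_cert("127.0.0.1", 8443, name, cafile="ca.pem")
        print(name, "->", sorted(cert_names(cert)), "covers:", cert_covers(cert, name))
```

If every name comes back with the same certificate, SNI was not enabled or the extra PEM pairs were not picked up; with SNI off the server always serves the first certificate it loaded.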

@cescoffier cescoffier requested a review from stuartwdouglas May 6, 2021 06:18
@quarkus-bot

quarkus-bot bot commented May 6, 2021

Thanks for your pull request!

The title of your pull request does not follow our editorial rules. Could you have a look?

  • title should not end up with dot

This message is automatically generated by a bot.

@cescoffier cescoffier changed the title Add support for SNI (Server Name Indication) for the HTTP server. Add support for SNI (Server Name Indication) for the HTTP server May 6, 2021
Member

@stuartwdouglas stuartwdouglas left a comment


Looks good except for that one comment.
