Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SNI does not work with PKIX #5204

Closed
sbordet opened this issue Aug 26, 2020 · 0 comments · Fixed by #5205
Closed

SNI does not work with PKIX #5204

sbordet opened this issue Aug 26, 2020 · 0 comments · Fixed by #5205
Assignees
@sbordet
Labels
Enhancement High Priority JVM Issue Issue present in a JVM Runtime Sponsored This issue affects a user with a commercial support agreement
Projects
Jetty 9.4.32

Comments

@sbordet
Copy link
Contributor

sbordet commented Aug 26, 2020

Jetty version
9.4.x

Description
When setting SslContextFactory.Server.setKeyManagerFactoryAlgorithm("PKIX"), and the keystore contains multiple aliases to support SNI, the wrong alias is chosen for the server certificate, causing a TLS handshake error.

This is caused to https://bugs.openjdk.java.net/browse/JDK-8246262.
There are reports that not only the OpenJDK implementation "leaks" internal mangled aliases, but also the BouncyCastle implementation, which mangles the aliases in a different way than OpenJDK.

There is a need to workaround this issue to be able to use the PKIX algorithm.
@sbordet sbordet self-assigned this Aug 26, 2020
@sbordet sbordet added Enhancement High Priority JVM Issue Issue present in a JVM Runtime Sponsored This issue affects a user with a commercial support agreement labels Aug 26, 2020
@sbordet sbordet added this to To do in Jetty 9.4.32 via automation Aug 26, 2020
@sbordet sbordet linked a pull request Aug 26, 2020 that will close this issue
Fixes #5204 - SNI does not work with PKIX. #5205
Merged
sbordet added a commit that referenced this issue Aug 27, 2020
@sbordet
Fixes #5204 - SNI does not work with PKIX.
bec2cdb 
Updates after review.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
sbordet added a commit that referenced this issue Sep 2, 2020
@sbordet
Merge pull request #5205 from eclipse/jetty-9.4.x-5204-sni_with_pkix
5a87469 
Fixes #5204 - SNI does not work with PKIX.
@sbordet sbordet closed this as completed in f084f3c Sep 2, 2020
Jetty 9.4.32 automation moved this from To do to Done Sep 2, 2020
@joakime joakime mentioned this issue Mar 5, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sbordet sbordet

Labels
Enhancement High Priority JVM Issue Issue present in a JVM Runtime Sponsored This issue affects a user with a commercial support agreement
Projects
No open projects
Jetty 9.4.32
  
Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fixes #5204 - SNI does not work with PKIX. jetty/jetty.project
1 participant
@sbordet