Netty custom SSL certificates support based on sub-domain


aruld...@gmail.com

Dec 31, 2013, 4:04:28 AM
to ne...@googlegroups.com
Hi,

I have a requirement to serve a custom SSL certificate based on the sub-domain the request originates from. For example, when a user accesses https://client1.example.com, I will have to serve the web page with client1's certificates from a Java Key Store. I am planning to store the server alias (ex: client1) with a Key Pair that has an X509 key and certificate in the key store. Certificates would be loaded into the key store and accessed in a thread-safe manner. I am using Play framework 1.2.7, which uses Netty 3.4.2. Play implements this in Netty's ChannelPipelineFactory and delegates it to Netty's SslHandler. Would it be possible to implement this in Netty by having an SSLEngine per sub-domain?

Appreciate any suggestions. Is there commercial support for Netty? I am interested in exploring that option as well.

Thanks!
Arul

Norman Maurer

Jan 1, 2014, 5:20:11 AM
to ne...@googlegroups.com
I may be wrong, but as far as I know you need one certificate per dedicated IP address. So if you need to use multiple certificates you need to serve from different IPs.
--
 
---
You received this message because you are subscribed to the Google Groups "Netty discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to netty+un...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

aruld...@gmail.com

Jan 1, 2014, 5:34:32 AM
to ne...@googlegroups.com, norman...@googlemail.com
Thanks Norman.

Yes, that is an option, but we would like to implement this on the server side, if possible. The other option is to implement SNI on the server side. But this is supported only in JDK 8.

- Arul

Graham Edgecombe

Jan 1, 2014, 7:21:57 AM
to ne...@googlegroups.com
Hi Arul,

Java 8 has server-side SNI support which you can use to do this
without one IP per certificate. Most web browsers support SNI; the
notable exceptions are IE running on Windows XP and some old versions
of Android, but usage of these is declining.

I've thrown together a minimal example of how to do it on GitHub:
https://github.com/grahamedgecombe/netty-sni-example

It works by creating a custom KeyManager implementation, which
forwards most of the method calls onto Java's default KeyManager
implementation (which in turn reads the certificates/keys from the JKS
file). However, it overrides the chooseEngineServerAlias() function
and adds logic to choose the certificate alias to use based on the
hostname requested via SNI:

https://github.com/grahamedgecombe/netty-sni-example/blob/master/src/main/java/SniKeyManager.java#L41

Graham
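To make the approach Graham describes concrete, here is an added example of such a KeyManager (my own illustration, not the code from the linked repository or from Netty/Play). It assumes Java 8 (for ExtendedSSLSession.getRequestedServerNames()), that every key-store alias is the lower-cased host name it serves (e.g. alias "client1.example.com"), and that a separate alias, here called "default", holds the fallback certificate for clients that send no SNI or an unknown name; the class and method names are mine.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Locale;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.StandardConstants;
import javax.net.ssl.X509ExtendedKeyManager;

/**
 * Picks the server certificate by the SNI host name the client sent and
 * otherwise falls back to a fixed default alias. Everything except the
 * alias choice is delegated to the JDK's own key manager for the JKS file.
 * Assumption (example-specific): key-store aliases equal the host names they serve.
 */
public final class SniKeyManager extends X509ExtendedKeyManager {

    private final X509ExtendedKeyManager delegate;
    private final String defaultAlias;

    public SniKeyManager(X509ExtendedKeyManager delegate, String defaultAlias) {
        this.delegate = delegate;
        this.defaultAlias = defaultAlias;
    }

    /** Wrap the JDK key manager that reads keys/chains from the given key store. */
    public static SniKeyManager fromKeyStore(KeyStore ks, char[] keyPassword, String defaultAlias)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509ExtendedKeyManager) {
                return new SniKeyManager((X509ExtendedKeyManager) km, defaultAlias);
            }
        }
        throw new IllegalStateException("no X509ExtendedKeyManager available");
    }

    /** JSSE calls this during the server handshake on the SSLEngine path Netty uses. */
    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        String host = requestedHostName(engine);
        // The SNI value is client-controlled: use it only as a lookup key, and only
        // honour it when we really hold a key AND a chain under that alias.
        // Unknown names and clients without SNI (old IE/Android) get the default cert.
        if (host != null
                && delegate.getPrivateKey(host) != null
                && delegate.getCertificateChain(host) != null) {
            return host;
        }
        return defaultAlias;
    }

    /** Extract the RFC 6066 host_name from the in-progress handshake, or null if absent. */
    static String requestedHostName(SSLEngine engine) {
        SSLSession session = engine.getHandshakeSession();
        if (!(session instanceof ExtendedSSLSession)) {
            return null; // pre-Java-8 provider or no handshake in progress
        }
        for (SNIServerName name : ((ExtendedSSLSession) session).getRequestedServerNames()) {
            if (name.getType() == StandardConstants.SNI_HOST_NAME) {
                // SNIHostName has already validated the syntax; normalise case to match aliases.
                return ((SNIHostName) name).getAsciiName().toLowerCase(Locale.ROOT);
            }
        }
        return null;
    }

    // Plain delegation for every other KeyManager method.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return delegate.chooseClientAlias(keyType, issuers, socket); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
    @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) { return delegate.chooseEngineClientAlias(keyType, issuers, engine); }

    /** One SSLContext for all hosts; Netty's SslHandler wraps context.createSSLEngine(). */
    public static SSLContext serverContext(SniKeyManager km) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { km }, null, null);
        return ctx;
    }
}
```

Because the certificate choice happens inside the key manager, a single SSLContext and a single SslHandler per connection suffice; there is no need for one SSLEngine per sub-domain. In a Netty 3.x pipeline you would call serverContext(km).createSSLEngine(), set engine.setUseClientMode(false), and add new SslHandler(engine) as the first handler. The explicit key-and-chain check before returning the SNI alias is what keeps a request for a name you do not host from failing the handshake outright: it degrades to the default certificate, which the client then rejects or accepts on its own terms.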