
Docs for SNI support


Brad Wood

Jul 22, 2022, 8:20:26 PM
to Undertow Dev
Are there any docs or examples or explanations for how to use SNI with Undertow?  I've spent some time Googling and the only hits I can find are Stack Overflow questions pointing to the Red Hat JIRA and the JIRA ticket to add support.


However, the JIRA ticket has no information whatsoever on what was implemented or how to use it, other than Stuart saying

> There is now built-in support for this via io.undertow.protocols.ssl.SNISSLContext

The rest of the conversation appears to be unrelated to what was actually implemented.  I've read all the Javadocs and source code and there are no comments and no explanations anywhere.  I've looked at the one unit test that uses SNI and it's not clear what it's doing, there are no comments, and it doesn't even seem to be using more than one domain, so it's not even a useful example!

It would appear, at some high level, that I'm supposed to be using SNIContextMatcher.Builder() to create an SNIContextMatcher instance, but it's not clear if every domain must have a totally separate SSLContext instance that has a keystore with only a single cert, or if they can all share the same SSLContext so long as that context contains all the needed certs inside of its keystore.

Can I get some clarification please?

Brad Wood

Aug 8, 2022, 1:14:09 PM
to Undertow Dev
Any input on this question?

Flavia Rainone

Aug 10, 2022, 2:15:50 AM
to Undertow Dev
Hi Brad!

In fact, we don't have any docs on this.

The usage is still pretty straightforward: you need to create an SNISSLContext, and for that, you are right, you need your SNIContextMatcher:

```java
import io.undertow.protocols.ssl.SNIContextMatcher;
import io.undertow.protocols.ssl.SNISSLContext;

SNIContextMatcher matcher = new SNIContextMatcher.Builder()
        // include here all the configuration you need for SNI, pointing SNI server names to SSL contexts and/or defining a default SSLContext
        .build();
SNISSLContext sslContext = new SNISSLContext(matcher);
```

Once you've done the above, you can use the SSL context in your HTTPS listener configuration in the same way you would use a standard SSLContext.

I expect that the context could be shared across domains. AFAIK, given the way things are wired internally, you should not have any problem with that, but let me know if you run into any issues.

Best regards,
Flavia

Brad Wood

Aug 10, 2022, 9:56:09 AM
to Flavia Rainone, Undertow Dev
Are you saying that if I create a single keystore with N server cert public/private key pairs and then create a single SSL context from that keystore, and I re-use that same SSL context for N domains in the matcher, Undertow will dig through the keystore and find the correct cert to use based on the incoming hostname requesting SSL negotiation?  And all this, of course, would need to take into account the CN and SANs of each cert.

That's my understanding of SNI, but I couldn't find any code anywhere in Undertow actually introspecting the certs, so I'm not convinced that's what happens.  If I'm required to manually parse through the certs and figure out which certs correspond to which domains, and then create N SSL contexts containing N keystores (each with a single server cert), that makes my implementation requirements completely different.

Thanks!

~Brad

Developer Advocate
Ortus Solutions, Corp 

ColdBox Platform: http://www.coldbox.org 




Brad Wood

Aug 31, 2022, 1:49:50 PM
to Undertow Dev
Did you see my follow-up question here?  I'm trying to nail down the expected behavior at least before I spend any further development efforts testing this.

Flavia Rainone

Sep 5, 2022, 1:15:42 PM
to Undertow Dev
Hi Brad,

Sorry for the delay! We've been busy with some tasks related to WF and I haven't been around during the majority of the previous week, which made my response even more delayed.

The SNIContextMatcher class is the one responsible for matching SSLContexts with server names. So, you need multiple SSLContexts, one per server name. You need to add each server name/SSL context pair to the SNIContextMatcher, linking the server name to the SSLContext that you want used for that particular server name. You can also, alternatively, use a wildcard as the server name in case you have a single SSLContext shared by more than one domain. And you can also set a default SSL context, which will be used whenever the server name in the SNI handshake does not match any of the server names you added to the matcher.

It is the resulting SNISSLContext that can be shared across the multiple domains in Undertow, because the code will be able to do the matching of the server name whenever a new SSL connection to the server is opened by a client.

I hope that clarifies your question, but let me know if you have more questions about this :-)

Brad Wood

Sep 5, 2022, 2:16:22 PM
to Flavia Rainone, Undertow Dev
Thank you for the clarification.  It does make sense, but it isn't what I was hoping to hear, lol.  Based on the comment thread of the ticket, there was discussion of having a single keystore full of certs and then looping over them to pull out the host names from each and then building out the SSL Contexts automatically which would make configuration much easier.  From what I understand now, Undertow did not implement any of that, and it will be my responsibility to have the users of my tool explicitly tell me which cert, key, passphrase combo goes with each host name so I can build out each SSLContext.

Thanks!

~Brad

Developer Advocate
Ortus Solutions, Corp 

ColdBox Platform: http://www.coldbox.org 
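Added example (not code from the thread or from the Undertow project): it puts Flavia's description of SNIContextMatcher (one SSLContext per server name, a wildcard entry, a default context, the SNISSLContext used like a plain SSLContext) together with the glue Brad describes having to write himself, namely walking a single keystore, reading each certificate's SAN DNS names (CN as fallback), and building a separate single-entry SSLContext per key entry. Assumptions are labelled in the code: the class name SniServerExample, the 8443 port and keystore path are illustrative; `SNIContextMatcher.Builder.addMatch(String, SSLContext)` and `setDefaultContext(SSLContext)` are taken to be the builder methods Flavia refers to, and a name starting with `*.` is assumed to register a wildcard match; all key entries are assumed to share the keystore password, as is usual for PKCS12.

```java
import io.undertow.Undertow;
import io.undertow.protocols.ssl.SNIContextMatcher;
import io.undertow.protocols.ssl.SNISSLContext;

import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

/** Illustrative class name. One SSLContext per key entry of a single keystore, mapped by SNI name. */
public final class SniServerExample {

    /** An SSLContext that can present only the given alias (private key + chain) from the source keystore. */
    static SSLContext contextForAlias(KeyStore source, String alias, char[] keyPassword) throws Exception {
        KeyStore single = KeyStore.getInstance(KeyStore.getDefaultType());
        single.load(null, null);                                  // start from an empty keystore
        Key key = source.getKey(alias, keyPassword);
        Certificate[] chain = source.getCertificateChain(alias);
        single.setKeyEntry(alias, key, keyPassword, chain);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(single, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);               // server-side only, default trust managers
        return ctx;
    }

    /** DNS names the leaf certificate is valid for: SAN dNSName entries, subject CN only as a fallback. */
    static Set<String> dnsNamesOf(X509Certificate cert) throws Exception {
        Set<String> names = new LinkedHashSet<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0))) {      // GeneralName type 2 == dNSName (RFC 5280)
                    names.add(((String) san.get(1)).toLowerCase(Locale.ROOT));
                }
            }
        }
        if (names.isEmpty()) {                                    // legacy cert without SAN: CN is all we have
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    names.add(rdn.getValue().toString().toLowerCase(Locale.ROOT));
                }
            }
        }
        return names;
    }

    /** Registers every name of every key entry with its own SSLContext; the first entry becomes the default. */
    static SNISSLContext buildSniContext(KeyStore ks, char[] keyPassword) throws Exception {
        SNIContextMatcher.Builder builder = new SNIContextMatcher.Builder();
        SSLContext defaultCtx = null;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue;                                         // trusted-cert-only entries cannot serve TLS
            }
            X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);
            SSLContext ctx = contextForAlias(ks, alias, keyPassword);
            for (String name : dnsNamesOf(leaf)) {
                builder.addMatch(name, ctx);   // assumed builder method; "*.example.com" assumed to be a wildcard
            }
            if (defaultCtx == null) {
                defaultCtx = ctx;
            }
        }
        if (defaultCtx == null) {
            throw new IllegalStateException("keystore contains no private-key entries");
        }
        // Presented to clients that send no SNI name or a name nothing matched: pick this deliberately.
        builder.setDefaultContext(defaultCtx);                    // assumed builder method
        return new SNISSLContext(builder.build());
    }

    public static void main(String[] args) throws Exception {
        // Usage: java SniServerExample /path/to/all-hosts.p12 <password>   (illustrative arguments)
        char[] password = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        SNISSLContext sni = buildSniContext(ks, password);

        Undertow server = Undertow.builder()
                .addHttpsListener(8443, "0.0.0.0", sni)           // used exactly like a plain SSLContext
                .setHandler(exchange -> exchange.getResponseSender()
                        .send("served for " + exchange.getHostName() + "\n"))
                .build();
        server.start();
    }
}
```

Two points worth checking on a real deployment. First, the default context is security-relevant: a client that sends no SNI extension, or a name you did not register, is shown that certificate, so choose it explicitly rather than taking whichever alias the keystore enumerates first as this example does. Second, a quick end-to-end check is `openssl s_client -connect 127.0.0.1:8443 -servername a.example.com` for each registered name, then once more with a name you never registered, confirming that the CN/SAN in the presented certificate changes with the `-servername` value and falls back to the default otherwise.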

