Skip to content

FELIX-6846 Add SNI configuration support for Jetty 12#522

Merged
paulrutter merged 9 commits into
masterfrom
feature/FELIX-6846-jetty12-sni-support
Jul 14, 2026
Merged

FELIX-6846 Add SNI configuration support for Jetty 12#522
paulrutter merged 9 commits into
masterfrom
feature/FELIX-6846-jetty12-sni-support

Conversation

@paulrutter

Copy link
Copy Markdown
Contributor
  • Add three new config properties: org.apache.felix.https.sslContext.sniRequired (TLS level, default false) org.apache.felix.https.ssl.sniRequired (HTTP level, default false) org.apache.felix.https.ssl.sniHostCheck (HTTP level, default true)
  • Wire sslContext.sniRequired into SslContextFactory.Server.setSniRequired()
  • Wire ssl.sniRequired and ssl.sniHostCheck into SecureRequestCustomizer
  • Register all three in ConfigMetaTypeProvider
  • Document all three in http/README.md

paulrutter and others added 5 commits June 24, 2026 23:08
- Add three new config properties:
  org.apache.felix.https.sslContext.sniRequired (TLS level, default false)
  org.apache.felix.https.ssl.sniRequired (HTTP level, default false)
  org.apache.felix.https.ssl.sniHostCheck (HTTP level, default true)
- Wire sslContext.sniRequired into SslContextFactory.Server.setSniRequired()
- Wire ssl.sniRequired and ssl.sniHostCheck into SecureRequestCustomizer
- Register all three in ConfigMetaTypeProvider
- Document all three in http/README.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- JettySniIT verifies org.apache.felix.https.ssl.sniRequired=true:
  hostname connections send SNI and receive 200 OK,
  IP address connections omit SNI (RFC 6066) and receive 400 Bad Request
- Add SNI property table to http/jetty12/README

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Regenerate test-keystore.p12 with SAN (dns:localhost, ip:127.0.0.1)
  so Jetty's sniHostCheck can validate the certificate properly
- JettySniIT: disable sniHostCheck to isolate sniRequired behaviour;
  hostname connection (SNI sent) -> 200, IP connection (no SNI) -> 400
- JettySniHostCheckIT: tests sniHostCheck=true (default);
  matching Host header -> 200, mismatched Host header -> 400

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The OpenJDK TLS stack does not send SNI for non-domain names such as
"localhost", so the previous JettySniIT hostname case never sent SNI and
was rejected. Use Jetty's NON_DOMAIN_SNI_PROVIDER to force SNI when a
positive (SNI present) result is expected.

- JettySniIT (org.apache.felix.https.ssl.sniRequired, HTTP level):
  SNI sent -> 200, no SNI -> 400 Bad Request
- JettySniContextRequiredIT (org.apache.felix.https.sslContext.sniRequired,
  TLS level): SNI sent -> 200, no SNI -> TLS handshake failure

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Enabling HTTPS via ConfigAdmin happens after initial startup and restarts
Jetty, briefly unregistering the HttpService. Reading the secure port from
the service reference could hit a null reference (NPE). Await the service
with Awaitility before reading the port in all three SNI integration tests.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@paulrutter paulrutter marked this pull request as ready for review June 25, 2026 05:55
@paulrutter paulrutter requested a review from cziegeler June 25, 2026 05:55
paulrutter and others added 3 commits June 25, 2026 09:06
This existing property (default false) was missing from the properties
table. When true, the server waits for a Configuration Admin configuration
before starting instead of starting immediately.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The SNI properties are already documented in the main http/README.md
properties table; the jetty12 README addition was unnecessary.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@paulrutter

Copy link
Copy Markdown
Contributor Author

@cziegeler any feedback on the new Felix properties?

@cziegeler

Copy link
Copy Markdown
Contributor

Sorry for the late response, I guess we do not really have consistency across property names. However, the new ones have "require.config" but then "sniRequired" - so maybe we should at least align these, maybe "config.required" and "sni.required"

@paulrutter

Copy link
Copy Markdown
Contributor Author

Thanks Carsten, agreed on aligning the new ones.

Since org.apache.felix.http.require.config already exists and can't change for backward compatibility, I'd align the new SNI properties to your sni.required form and group all three under a common sni. segment, keeping Jetty's own sslContext/ssl distinction for the TLS vs. HTTP level:

  • org.apache.felix.https.sslContext.sni.required (TLS level)
  • org.apache.felix.https.ssl.sni.required (HTTP level)
  • org.apache.felix.https.ssl.sni.hostCheck

This keeps the three SNI properties consistent with each other (the host-check flag isn't a "require", so it fits the sni.* grouping better than a require.* form). Does that work for you? If so, I'll update the PR.

@cziegeler

Copy link
Copy Markdown
Contributor

yes, makes sense. thanks!

Per review feedback, rename the new SNI properties for consistency:
- org.apache.felix.https.sslContext.sniRequired -> sslContext.sni.required
- org.apache.felix.https.ssl.sniRequired        -> ssl.sni.required
- org.apache.felix.https.ssl.sniHostCheck       -> ssl.sni.hostCheck

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@paulrutter paulrutter merged commit 88d5e0c into master Jul 14, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants