sslcontext-kickstart: If multiple certificates are configured, the browser cannot obtain the correct certificate after the host address is entered

Hello, I have configured two certificates through your library: the domain name of one certificate is www.gateway.com.cn, and the domain name of the other is www.ingress.com.cn. My code is written like this:

```java
// Imports and the enclosing @Configuration class are not shown in the issue;
// they are added here so the snippet compiles. CustomKeyManager and
// ResourceUtils are the reporter's own classes and are not included.
import java.io.IOException;
import java.io.InputStream;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SupportedCipherSuiteFilter;
import nl.altindag.ssl.SSLFactory;
import nl.altindag.ssl.keymanager.CompositeX509ExtendedKeyManager;
import nl.altindag.ssl.util.PemUtils;
import org.springframework.boot.web.embedded.netty.NettyReactiveWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;

@Configuration
public class SslConfig {

    @Bean
    public WebServerFactoryCustomizer<NettyReactiveWebServerFactory> sslServerConsumer() {
        return factory -> {
            factory.addServerCustomizers(httpServer -> httpServer.secure(sslContextSpec -> {
                try {
                    // First identity: the www.gateway.com.cn certificate and its CA.
                    X509ExtendedKeyManager x509ExtendedKeyManager = PemUtils.loadIdentityMaterial(
                            getResource("classpath:ssl/default/server.pem"),
                            getResource("classpath:ssl/default/server-key.pem"));
                    X509ExtendedTrustManager x509ExtendedTrustManager = PemUtils.loadTrustMaterial(getResource("classpath:ssl/default/ca.pem"));
                    SSLFactory.Builder builder = SSLFactory.builder()
                            .withIdentityMaterial(x509ExtendedKeyManager)
                            .withTrustMaterial(x509ExtendedTrustManager);
                    // Second identity: the www.ingress.com.cn certificate and its CA.
                    loadOtherCertificate(builder);
                    builder.withProtocols("TLSv1.2");
                    SSLFactory sslFactory = builder.build();
                    System.out.println("ssl init success");
                    // The library combines both identities into one CompositeX509ExtendedKeyManager.
                    X509ExtendedKeyManager keyManager = sslFactory.getKeyManager()
                            .orElseThrow(NullPointerException::new);
                    // Hand the key manager to Netty's SslContextBuilder together with the
                    // ciphers, protocols and client-auth mode derived from the SSLFactory.
                    SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(composeKeyManager((CompositeX509ExtendedKeyManager) keyManager))
                            .ciphers(sslFactory.getCiphers(), SupportedCipherSuiteFilter.INSTANCE)
                            .protocols(sslFactory.getProtocols())
                            .clientAuth(getClientAuth(sslFactory.getSslParameters()));
                    sslFactory.getTrustManager().ifPresent(sslContextBuilder::trustManager);
                    sslContextSpec.sslContext(sslContextBuilder);
                } catch (Exception e) {
                    e.printStackTrace();
                }
            }));
        };
    }

    // Wraps the library's composite key manager in the reporter's own CustomKeyManager (not shown).
    private KeyManager composeKeyManager(CompositeX509ExtendedKeyManager keyManager) {
        return new CustomKeyManager(keyManager.getKeyManagers());
    }

    private void loadOtherCertificate(SSLFactory.Builder builder) throws IOException {
        X509ExtendedKeyManager x509ExtendedKeyManager = PemUtils.loadIdentityMaterial(
                getResource("classpath:ssl/ingress/server.pem"),
                getResource("classpath:ssl/ingress/server-key.pem"));
        X509ExtendedTrustManager x509ExtendedTrustManager = PemUtils.loadTrustMaterial(
                getResource("classpath:ssl/ingress/ca.pem"));
        builder.withIdentityMaterial(x509ExtendedKeyManager)
                .withTrustMaterial(x509ExtendedTrustManager);
    }

    // Maps the JSSE client-auth flags onto Netty's ClientAuth enum.
    private static ClientAuth getClientAuth(SSLParameters sslParameters) {
        if (sslParameters.getNeedClientAuth()) {
            return ClientAuth.REQUIRE;
        } else if (sslParameters.getWantClientAuth()) {
            return ClientAuth.OPTIONAL;
        } else {
            return ClientAuth.NONE;
        }
    }

    // ResourceUtils here is the reporter's own helper, not org.springframework.util.ResourceUtils.
    private InputStream getResource(String path) throws IOException {
        Resource resource = ResourceUtils.getResource(path);
        return resource.getInputStream();
    }
}
```

When I enter www.ingress.com.cn in the browser, the console prints www.gateway.com.cn; there is no other way to match the correct certificate, and the certificate displayed in my browser is www.gateway.com.cn. Can you help me?


About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 31 (13 by maintainers)

Most upvoted comments

The return value of ExtendedSSLSession's getRequestedServerNames method contains the domain name of the server that the client is requesting, a feature supported by SSLv3.
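As an added illustration (not code from the issue reporter or from sslcontext-kickstart), a key manager wrapper that applies the hint above: during the handshake it reads the SNI host name from the ExtendedSSLSession and returns the alias whose leaf certificate carries that host as a dNSName SAN, otherwise it falls back to the wrapped key manager. SniKeyManager, its exact-match-only lookup, and the JDK SSL provider (whose SSLEngine exposes an ExtendedSSLSession through getHandshakeSession) are assumptions.

```java
import java.net.Socket;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

/** Hypothetical wrapper: picks the alias whose certificate matches the SNI host the client asked for. */
public class SniKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;
    private final Map<String, String> hostToAlias = new HashMap<>(); // dNSName SAN -> alias
    public SniKeyManager(X509ExtendedKeyManager delegate, String keyType) {
        this.delegate = delegate;
        for (String alias : Optional.ofNullable(delegate.getServerAliases(keyType, null)).orElse(new String[0])) {
            X509Certificate[] chain = delegate.getCertificateChain(alias);
            if (chain != null && chain.length > 0)
                for (String dns : dnsNames(chain[0])) hostToAlias.put(dns.toLowerCase(Locale.ROOT), alias);
        }
    }
    // Exact dNSName entries only; wildcard SANs are not expanded in this illustration.
    private static List<String> dnsNames(X509Certificate cert) {
        List<String> names = new ArrayList<>();
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans != null) for (List<?> san : sans) if (Integer.valueOf(2).equals(san.get(0))) names.add((String) san.get(1));
        } catch (CertificateParsingException ignored) { }
        return names;
    }

    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        SSLSession session = engine.getHandshakeSession(); // JDK provider: an ExtendedSSLSession while handshaking
        if (session instanceof ExtendedSSLSession) {
            for (SNIServerName name : ((ExtendedSSLSession) session).getRequestedServerNames()) {
                if (name instanceof SNIHostName) {
                    String alias = hostToAlias.get(((SNIHostName) name).getAsciiName().toLowerCase(Locale.ROOT));
                    if (alias != null) return alias;
                }
            }
        }
        return delegate.chooseEngineServerAlias(keyType, issuers, engine); // no SNI or no match: default choice
    }

    @Override public String[] getServerAliases(String k, Principal[] i) { return delegate.getServerAliases(k, i); }
    @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return delegate.chooseServerAlias(k, i, s); }
    @Override public String[] getClientAliases(String k, Principal[] i) { return delegate.getClientAliases(k, i); }
    @Override public String chooseClientAlias(String[] k, Principal[] i, Socket s) { return delegate.chooseClientAlias(k, i, s); }
    @Override public String chooseEngineClientAlias(String[] k, Principal[] i, SSLEngine e) { return delegate.chooseEngineClientAlias(k, i, e); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
}
```

Passing `new SniKeyManager(keyManager, "RSA")` to `SslContextBuilder.forServer` instead of the composite key manager itself lets www.ingress.com.cn and www.gateway.com.cn each be answered with their own certificate from one listener.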

Yes, very helpful to me; I just need such a function.

Thank you. I'll take your advice.

Thanks. Because I am still in a meeting, I will pull it down and try it in my local code tomorrow when I have time. If there is any problem, I will continue to give you feedback, and I hope you will not be bothered by my problem.