[WFLY-11003] Add documentation describing how to define an SSLContext for SNI in the WildFly Elytron subsystem. #11659
@@ -1999,6 +1999,41 @@ use custom implementations of the following components: | |||
When creating custom implementations of Elytron components, they must | |||
present the appropriate capabilities and requirements. | |||
|
|||
=== Configuring SNI | |||
|
|||
Using the WildFly Elytron subsystem it is possible to configure an SSL context which supports SNI. By supporting SNI if an SNI host name is available whilst the SSLSession is being negotiation a host specific SSLcontext will be selected. If no host specific SSLContext is identified either because no host name was received or because there is no match a default SSLContext will be used instead. By identifying a host specific SSLContext it means that a certificate appropriate for that host can be used. |
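Review bot: The new paragraph under `=== Configuring SNI` says the default SSLContext is used when "there is no match", but it never says how the received SNI host name is compared with the configured hosts (exact string, case-insensitive, or pattern). That comparison decides which certificate a client is presented with, so state the matching rule in this paragraph. In the same paragraph, "whilst the SSLSession is being negotiation" should read "is being negotiated", and "By supporting SNI if an SNI host name is available" needs a comma after "SNI" to be readable.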
Minor detail but `host specific SSLcontext` should probably be `SSLContext` to match the rest of the case.
also in that same clause...
s/is being negotation/is being negotiated/g
@jamezp Can you please remove the 'rebase-this' label - this one is ready to go in.
… for SNI in the WildFly Elytron subsystem.
I killed the CI jobs since it's only a doc change.
[WFLY-11003] Add documentation describing how to define an SSLContext for SNI in the WildFly Elytron subsystem.
|
||
This example assumes that three SSLContexts have been previously defined following the steps available previously in this document, those contexts are `jboss`, `localhost`, and `wildfly`. | ||
|
||
During negotiation of the SSLSession if the SNI host name received is `localhost` then the `localhost` SSLContext will be used, if the SNI host name is `wildfly.org` then the `wildfly` SSLContext will be used. If no SNI host name is received or if we receive a name that does not match this will fallback and use the `jboss` SSLContext. |
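Review bot: The sentence "if the SNI host name is `wildfly.org` then the `wildfly` SSLContext will be used" reads as an exact host name comparison. If the mapping key is evaluated as a pattern, say so here and show the key with the dot escaped, so readers do not assume that only `wildfly.org` selects that context. Also, "this will fallback" should be "this will fall back", and the first sentence of the hunk uses "previously" twice.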
Actually, as `.` (dot) character in the mapping is used as a reg-exp character, then `wildfly.org` will match e.g.: `wildflyLorg`, `wildflyborg`, etc., see https://issues.jboss.org/browse/WFWIP-102.
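The pattern behaviour described in the comment above, as an added example that is not part of the pull request or of WildFly Elytron's code. The `SniMappingDemo` class, its `select` and `mapping` helpers, the `example.test` host and the whole-name matching rule are assumptions made for illustration; the context names and host names come from the documented example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Hypothetical selector, not Elytron's implementation: each mapping key is compiled
// as a regular expression and must match the whole SNI host name (an assumption).
public class SniMappingDemo {

    // Returns the name of the SSLContext chosen for the given SNI host name.
    static String select(Map<Pattern, String> mapping, String sniHost, String defaultContext) {
        if (sniHost != null) {
            for (Map.Entry<Pattern, String> e : mapping.entrySet()) {
                if (e.getKey().matcher(sniHost).matches()) {
                    return e.getValue();
                }
            }
        }
        return defaultContext; // no host name received, or no pattern matched
    }

    // Builds the mapping from the documented example, varying only the wildfly key.
    static Map<Pattern, String> mapping(String wildflyKey) {
        Map<Pattern, String> m = new LinkedHashMap<>();
        m.put(Pattern.compile("localhost"), "localhost");
        m.put(Pattern.compile(wildflyKey), "wildfly");
        return m;
    }

    public static void main(String[] args) {
        Map<Pattern, String> unescaped = mapping("wildfly.org");   // '.' matches any character
        Map<Pattern, String> escaped = mapping("wildfly\\.org");   // '.' matches a literal dot
        Map<Pattern, String> quoted = mapping(Pattern.quote("wildfly.org")); // whole key literal

        // Constructed sample host names; null stands for "no SNI extension received".
        String[] hosts = { "localhost", "wildfly.org", "wildflyLorg", "wildflyborg", "example.test", null };

        System.out.printf("%-14s %-10s %-10s %-10s%n", "SNI host", "unescaped", "escaped", "quoted");
        for (String h : hosts) {
            System.out.printf("%-14s %-10s %-10s %-10s%n", h,
                    select(unescaped, h, "jboss"),
                    select(escaped, h, "jboss"),
                    select(quoted, h, "jboss"));
        }
    }
}
```

With the unescaped key, `wildflyLorg` and `wildflyborg` select the `wildfly` context; with the escaped or quoted key they fall through to the `jboss` default.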
Thanks for submitting your Pull Request!
Please make sure your PR meets the following requirements:
[WFLY-XYZ] Subject or WFLY-XYZ Subject
https://issues.jboss.org/browse/WFLY-11003
This pull request is adding documentation for the SNI support added under PR: -
wildfly/wildfly-core#3513
For bigger changes, major and minor component upgrades make sure your PR also meets following requirements:
For new features ensure as well:
If you are not an active contributor of the WildFly project you can request sponsorship by one of the members to help guide you through the process.