Wildfly and SNI
amadets Jul 15, 2019 5:33 AM
Hi,
I was looking for a solution on the #wildfly-user chat but found nothing. I will try here. I read that WildFly 15 and above support SSL SNI certificates. I read the documentation (chapters on how to configure Elytron and SNI) and the forum but I can't find a solution.
I am trying to configure my 2 applications to use the same https port and 2 virtual hosts but different SSL certificates.
Step 1:
Locally, I register in my hosts file:
127.0.0.1 app1.com
127.0.0.1 app2.com
Step 2:
The 1st has a jboss-web.xml:
<jboss-web>
    <context-root>/app1</context-root>
    <virtual-host>app1</virtual-host>
</jboss-web>
and the 2nd:
<jboss-web>
    <context-root>/app2</context-root>
    <virtual-host>app2</virtual-host>
</jboss-web>
Step 3:
In default-server in standalone.xml I defined:
<host name="app1" alias="app1.com" default-web-module="app1.war"/>
<host name="app2" alias="app2.com" default-web-module="app2.war"/>
Step 4:
Open a web browser and type:
app1.com -> returns data from app1
app2.com -> returns data from app2
and all is correct. With an SSL self-signed certificate also all is ok. And the certificate is the same for both.
Step 5:
Enable elytron:
<https-listener name="https" socket-binding="https" ssl-context="httpsSSC1" enable-http2="true"/>
Step 6:
Generate two keystores with self-signed certificates and aliases: app1.com and app2.com
Step 7:
Configure Elytron:
<subsystem xmlns="urn:wildfly:elytron:5.0" ... ...
    <tls>
        <key-stores>
            <key-store name="httpsKS1">
                <credential-reference clear-text="password"/>
                <implementation type="JKS"/>
                <file path="application1.keystore" relative-to="jboss.server.config.dir"/>
            </key-store>
            <key-store name="httpsKS2">
                <credential-reference clear-text="password"/>
                <implementation type="JKS"/>
                <file path="application2.keystore" relative-to="jboss.server.config.dir"/>
            </key-store>
        </key-stores>
        <key-managers>
            <key-manager name="httpsKM1" key-store="httpsKS1">
                <credential-reference clear-text="password"/>
            </key-manager>
            <key-manager name="httpsKM2" key-store="httpsKS2">
                <credential-reference clear-text="password"/>
            </key-manager>
        </key-managers>
        <server-ssl-contexts>
            <server-ssl-context name="httpsSSC1" protocols="TLSv1.2" key-manager="httpsKM1"/>
            <server-ssl-context name="httpsSSC2" protocols="TLSv1.2" key-manager="httpsKM2"/>
        </server-ssl-contexts>
        <server-ssl-sni-contexts>
            <server-ssl-sni-context name="symbolicName" default-ssl-context="httpsSSC1">
                <sni-mapping host="app1.com" ssl-context="httpsSSC1"/>
                <sni-mapping host="app2.com" ssl-context="httpsSSC2"/>
            </server-ssl-sni-context>
        </server-ssl-sni-contexts>
    </tls>
</subsystem>
Step 8:
Start the server, everything is ok, open a web browser and type:
app1.com -> returns data from app1
app2.com -> returns data from app2
but the certificate is always from the 1st keystore (exactly the keystore marked as default-ssl-context).
I tested the solution on WildFly 15.0.0 and 17.0.1.
Why? What's wrong? Could you help me?
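An added check, not part of the original post and not WildFly's own tooling: in Elytron the sni-mapping entries are only consulted when the Undertow https-listener's ssl-context attribute names the server-ssl-sni-context itself (symbolicName in the post); a listener that names a plain server-ssl-context serves that one certificate to every client whatever SNI name they send. The script below parses a constructed standalone.xml fragment mirroring the post's configuration, flags an https-listener that references a plain context directly, shows the rewrite, and models which context a given client SNI name would select. The fragment, the undertow namespace string, the omission of key-stores and key-managers, and the full-regular-expression matching of sni-mapping host patterns are assumptions made for this example.

```python
"""Static check for the WildFly/Elytron SNI wiring discussed in the post.

Parses a standalone.xml fragment, flags https-listeners whose ssl-context
bypasses the server-ssl-sni-context, and models SNI context selection.
"""
import re
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the post's configuration. The undertow
# namespace version is an assumption (it varies by WildFly release); the
# key-store and key-manager elements are omitted because the check ignores them.
POSTED_CONFIG = """<server>
  <profile>
    <subsystem xmlns="urn:wildfly:elytron:5.0">
      <tls>
        <server-ssl-contexts>
          <server-ssl-context name="httpsSSC1" protocols="TLSv1.2" key-manager="httpsKM1"/>
          <server-ssl-context name="httpsSSC2" protocols="TLSv1.2" key-manager="httpsKM2"/>
        </server-ssl-contexts>
        <server-ssl-sni-contexts>
          <server-ssl-sni-context name="symbolicName" default-ssl-context="httpsSSC1">
            <sni-mapping host="app1.com" ssl-context="httpsSSC1"/>
            <sni-mapping host="app2.com" ssl-context="httpsSSC2"/>
          </server-ssl-sni-context>
        </server-ssl-sni-contexts>
      </tls>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:undertow:8.0">
      <server name="default-server">
        <https-listener name="https" socket-binding="https" ssl-context="httpsSSC1" enable-http2="true"/>
      </server>
    </subsystem>
  </profile>
</server>"""


def _local(tag):
    """Strip the {namespace} prefix so the check works across schema versions."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, local_name):
    return [el for el in root.iter() if _local(el.tag) == local_name]


def sni_contexts(root):
    """name -> (default ssl-context, [(host pattern, ssl-context), ...])."""
    result = {}
    for ctx in _find_all(root, "server-ssl-sni-context"):
        mappings = [(m.get("host"), m.get("ssl-context")) for m in _find_all(ctx, "sni-mapping")]
        result[ctx.get("name")] = (ctx.get("default-ssl-context"), mappings)
    return result


def find_misconfigured_listeners(xml_text):
    """Return (listener, referenced context, sni context it should reference)
    for every https-listener whose ssl-context is a plain server-ssl-context
    that an SNI context already wraps, i.e. the mappings are never consulted."""
    root = ET.fromstring(xml_text)
    snis = sni_contexts(root)
    plain = {c.get("name") for c in _find_all(root, "server-ssl-context")}
    findings = []
    for lst in _find_all(root, "https-listener"):
        ref = lst.get("ssl-context")
        if ref in snis or ref not in plain:
            continue  # listener consults SNI (or references something this check does not model)
        for sni_name, (default, mappings) in snis.items():
            if ref == default or any(ref == ctx for _, ctx in mappings):
                findings.append((lst.get("name"), ref, sni_name))
                break
    return findings


def context_for_sni(xml_text, sni_context, server_name):
    """Model which server-ssl-context the SNI context selects for a client
    sending `server_name`: first host pattern that fully matches (assumed to be
    a regular expression here), otherwise the default-ssl-context."""
    default, mappings = sni_contexts(ET.fromstring(xml_text))[sni_context]
    for host, ctx in mappings:
        if re.fullmatch(host, server_name):
            return ctx
    return default


def point_listener_at_sni(xml_text, sni_context, listener="https"):
    """Return the configuration with the named https-listener rewritten to
    reference the SNI context instead of a single server-ssl-context."""
    root = ET.fromstring(xml_text)
    for lst in _find_all(root, "https-listener"):
        if lst.get("name") == listener:
            lst.set("ssl-context", sni_context)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, ref, sni in find_misconfigured_listeners(POSTED_CONFIG):
        print(f"https-listener {name!r} references {ref!r} directly; point it at {sni!r}")
    fixed = point_listener_at_sni(POSTED_CONFIG, "symbolicName")
    print("findings after rewrite:", find_misconfigured_listeners(fixed))
    for host in ("app1.com", "app2.com", "other.example"):
        print(host, "->", context_for_sni(POSTED_CONFIG, "symbolicName", host))
```

The rewrite the script performs is the same change the CLI makes with `/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=symbolicName)` followed by a reload; after it, a client that sends app2.com as its SNI name receives the certificate from application2.keystore, and any name without a mapping falls back to the default-ssl-context.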