Issues using certificates with multiple Subject Alternative Names in Jetty
Description
Environment
Windows 2012 R2
Amazon Corretto 11
IdP 4.0.0 MSI Installer managed Jetty
Activity
Rod Widdowson May 23, 2020 at 2:22 PM
Moved the windows 9.4 branch to match latest jetty and latest other changes.
Did a build and test (including SOAP).
Renamed the artefact to make it obvious which version of jetty it is for
Built the artefact and tagged it (with a better name).
Pushed everything.
I think this is now done. Resolving. I'll close later when I'm sure it's done.
Rod Widdowson May 22, 2020 at 8:53 AM
Made and tested changes to the testbed pom to add this as a dependency.
I've made the same change (== cherry-picked the changes) into the windows branch
I've done the review & made the changes required for the jetty update.
A lot of comments in xml files have been mangled in this jetty version so I have mangled our versions as well to make the diffs readable
The only functional change is to add the .Server thing to that context factory.
Not pushing the fix pending further testing (I need to build and test an installer).
Rod Widdowson May 21, 2020 at 2:33 PM
I spotted that as soon as I'd put the comment in. Sorry
Scott Cantor May 21, 2020 at 2:13 PM
We don't really use the SNAPSHOT of this artifact, once it was built, that was what got used. I did the release this morning so it should be a fixed change now.
Rod Widdowson May 21, 2020 at 2:01 PM
We'll also need to crank a "build" of it at some stage - that is unless we want the testbed and all other jetty-base consumers (windows installer and integration test) to be using jetty94-dta-ssl-1.0.1-SNAPSHOT.jar (which I'd sooner avoid for the windows installer, although I can do a build myself if needed)
Upgraded from v3.4.6 to v4.0.0 and the container would bomb out after bringing up the IdP application, during the listener phase of Jetty startup, with the following error:
Exception in thread "main" java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1275)
at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256)
at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
The "frontchannel" certificate on this instance has a Subject Alternative Name (which happens to be www.HOSTNAME, possibly inserted by the Issuing CA).
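The exception above is thrown by the plain org.eclipse.jetty.util.ssl.SslContextFactory base class when it finds more than one host name to serve (a certificate with a SAN in addition to its CN is enough) and has to build an SNI-aware key manager, which only the Server and Client subclasses provide. The change Rod refers to as "add the .Server thing" is the class name on the SSL context factory in the jetty-base XML. The fragment below is an added illustration, not the installer's actual jetty-base file: the file name, keystore path and password property names are assumptions, and the old class name is shown in a comment for comparison.

```xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<!-- Illustrative jetty-base fragment (assumed name: etc/idp-ssl-context.xml).
     Before the fix the factory was declared on the base class, which rejects
     keystores whose certificate covers several host names:

       <Configure id="sslContextFactory"
                  class="org.eclipse.jetty.util.ssl.SslContextFactory">

     Using the Server subclass lets Jetty build its SNI-aware key manager and
     pick the certificate that matches the requested host name. -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
  <!-- Keystore holding the IdP "frontchannel" (browser-facing) certificate;
       path and password properties are assumptions for this example. -->
  <Set name="KeyStorePath"><Property name="jetty.base" default="."/>/credentials/idp-frontchannel.p12</Set>
  <Set name="KeyStorePassword"><Property name="jetty.sslContext.keyStorePassword"/></Set>
  <Set name="KeyStoreType">PKCS12</Set>
  <!-- Same store for the private key; keep the two passwords in sync. -->
  <Set name="KeyManagerPassword"><Property name="jetty.sslContext.keyStorePassword"/></Set>
</Configure>
```

To confirm that a keystore will trigger the SNI path before restarting the container, list it verbosely and look at the SubjectAlternativeName extension: `keytool -list -v -keystore credentials/idp-frontchannel.p12 -storetype PKCS12` prints each DNSName the certificate carries, so any entry beyond the CN (such as www.HOSTNAME here) means the factory must be the $Server variant.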