author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-10-26 17:16:35 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-10-26 17:16:35 +0200 |
commit | 439b1242e595f0cd60ed8f6e1fab48c6bb40fdfa (patch) | |
tree | 53a755e26c45cc62a7dd9137537a74ae8f7f70f9 /container-core | |
parent | b625822c3a6d24c459debbe3c2e5e11372a9ab10 (diff) |
Don't require that SNI hostname must match server certificate
Diffstat (limited to 'container-core')
-rw-r--r-- | container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
index caeaf0bcf0a..4e984d57808 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
@@ -143,7 +143,8 @@ public class ConnectorFactory {
 // TODO Vespa 9 Use default URI compliance (LEGACY == old Jetty 9.4 compliance)
 httpConfig.setUriCompliance(UriCompliance.LEGACY);
 if (isSslEffectivelyEnabled(connectorConfig)) {
- httpConfig.addCustomizer(new SecureRequestCustomizer());
+ // Explicitly disable SNI checking as Jetty's SNI checking trust manager is not part of our SSLContext trust manager chain
+ httpConfig.addCustomizer(new SecureRequestCustomizer(false, false, -1, false));
 }
 String serverNameFallback = connectorConfig.serverName().fallback();
 if (!serverNameFallback.isBlank()) httpConfig.setServerAuthority(new HostPort(serverNameFallback)); |
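Review bot: The four positional arguments in `new SecureRequestCustomizer(false, false, -1, false)` do not show which one turns the check off, and the comment above them gives the reason but not the consequence. In Jetty's four-argument constructor these are sniRequired, sniHostCheck, stsMaxAgeSeconds and stsIncludeSubdomains, so the second `false` is the actual change; with it off, the request's Host/authority is no longer compared with the certificate selected for the connection, and anything later in the request chain that routes or authorizes on server name cannot treat that name as bound to the TLS handshake. I would name the flags, e.g. `boolean sniRequired = false, sniHostCheck = false;` followed by `new SecureRequestCustomizer(sniRequired, sniHostCheck, -1, false)`, and extend the comment with `// Consequence: Host header is not validated against the served certificate; do not rely on it for access decisions`. Whether any filter actually relies on it is not visible here, since the enclosing method starts and ends outside the hunk.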