authorBjørn Christian Seime <bjorncs@yahooinc.com>2022-10-26 17:16:35 +0200
committerBjørn Christian Seime <bjorncs@yahooinc.com>2022-10-26 17:16:35 +0200
commit439b1242e595f0cd60ed8f6e1fab48c6bb40fdfa (patch)
tree53a755e26c45cc62a7dd9137537a74ae8f7f70f9 /container-core
parentb625822c3a6d24c459debbe3c2e5e11372a9ab10 (diff)
Don't require that SNI hostname must match server certificate
Diffstat (limited to 'container-core')
-rw-r--r--container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java3
1 files changed, 2 insertions, 1 deletions
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
index caeaf0bcf0a..4e984d57808 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
@@ -143,7 +143,8 @@ public class ConnectorFactory {
// TODO Vespa 9 Use default URI compliance (LEGACY == old Jetty 9.4 compliance)
httpConfig.setUriCompliance(UriCompliance.LEGACY);
if (isSslEffectivelyEnabled(connectorConfig)) {
- httpConfig.addCustomizer(new SecureRequestCustomizer());
+ // Explicitly disable SNI checking as Jetty's SNI checking trust manager is not part of our SSLContext trust manager chain
+ httpConfig.addCustomizer(new SecureRequestCustomizer(false, false, -1, false));
}
String serverNameFallback = connectorConfig.serverName().fallback();
if (!serverNameFallback.isBlank()) httpConfig.setServerAuthority(new HostPort(serverNameFallback));
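Review bot: The four positional literals in `new SecureRequestCustomizer(false, false, -1, false)` hide which setting is being changed. As far as I know only the second argument (sniHostCheck) differs from Jetty's defaults, so `var customizer = new SecureRequestCustomizer(); customizer.setSniHostCheck(false); httpConfig.addCustomizer(customizer);` would state the intent without pinning the sniRequired and HSTS values. With the host check off, Jetty no longer rejects a request whose Host authority does not match the certificate presented on the connection, so the comment should also record the consequence, for example `// Host/SNI vs. certificate mismatch is no longer rejected here; do not base routing or access decisions on the Host header alone`. The enclosing method starts and ends outside this hunk, so whether the authority is validated elsewhere cannot be confirmed from these lines.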