Using simple java HttpsServer listening on multiple interfaces with individual certificates per interface
I need a simple, embedded HTTPS server (preferably com.sun.net.httpserver.HttpsServer) that listens on multiple interfaces and uses the correct certificate per interface.

Luckily, the IP of each interface corresponds to a unique DNS name. In other words, a DNS reverse lookup returns the correct CN for the certificate to be used, and SNI (Server Name Indication) is not required.

In the first step, I followed this answer to include the HTTPS server in my application. My certificates are signed using a chain of two intermediate CAs and a final root CA. E.g. the chain of trust looks like

certForInterfaceA --\
                     +-- intermediateCA1 -- intermediateCA2 -- rootCA
certForInterfaceB --/

Everything works fine if I modify my code such that the HTTPS server only listens on a specific interface and if I exclusively put the corresponding certificate (together with its private key and the chain) into the keystore as a single PrivateKey entry.

I hoped that everything would still work if the HTTPS server listened on the wildcard address and if the keystore had two PrivateKey entries, one for each interface. I hoped that the Java library would figure out by itself which certificate is the correct one to send back to the client, depending on the request.

Unfortunately, tests show unreliable and unpredictable behavior. It seems as if the library picks one of the keys randomly. E.g. I get a certificate error due to a name mismatch in half of the cases.

I tried to look at the Java Reference for javax.net.ssl and at the Java Security Guide to figure out what I might be missing. I thought there should be a way to hook into the library to provide the correct key while the SSL session is being established. But I was lost. I did not even understand how the individual classes (HttpsServer, SSLContext, SSLSession, TrustManager, KeyManager) interact with each other and what the correct place is to select the correct certificate depending on the request. The whole doc is in this kind of "get-a-factory-for-a-provider-that-gives-you-a-strategy-for-a-factory-for-your-object" style that I do not get.
      java ssl https ssl-certificate keystore
      asked Nov 13 '18 at 12:25
      user2690527
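The hook the question is looking for is X509ExtendedKeyManager: when HttpsServer runs a handshake, JSSE asks the key manager's chooseEngineServerAlias for the alias to serve, and the default manager simply returns the first entry that fits the requested key type, which is why a keystore with two entries behaves unpredictably. The added example below (written for this page, not code from the question's author or from the JDK) pins the choice instead: it wraps the default key manager in one that serves exactly one alias, builds one SSLContext per interface, and binds a separate HttpsServer to each interface address so the certificate can never be mixed up across interfaces. Everything concrete in it is an assumption for illustration: the keystore file server.p12 and its password, the addresses 192.0.2.10 and 192.0.2.20, the aliases iface-a and iface-b, port 8443, and the class names FixedAliasKeyManager and MultiInterfaceHttpsServer.

```java
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsServer;
import java.io.FileInputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

/** Wraps the JSSE default key manager and serves exactly one alias (hypothetical helper). */
final class FixedAliasKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;
    private final String alias;

    FixedAliasKeyManager(X509ExtendedKeyManager delegate, String alias) {
        // Fail fast at startup instead of failing handshakes later.
        if (delegate.getCertificateChain(alias) == null || delegate.getPrivateKey(alias) == null) {
            throw new IllegalArgumentException("keystore has no PrivateKey entry for alias " + alias);
        }
        this.delegate = delegate;
        this.alias = alias;
    }

    // Hand out the pinned alias only if the delegate considers it usable for the requested
    // key type (RSA, EC, ...), so a cipher suite is never paired with a certificate of the wrong type.
    private String pinned(String keyType, Principal[] issuers) {
        String[] usable = delegate.getServerAliases(keyType, issuers);
        return usable != null && Arrays.stream(usable).anyMatch(alias::equalsIgnoreCase) ? alias : null;
    }

    // HttpsServer drives TLS through an SSLEngine, so this is the method that actually runs.
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        return pinned(keyType, issuers);
    }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return pinned(keyType, issuers);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        String a = pinned(keyType, issuers);
        return a == null ? null : new String[] { a };
    }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    // Client-side selection is not used by a server; pass it through unchanged.
    @Override public String[] getClientAliases(String t, Principal[] i) { return delegate.getClientAliases(t, i); }
    @Override public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return delegate.chooseClientAlias(t, i, s); }
    @Override public String chooseEngineClientAlias(String[] t, Principal[] i, SSLEngine e) { return delegate.chooseEngineClientAlias(t, i, e); }
}

public final class MultiInterfaceHttpsServer {
    public static void main(String[] args) throws Exception {
        // Assumed setup: one PKCS12 keystore holding both PrivateKey entries (file name and
        // password are placeholders). JKS/PKCS12 aliases are lowercased, so use them as
        // "keytool -list" prints them.
        char[] password = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream("server.p12")) { ks.load(in, password); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        X509ExtendedKeyManager base = Arrays.stream(kmf.getKeyManagers())
            .filter(X509ExtendedKeyManager.class::isInstance).map(X509ExtendedKeyManager.class::cast)
            .findFirst().orElseThrow(() -> new IllegalStateException("no X509ExtendedKeyManager"));

        // Constructed mapping: listening address -> keystore alias of that interface's certificate.
        Map<String, String> aliasByAddress = Map.of("192.0.2.10", "iface-a", "192.0.2.20", "iface-b");

        ExecutorService pool = Executors.newCachedThreadPool();
        List<HttpsServer> servers = new ArrayList<>();
        for (Map.Entry<String, String> e : aliasByAddress.entrySet()) {
            // One SSLContext per interface, pinned to that interface's certificate and key.
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(new KeyManager[] { new FixedAliasKeyManager(base, e.getValue()) }, null, null);

            HttpsServer server = HttpsServer.create(
                new InetSocketAddress(InetAddress.getByName(e.getKey()), 8443), 0);
            server.setHttpsConfigurator(new HttpsConfigurator(ctx));
            server.createContext("/", exchange -> {
                byte[] body = ("served on " + exchange.getLocalAddress() + "\n").getBytes(StandardCharsets.UTF_8);
                exchange.sendResponseHeaders(200, body.length);
                try (OutputStream out = exchange.getResponseBody()) { out.write(body); }
            });
            server.setExecutor(pool);   // handlers for all interfaces share one thread pool
            server.start();
            servers.add(server);
        }
        Runtime.getRuntime().addShutdownHook(new Thread(() -> servers.forEach(s -> s.stop(0))));
    }
}
```

Binding one server per address rather than one server on the wildcard address is what makes the selection deterministic: the key manager never has to guess which interface a connection arrived on, because each SSLContext only knows one alias. To confirm the right chain is presented on each interface, connect to each address with `openssl s_client -connect <address>:8443 -showcerts` and compare the leaf certificate's CN with the DNS name of that interface.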