Using simple java HttpsServer listing on multiple interfaces with individual certificates per interface










0















I need a simple, embedded HTTPS server (preferably com.sun.net.httpserver.HttpsServer) that listens on multiple interfaces and uses the correct certificate per interface.



Luckily, the IP of each interface corresponds to a unique DNS name. In other words DNS reverse lookup returns the correct CN for the certificate to be used and SNI (Server Name Indication) is not required.



In the first step, I followed this answer to include the HTTPS server into my application. My certificates are signed using a chain of two intermediate CAs and a final root CA. E.g. the chain of trust looks like



certForInterfaceA --
+-- intermediateCA1 -- intermediateCA2 -- rootCA
certForInterfaceB --/


Everything works fine, if I modify my code such that the HTTPS server only listens to a specific interface and if I exclusively put the corresponding certificate (together with its private key and the chain) into the keystore as a single PrivateKey entry.



I hoped that everything would still work if the HTTPS server listened to the wildcard address and if the keystore had two PrivateKey entries, one for each interface. I hoped that the Java library would figure out by itself what the correct certificate is to be sent back to the client depending on the request.



Unfortunately, tests show an unreliable and unpredictable behavior. It seems as if the library picks one of the keys randomly. E.g. I get an certificate error due to a name mismatch in half of the cases.



I tried to look at the Java Reference for javax.net.ssl and at the Java Security Guide and to figure out what I might miss. I thought there should be a way to hook into the library to provide the correct key while the SSL session is going to be established. But I was lost. I did not even understand how the individual classes (HttpsServer, SSLContext, SSLSession, TrustManager, KeyManager) interact with each other and what the correct place is to select the correct certificate depending on the request. The whole doc is this kind of "get-a-factory-for-a-provider-that-gives-you-a-strategy-for-a-factory-for-your-object"-style that I do not get it.










share|improve this question


























    0















    I need a simple, embedded HTTPS server (preferably com.sun.net.httpserver.HttpsServer) that listens on multiple interfaces and uses the correct certificate per interface.



    Luckily, the IP of each interface corresponds to a unique DNS name. In other words DNS reverse lookup returns the correct CN for the certificate to be used and SNI (Server Name Indication) is not required.



    In the first step, I followed this answer to include the HTTPS server into my application. My certificates are signed using a chain of two intermediate CAs and a final root CA. E.g. the chain of trust looks like



    certForInterfaceA --
    +-- intermediateCA1 -- intermediateCA2 -- rootCA
    certForInterfaceB --/


    Everything works fine, if I modify my code such that the HTTPS server only listens to a specific interface and if I exclusively put the corresponding certificate (together with its private key and the chain) into the keystore as a single PrivateKey entry.



    I hoped that everything would still work if the HTTPS server listened to the wildcard address and if the keystore had two PrivateKey entries, one for each interface. I hoped that the Java library would figure out by itself what the correct certificate is to be sent back to the client depending on the request.



    Unfortunately, tests show an unreliable and unpredictable behavior. It seems as if the library picks one of the keys randomly. E.g. I get an certificate error due to a name mismatch in half of the cases.



    I tried to look at the Java Reference for javax.net.ssl and at the Java Security Guide and to figure out what I might miss. I thought there should be a way to hook into the library to provide the correct key while the SSL session is going to be established. But I was lost. I did not even understand how the individual classes (HttpsServer, SSLContext, SSLSession, TrustManager, KeyManager) interact with each other and what the correct place is to select the correct certificate depending on the request. The whole doc is this kind of "get-a-factory-for-a-provider-that-gives-you-a-strategy-for-a-factory-for-your-object"-style that I do not get it.










    share|improve this question
























      0












      0








      0








      I need a simple, embedded HTTPS server (preferably com.sun.net.httpserver.HttpsServer) that listens on multiple interfaces and uses the correct certificate per interface.



      Luckily, the IP of each interface corresponds to a unique DNS name. In other words DNS reverse lookup returns the correct CN for the certificate to be used and SNI (Server Name Indication) is not required.



      In the first step, I followed this answer to include the HTTPS server into my application. My certificates are signed using a chain of two intermediate CAs and a final root CA. E.g. the chain of trust looks like



      certForInterfaceA --
      +-- intermediateCA1 -- intermediateCA2 -- rootCA
      certForInterfaceB --/


      Everything works fine, if I modify my code such that the HTTPS server only listens to a specific interface and if I exclusively put the corresponding certificate (together with its private key and the chain) into the keystore as a single PrivateKey entry.



      I hoped that everything would still work if the HTTPS server listened to the wildcard address and if the keystore had two PrivateKey entries, one for each interface. I hoped that the Java library would figure out by itself what the correct certificate is to be sent back to the client depending on the request.



      Unfortunately, tests show an unreliable and unpredictable behavior. It seems as if the library picks one of the keys randomly. E.g. I get an certificate error due to a name mismatch in half of the cases.



      I tried to look at the Java Reference for javax.net.ssl and at the Java Security Guide and to figure out what I might miss. I thought there should be a way to hook into the library to provide the correct key while the SSL session is going to be established. But I was lost. I did not even understand how the individual classes (HttpsServer, SSLContext, SSLSession, TrustManager, KeyManager) interact with each other and what the correct place is to select the correct certificate depending on the request. The whole doc is this kind of "get-a-factory-for-a-provider-that-gives-you-a-strategy-for-a-factory-for-your-object"-style that I do not get it.










      share|improve this question














      I need a simple, embedded HTTPS server (preferably com.sun.net.httpserver.HttpsServer) that listens on multiple interfaces and uses the correct certificate per interface.



      Luckily, the IP of each interface corresponds to a unique DNS name. In other words DNS reverse lookup returns the correct CN for the certificate to be used and SNI (Server Name Indication) is not required.



      In the first step, I followed this answer to include the HTTPS server into my application. My certificates are signed using a chain of two intermediate CAs and a final root CA. E.g. the chain of trust looks like



      certForInterfaceA --
      +-- intermediateCA1 -- intermediateCA2 -- rootCA
      certForInterfaceB --/


      Everything works fine, if I modify my code such that the HTTPS server only listens to a specific interface and if I exclusively put the corresponding certificate (together with its private key and the chain) into the keystore as a single PrivateKey entry.



      I hoped that everything would still work if the HTTPS server listened to the wildcard address and if the keystore had two PrivateKey entries, one for each interface. I hoped that the Java library would figure out by itself what the correct certificate is to be sent back to the client depending on the request.



      Unfortunately, tests show an unreliable and unpredictable behavior. It seems as if the library picks one of the keys randomly. E.g. I get an certificate error due to a name mismatch in half of the cases.



      I tried to look at the Java Reference for javax.net.ssl and at the Java Security Guide and to figure out what I might miss. I thought there should be a way to hook into the library to provide the correct key while the SSL session is going to be established. But I was lost. I did not even understand how the individual classes (HttpsServer, SSLContext, SSLSession, TrustManager, KeyManager) interact with each other and what the correct place is to select the correct certificate depending on the request. The whole doc is this kind of "get-a-factory-for-a-provider-that-gives-you-a-strategy-for-a-factory-for-your-object"-style that I do not get it.







      java ssl https ssl-certificate keystore






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 13 '18 at 12:25









      user2690527user2690527

      267320




      267320






















          0






          active

          oldest

          votes











          Your Answer






          StackExchange.ifUsing("editor", function ()
          StackExchange.using("externalEditor", function ()
          StackExchange.using("snippets", function ()
          StackExchange.snippets.init();
          );
          );
          , "code-snippets");

          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "1"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53280971%2fusing-simple-java-httpsserver-listing-on-multiple-interfaces-with-individual-cer%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53280971%2fusing-simple-java-httpsserver-listing-on-multiple-interfaces-with-individual-cer%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Top Tejano songwriter Luis Silva dead of heart attack at 64

          政党

          天津地下鉄3号線