[jboss-jira] [JBoss JIRA] (WFCORE-3873) SNI support for https-listeners

Stuart Douglas (JIRA) issues at jboss.org
Wed May 23 06:11:00 EDT 2018


     [ https://issues.jboss.org/browse/WFCORE-3873?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stuart Douglas updated WFCORE-3873:
-----------------------------------
    Description: 
Java 8 has introduced server-side SNI support. The use case needed is having 1 jboss with more than 1 virtual server, and the customer wants to be able to use a different server certificate for each virtual server.

This may already be underway because of:
  https://issues.jboss.org/browse/UNDERTOW-750, and
  Elytron commits that indicate they are thinking about SNI support (org/wildfly/security/ssl/SSLUtils has SNI matcher)


3. What is the nature and description of the request?
Want SNI support to allow two applications with different hostnames and different certificates. Alternative is having certificates apply to both hostnames.

4. Why does the customer need this? (List the business requirements here)
Avoid having overly broad certificates.

5. How would the customer like to achieve this? (List the functional requirements here)
virtual-server (vhost) configuration should tie into SSL certificates configuration somehow. Probably allow one to specify an alias name in the virtual-server element.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
Configure two virtual-servers with different certificates. Verify an SSL client can connect and get the appropriate certificate.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
UNDERTOW-750 but with Elytron's TLS/SSL consolidation I expect other changes are needed

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
As soon as possible in EAP 7.x


  was:
Java 8 has introduced server-side SNI support. The use case needed is having 1 jboss with more than 1 virtual server, and the customer wants to be able to use a different server certificate for each virtual server.

This may already be underway because of:
  https://issues.jboss.org/browse/UNDERTOW-750, and
  Elytron commits that indicate they are thinking about SNI support (org/wildfly/security/ssl/SSLUtils has SNI matcher)

2. Who is the customer behind the request?
American Express (5384240)
TAM customer: yes
SRM customer: yes
Strategic: yes

3. What is the nature and description of the request?
Want SNI support to allow two applications with different hostnames and different certificates. Alternative is having certificates apply to both hostnames.

4. Why does the customer need this? (List the business requirements here)
Avoid having overly broad certificates.

5. How would the customer like to achieve this? (List the functional requirements here)
virtual-server (vhost) configuration should tie into SSL certificates configuration somehow. Probably allow one to specify an alias name in the virtual-server element.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
Configure two virtual-servers with different certificates. Verify an SSL client can connect and get the appropriate certificate.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
UNDERTOW-750 but with Elytron's TLS/SSL consolidation I expect other changes are needed

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
As soon as possible in EAP 7.x




> SNI support for https-listeners
> -------------------------------
>
>                 Key: WFCORE-3873
>                 URL: https://issues.jboss.org/browse/WFCORE-3873
>             Project: WildFly Core
>          Issue Type: Feature Request
>          Components: Security
>            Reporter: Stuart Douglas
>            Assignee: Stuart Douglas
>              Labels: Previous_RFE
>
> Java 8 has introduced server-side SNI support. The use case needed is having 1 jboss with more than 1 virtual server, and the customer wants to be able to use a different server certificate for each virtual server.
> This may already be underway because of:
>   https://issues.jboss.org/browse/UNDERTOW-750, and
>   Elytron commits that indicate they are thinking about SNI support (org/wildfly/security/ssl/SSLUtils has SNI matcher)
> 3. What is the nature and description of the request?
> Want SNI support to allow two applications with different hostnames and different certificates. Alternative is having certificates apply to both hostnames.
> 4. Why does the customer need this? (List the business requirements here)
> Avoid having overly broad certificates.
> 5. How would the customer like to achieve this? (List the functional requirements here)
> virtual-server (vhost) configuration should tie into SSL certificates configuration somehow. Probably allow one to specify an alias name in the virtual-server element.
> 6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
> Configure two virtual-servers with different certificates. Verify an SSL client can connect and get the appropriate certificate.
> 7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
> UNDERTOW-750 but with Elytron's TLS/SSL consolidation I expect other changes are needed
> 8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
> As soon as possible in EAP 7.x



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
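
The acceptance test in item 6, combined with the "overly broad certificates" concern in item 4, can be checked from the client side. This is an added example, not part of the ticket or of WildFly/Undertow/Elytron code; the host names, the `cafile` parameter and the sample certificate dictionaries are constructed assumptions.

```python
import socket
import ssl

def san_dns_names(cert):
    """DNS subjectAltName entries from a dict shaped like SSLSocket.getpeercert()."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_covers(pattern, host):
    """Exact match, or '*' standing for the whole left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def audit_vhost_cert(cert, vhost, all_vhosts):
    """Findings for the certificate served when `vhost` was sent as the SNI name."""
    names = san_dns_names(cert)
    findings = []
    if not any(name_covers(n, vhost) for n in names):
        findings.append(f"{vhost}: served certificate does not cover it (SNI ignored?)")
    for other in all_vhosts:
        if other != vhost and any(name_covers(n, other) for n in names):
            findings.append(f"{vhost}: certificate also covers {other} (overly broad)")
    return findings

def fetch_cert(addr, port, vhost, cafile):
    """Connect with `vhost` in the SNI extension; return the parsed leaf certificate."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain is still validated
    ctx.check_hostname = False                       # audit_vhost_cert does the name check
    with socket.create_connection((addr, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=vhost) as tls:
            return tls.getpeercert()

# Constructed sample data (placeholder host names, not taken from the ticket).
VHOSTS = ["app1.example.test", "app2.example.test"]
CERT_APP1 = {"subjectAltName": (("DNS", "app1.example.test"),)}
CERT_SHARED = {"subjectAltName": (("DNS", "app1.example.test"),
                                  ("DNS", "app2.example.test"))}
CERT_WILD = {"subjectAltName": (("DNS", "*.example.test"),)}

if __name__ == "__main__":
    for label, cert in [("per-vhost", CERT_APP1), ("shared", CERT_SHARED),
                        ("wildcard", CERT_WILD)]:
        print(label, audit_vhost_cert(cert, "app1.example.test", VHOSTS))
```

Against a live listener, pass the result of `fetch_cert(addr, port, vhost, cafile)` for each virtual server to `audit_vhost_cert`; an empty list for every host means each name received its own, narrowly scoped certificate.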

