SNI on server side

SNI on server side

John Jiang
Hi,
I'm using bctls-jdk15on-158.jar.
I added the server name extension on the client side, namely DefaultTlsClient. That works fine.
My question is how to get the server side, namely DefaultTlsServer, to support SNI.
I suppose the server side is able to set up multiple certificates, but I don't know how to do that.

Thanks!

John

Re: SNI on server side

Peter Dettman-3
Hi John,
You can get some ideas from the BCJSSE class ProvTlsServer. In
particular, look at:

    ProvTlsServer.processClientExtensions
    ProvTlsServer.getServerExtensions

After the extension negotiation, an SNI-aware server will then know what
server_name the client was targeting and can then e.g. choose from
multiple server certificates, or forward the rest of the handshake
somehow based on the server_name, but there's no helper code for any of
that as we don't really know what the common patterns are yet.

Regards,
Pete Dettman

On 13/12/17 11:53 pm, John Jiang wrote:

> Hi,
> I'm using bctls-jdk15on-158.jar.
> I added the server name extension on the client side, namely DefaultTlsClient.
> That works fine.
> My question is how to get the server side, namely DefaultTlsServer, to
> support SNI.
> I suppose the server side is able to set up multiple certificates, but I
> don't know how to do that.
>
> Thanks!
>
> John
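A sketch of the pattern Pete describes, added here as an example and not taken from the thread or from the Bouncy Castle code base: a DefaultTlsServer subclass reads the client's server_name in processClientExtensions, acknowledges it in getServerExtensions, and then picks credentials from a per-hostname map the caller supplies. The bctls 1.58 API names used (TlsExtensionsUtils.getServerNameExtension, ServerName.getNameData, TlsExtensionsUtils.EXT_server_name, createEmptyExtensionData, checkServerExtensions, getRSASignerCredentials) are assumed from that release, and the credentials map and default entry are assumed to be built by the caller.

```java
import java.io.IOException;
import java.util.*;
import org.bouncycastle.tls.*;
import org.bouncycastle.tls.crypto.TlsCrypto;
import org.bouncycastle.util.Strings;

// Assumed: the caller builds one TlsCredentialedSigner (RSA chain + key) per host name,
// plus a default used when the client sends no SNI or an unknown name (RFC 6066 s.3).
public class SniTlsServer extends DefaultTlsServer {
    private final Map<String, TlsCredentialedSigner> credsByHost;
    private final TlsCredentialedSigner defaultCreds;
    private TlsCredentialedSigner selected;   // non-null once SNI matched a configured host

    public SniTlsServer(TlsCrypto crypto, Map<String, TlsCredentialedSigner> credsByHost,
                        TlsCredentialedSigner defaultCreds) {
        super(crypto);
        this.credsByHost = credsByHost;
        this.defaultCreds = defaultCreds;
    }

    @Override
    public void processClientExtensions(Hashtable clientExtensions) throws IOException {
        super.processClientExtensions(clientExtensions);   // keep the base class's processing
        ServerNameList sni = TlsExtensionsUtils.getServerNameExtension(clientExtensions);
        if (sni == null) return;                           // no SNI: default certificate
        Vector names = sni.getServerNameList();            // RFC 6066 allows one host_name entry
        for (int i = 0; i < names.size(); i++) {
            ServerName n = (ServerName) names.elementAt(i);
            if (n.getNameType() != NameType.host_name) continue;
            // host_name is ASCII, compared case-insensitively; unknown names fall back to default
            String host = Strings.fromByteArray(n.getNameData()).toLowerCase(Locale.ROOT);
            selected = credsByHost.get(host);
            break;
        }
    }

    @Override
    public Hashtable getServerExtensions() throws IOException {
        super.getServerExtensions();
        if (selected != null) {   // acknowledge the match with an empty server_name extension
            checkServerExtensions().put(TlsExtensionsUtils.EXT_server_name,
                TlsExtensionsUtils.createEmptyExtensionData());
        }
        return serverExtensions;
    }
    @Override   // used for RSA-signed suites; ECDSA suites need the same in getECDSASignerCredentials
    protected TlsCredentialedSigner getRSASignerCredentials() throws IOException {
        return selected != null ? selected : defaultCreds;
    }
}
```

Falling back to the default certificate on an unknown name is the behaviour RFC 6066 permits; a deployment that would rather refuse such clients can instead throw a TlsFatalAlert from processClientExtensions.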