Server Name Indication (SNI)

Issue #447 closed
Marco created an issue

Hello,

Is there a possibility to set the server name within the request, just like with 'openssl -servername <host> ...'? The background is that Keycloak is behind a gateway which has another default route. Without specifying the server name we are redirected to the wrong backend and with that get the wrong certificate. This leads to the following exception:

com.nimbusds.jose.RemoteKeySourceException: Couldn't retrieve remote JWK set: No subject alternative DNS name matching <host> found.
...
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching <host> found.
...

The same can be replicated from the command line with openssl or curl, but with curl it seems that the server name is sent by default.

We're looking for something like this:

import java.security.*;
import java.util.*;
import javax.net.ssl.*;

public class SniSslEngineFactory {
    // Placeholder values: the gateway we connect to and the server name it should route on
    private static final String PROXY_ADDRESS = "gateway.example.internal";
    private static final int PROXY_PORT = 443;
    private static final String SNI_HOST_NAME = "keycloak.example.internal";

    private SSLContext createSSLContext() throws KeyManagementException, NoSuchAlgorithmException {
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, null, null); // default key managers, trust managers and randomness
        return sslContext;
    }

    private SSLEngine createSSLEngine() throws KeyManagementException, NoSuchAlgorithmException {
        SSLContext sslContext = createSSLContext();
        SSLEngine sslEngine = sslContext.createSSLEngine(PROXY_ADDRESS, PROXY_PORT);
        sslEngine.setUseClientMode(true);

        // Send the SNI extension for SNI_HOST_NAME instead of PROXY_ADDRESS
        List<SNIServerName> serverNameList = new ArrayList<>();
        serverNameList.add(new SNIHostName(SNI_HOST_NAME));
        SSLParameters sslParameters = sslEngine.getSSLParameters();
        sslParameters.setServerNames(serverNameList);
        sslEngine.setSSLParameters(sslParameters);

        return sslEngine;
    }
}

Did we just miss the section where this could be set, or isn't it possible yet to set the server name that should be transmitted within the request?

Best regards

Comments (3)

  1. Marco reporter

    Hi Vladimir,

    thank you for the quick response and the great hint.

    While debugging I’ve just encountered that class, and I guess the best choice is to provide a specific implementation for our case.

    Somehow I’d thought that there might be a configuration parameter that I’ve missed, but that should do the trick.

    Thanks again and have a good one.
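The thread does not name the class Vladimir pointed Marco to. The example below is added here and is not code from the issue or from the Nimbus JOSE+JWT project; it assumes the hint was to plug a custom implementation of the library's com.nimbusds.jose.util.ResourceRetriever interface into RemoteJWKSet, and it carries the SSLEngine idea from the issue over to the socket factory that HttpsURLConnection actually uses. The host names, the JWK set URL, the timeout and the SIZE_LIMIT_BYTES cap are constructed placeholders.

```java
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.Resource;
import com.nimbusds.jose.util.ResourceRetriever;

/** Wraps an SSLSocketFactory so every socket it creates carries a fixed SNI host name. */
final class SniSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;
    private final String sniHostName;

    SniSocketFactory(SSLSocketFactory delegate, String sniHostName) {
        this.delegate = delegate;
        this.sniHostName = sniHostName;
    }

    // Same step as setServerNames() on the SSLEngine in the issue, applied before the handshake starts.
    private Socket withSni(Socket socket) {
        if (socket instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) socket;
            SSLParameters params = ssl.getSSLParameters();
            params.setServerNames(Collections.singletonList(new SNIHostName(sniHostName)));
            ssl.setSSLParameters(params);
        }
        return socket;
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket() throws IOException { return withSni(delegate.createSocket()); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return withSni(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException { return withSni(delegate.createSocket(host, port)); }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return withSni(delegate.createSocket(host, port, localHost, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException { return withSni(delegate.createSocket(host, port)); }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return withSni(delegate.createSocket(address, port, localAddress, localPort));
    }
}

/** Fetches the JWK set over HTTPS with the SNI-pinning factory; certificate and host name checks stay at their JDK defaults. */
final class SniResourceRetriever implements ResourceRetriever {
    private static final int SIZE_LIMIT_BYTES = 64 * 1024; // constructed cap: refuse oversized responses
    private final SSLSocketFactory socketFactory;
    private final int timeoutMillis;

    SniResourceRetriever(String sniHostName, int timeoutMillis) {
        this.socketFactory = new SniSocketFactory((SSLSocketFactory) SSLSocketFactory.getDefault(), sniHostName);
        this.timeoutMillis = timeoutMillis;
    }

    @Override public Resource retrieveResource(URL url) throws IOException {
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IOException("JWK set URL must use https: " + url);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(socketFactory);
        conn.setConnectTimeout(timeoutMillis); conn.setReadTimeout(timeoutMillis);
        if (conn.getResponseCode() != HttpsURLConnection.HTTP_OK) {
            throw new IOException("JWK set fetch failed: HTTP " + conn.getResponseCode());
        }
        StringBuilder body = new StringBuilder();
        try (InputStreamReader in = new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8)) {
            char[] buf = new char[4096];
            int n;
            while ((n = in.read(buf)) > 0) {
                body.append(buf, 0, n);
                if (body.length() > SIZE_LIMIT_BYTES) throw new IOException("JWK set response exceeds size limit");
            }
        }
        return new Resource(body.toString(), conn.getContentType());
    }
}

public class SniJwkSetExample {
    public static void main(String[] args) throws Exception {
        // Constructed placeholders: use the gateway's real JWK set URL and the server name it routes on.
        URL jwkSetUrl = new URL("https://keycloak.example.internal/realms/demo/protocol/openid-connect/certs");
        RemoteJWKSet<SecurityContext> jwkSource =
            new RemoteJWKSet<>(jwkSetUrl, new SniResourceRetriever("keycloak.example.internal", 5_000));
        System.out.println("JWK set source configured for " + jwkSetUrl);
    }
}
```

Setting the SNI name explicitly on the socket makes the request independent of whatever the JDK's default client would or would not send. Hostname verification is deliberately left at the default: the certificate the gateway returns must still match the host in the JWK set URL, so the SNI value should be the same name the intended backend's certificate carries. If the "No subject alternative DNS name matching" error persists after SNI is in place, the gateway is still routing to the wrong backend, and that routing is what to fix.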
