Jason-

Next step would be to enable SSL debugging on client and server side to inspect the handshake.

Available Java SSL debug arguments (configure in bin/setenv) in increasing verbosity:

-Djavax.net.debug=ssl
-Djavax.net.debug=ssl:handshake
-Djavax.net.debug=ssl:handshake:verbose

-Matt Pavlovich

> On Aug 13, 2025, at 2:11 PM, Jason Jackson <jason.jack...@itechag.com.INVALID> wrote:
>
> I set it in the SSL Context how you have it there and with the same entries
> you have listed.
>
> I will check and verify again.
>
> Jason
>
> ________________________________
> From: Matt Pavlovich <mattr...@apache.org>
> Sent: Wednesday, August 13, 2025 11:41 AM
> To: users@activemq.apache.org <users@activemq.apache.org>
> Subject: Re: ActiveMQ Classic Jetty SNI Settings/Options
>
> Jason-
>
> Where did you try setting the sniRequired in the properties in the jetty.xml?
>
> The conf/jetty.xml is in Spring format, so the syntax is slightly different
> from the jetty.xml bean wiring, but you can get the same results.
>
> The SslContextFactory$Server bean appears to be the one to set the values:
>
> <bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
>     <constructor-arg ref="Server" />
>     <constructor-arg>
>         <bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
>             <property name="keyStorePath" value="${activemq.conf}/broker.ks" />
>             <property name="keyStorePassword" value="password" />
>             <property name="sniRequired" value="false" />
>             <property name="sniHostCheck" value="false" />
>         </bean>
>     </constructor-arg>
>     <property name="port" value="8162" />
> </bean>
>
> Matt Pavlovich
>
>> On Aug 13, 2025, at 7:47 AM, Jason Jackson <jason.jack...@itechag.com.INVALID> wrote:
>>
>> Thank you Matt and Robbie for the response.
>>
>> I did notice that Artemis does have settings for SNI, for some reason I have
>> not been able to disable SNI for Classic using any of the documented options
>> from Jetty.
>>
>> I am running ActiveMQ Classic 6.1.7 which uses Jetty 11.0.25, I am wondering
>> if there is a bug or some other issue that is preventing the disabling of
>> SNI.
>>
>> I will read over the information again and verify my settings.
>>
>> Jason
>>
>> ________________________________
>> From: Robbie Gemmell <robbie.gemm...@gmail.com>
>> Sent: Wednesday, August 13, 2025 8:01 AM
>> To: users@activemq.apache.org <users@activemq.apache.org>
>> Subject: Re: ActiveMQ Classic Jetty SNI Settings/Options
>>
>> Jetty versions > 9 have SNI checking enabled by default, verifying
>> that if an SNI value were specified that the host being asked for is a
>> match for the details of the server certificate. As a result newer
>> Jetty versions can refuse requests that older Jetty versions allow.
>>
>> The SNI checking behaviour in Jetty is configurable, so e.g. the
>> ability to pass through such SNI config to the programmatically-created
>> embedded Jetty instance was added in Artemis a couple years ago, via:
>> https://issues.apache.org/jira/browse/ARTEMIS-4245
>>
>> As https://issues.apache.org/jira/browse/ARTEMIS-3968 (the original
>> request for adding such config) covers, and as you suspected, the
>> issue is also fixable by ensuring the server certificate matches what
>> clients ask for...either by ensuring the clients use the correct host
>> for the certificate's current details, or by ensuring the cert's SAN etc
>> details can allow for whatever host clients are actually requesting.
>>
>> On Tue, 12 Aug 2025 at 20:32, Matt Pavlovich <mattr...@apache.org> wrote:
>>>
>>> ActiveMQ is not doing anything specific regarding SNI for Jetty. I suspect
>>> certificate or environment issues.
>>>
>>> Matt Pavlovich
>>>
>>>> On Aug 12, 2025, at 2:01 PM, Jason Jackson <jason.jack...@itechag.com.INVALID> wrote:
>>>>
>>>> Has anyone had success with disabling or setting SNI in ActiveMQ Classic
>>>> jetty.xml?
>>>>
>>>> I have tried everything I have seen posted on the Jetty web site and what
>>>> I have found in other areas and nothing seems to work.
>>>>
>>>> I am attempting to place a load balancer in front of some ActiveMQ instances
>>>> and it always fails with SNI errors. I have tried pass-thru as well as
>>>> terminating at the LB and re-initializing a new connection but no luck.
>>>>
>>>> Here is what I have set
>>>>
>>>> <property name="sniRequired" value="false" />
>>>>
>>>> -Djetty.sslContext.sniRequired=false -Djetty.ssl.sniRequired=false
>>>> -Djetty.ssl.sniHostCheck=false
>>>>
>>>> Jason
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@activemq.apache.org
>>> For additional commands, e-mail: users-h...@activemq.apache.org
>>> For further information, visit: https://activemq.apache.org/contact
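
Added example, not part of the thread and not Jetty or ActiveMQ code: a simplified RFC 6125-style check of the names that clients or a load balancer request against a certificate's SAN entries, the match that Robbie's reply says the server certificate must satisfy. The SAN list and hostnames are constructed sample values.

```python
# Added example: simplified hostname-vs-SAN matching (RFC 6125 style).
# It is a model for diagnosing the mismatch, not Jetty's implementation.
import ipaddress


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def san_matches(requested, san_entries):
    """Return True if `requested` is covered by any (kind, value) SAN entry."""
    if _is_ip(requested):
        want = ipaddress.ip_address(requested)
        return any(kind == "IP Address" and ipaddress.ip_address(v) == want
                   for kind, v in san_entries)
    labels = requested.lower().rstrip(".").split(".")
    for kind, value in san_entries:
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".").split(".")
        if len(pattern) != len(labels):
            continue  # a wildcard covers exactly one label
        if pattern[0] == "*" and len(pattern) > 2:
            if pattern[1:] == labels[1:]:
                return True
        elif pattern == labels:
            return True
    return False


def audit(requested_hosts, san_entries):
    """Map each name a client or load balancer may request to match/mismatch."""
    return {h: san_matches(h, san_entries) for h in requested_hosts}


# Constructed sample data: SANs of a hypothetical broker certificate, in the
# (kind, value) shape Python's ssl.getpeercert()["subjectAltName"] uses.
BROKER_SANS = (("DNS", "broker1.internal.example"), ("DNS", "*.mq.example"))
# Constructed names: the broker's own name, a load balancer name covered by
# the wildcard, one not covered, a two-label-deep name, and a bare IP.
REQUESTED = ["broker1.internal.example", "lb.mq.example",
             "activemq.example", "a.b.mq.example", "10.0.0.15"]

if __name__ == "__main__":
    for host, ok in audit(REQUESTED, BROKER_SANS).items():
        print(f"{host:28} {'match' if ok else 'MISMATCH'}")
```

Any name reported as a mismatch is one to add to the certificate's SAN list, or one that clients and the load balancer should stop requesting.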