SNI (Server Name Indication) for HTTPS connections.
SNI allows a single IP and port to serve multiple SSL certificates. When a connection comes in, the server uses the keystore holding the certificate for the domain name that was requested. SNI requires Java 1.8 or higher on the CrushFTP server side.
1.) Edit the HTTPS server_item in your prefs page, advanced tab, and enable the SNI checkbox. The port is then SNI ready and can be used.
2.) The HTTPS port needs a keystore specified. It can be anything generic, but I suggest putting the www.domain1.com keystore info in it. Its name must be "main.jks"; the name is important for following along with the example.
3.) Now you need two other files: www.domain1.com_main.jks and www.domain2.com_main.jks. All files should be in the same folder that you specified for main.jks. Each should have its own set of keystore info; do not put multiple in one keystore, as that is not how the system is designed. They must all use the same passwords too.
Now when a browser connects, it hints at the domain being used as part of the SSL handshake. CrushFTP then loads that particular keystore and uses it for that connection. So based on the domain used, you will get a different keystore.
(No UI is provided for this config until this situation becomes more widespread in its usage.)
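
A pre-flight check for the layout described in the steps above, as an added example that is not CrushFTP's own code: `audit_layout` verifies the file naming rule, and `sni_cert_matches` asks a live server for one SNI name and reports whether the served certificate validates for it. The function names, the sample folder and the placeholder address are assumptions made for illustration.

```python
import os
import socket
import ssl
import tempfile

BASE = "main.jks"  # name of the generic keystore in the page's example

def keystore_for(sni_host, folder):
    """Per-domain keystore path under the page's naming rule: <domain>_main.jks."""
    return os.path.join(folder, f"{sni_host}_{BASE}")

def audit_layout(folder, domains):
    """Return a list of problems found in the keystore folder."""
    problems = []
    if not os.path.isfile(os.path.join(folder, BASE)):
        problems.append(f"missing generic keystore {BASE}")
    for domain in domains:
        if not os.path.isfile(keystore_for(domain, folder)):
            problems.append(f"missing keystore for {domain}")
    expected = {f"{d}_{BASE}" for d in domains}
    for name in sorted(os.listdir(folder)):
        # Per-domain keystores for names that are not in the expected list.
        if name.endswith("_" + BASE) and name not in expected:
            problems.append(f"unexpected keystore {name}")
    return problems

def sni_cert_matches(host, port, sni_host):
    """True if the certificate served for this SNI name validates for it."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni_host):
                return True
    except ssl.SSLCertVerificationError:
        return False

if __name__ == "__main__":
    # Constructed sample folder: the keystore for domain2 is deliberately absent.
    with tempfile.TemporaryDirectory() as folder:
        for name in (BASE, "www.domain1.com_main.jks"):
            open(os.path.join(folder, name), "wb").close()
        print(audit_layout(folder, ["www.domain1.com", "www.domain2.com"]))
    # Against a live server (needs network; the address is a placeholder):
    # sni_cert_matches("203.0.113.10", 443, "www.domain1.com")
```

The layout check does not open the keystores, so the requirement that all of them share the same passwords still has to be confirmed separately.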