Add SNI support to embedded web server SSL auto-configuration

[sokomishalov]

It would be great and useful to have such functionality out-of-box.
I'm not sure if all web-server implementations support SNI, but tomcat and reactor-netty definitely support it.

[wilkinsona]

Thanks for the suggestion, @sokomishalov. How would you expect to configure the auto-configuration if it supported SNI? I'm wondering what you had imagined the configuration properties would be so that you can provide multiple key stores and map each to a host pattern.

[sokomishalov]

Thanks for the quick reply, @wilkinsona!
Well, I suppose it could look like that:

server:
  ssl:
    enabled: true
    key-store: /path/to/key-store
    key-store-password: foobar
    key-alias: fallback
    sni:
      - mapping: foo.example.com
        ssl:
          key-store: ${server.ssl.key-store}
          key-store-password: ${server.ssl.key-store-password}
          key-alias: foo
      - mapping: bar.example.com
        ssl:
          key-store: ${server.ssl.key-store}
          key-store-password: ${server.ssl.key-store-password}
          key-alias: bar

If you'd want to use SNI, you still have to set up a fallback SSL context in that rare case when the user's client does not support SNI.
I'm not sure if it's ok to reuse SSL properties in that recursive way or just to provide new higher-level property for SNI mappings inside ServerProperties, but I think it could be possible to reuse Ssl-properties POJO somehow.
Also, maybe it could be useful to provide a property that will automatically extract DNS/IP from SAN or just CN to provide default SNI-mapping for this SSL context.
Here is my gist - netty customizer to create SNI from a single key-store with multiple aliases with current spring-boot SSL properties, which maps SSL context to domain names from SAN and/or CN. Maybe someone will find it useful.

[wilkinsona]

@SidneyLann Please use a thumbs up reaction (👍) on the opening description rather than commenting as it avoids notifying everyone watching the repository.

[SidneyLann]

server.ssl.enabled=true
server.ssl.key-store=/home/sidney/app/ssl/pc9g.com.p12
server.ssl.key-store-password=password
server.ssl.key-store-type=PKCS12
server.ssl.sni[0].mapping=gsz.pc8g.com
server.ssl.sni[0].ssl.key-store=/home/sidney/app/ssl/gsz.pc9g.com.p12
server.ssl.sni[0].ssl.key-store-password=password

Why the settings of sni not work?
exception accour:
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown