Added clarifying comment to KeyStore content.

Restored precise check when a SAN is present. Signed-off-by: Simone Bordet <[email protected]>
jetty · Dec 9, 2023 · f620f99 · f620f99
1 parent 832f19e
commit f620f99
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SniSslConnectionFactoryTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SniSslConnectionFactoryTest.java
@@ -149,20 +149,23 @@ public void testSNIConnectNoWild() throws Exception
     {
         start((ssl, customizer) ->
         {
-            // Disable the host check because this keystore has no CN and no SAN.
+            // Disable the host check because this keystore has no CN and a SAN only for www.example.com.
             ssl.setKeyStorePath("src/test/resources/keystore_sni_nowild.p12");
             customizer.setSniHostCheck(false);
         });
 
+        // This request won't match any CN or SAN, so the "default" certificate will be returned.
         String response = getResponse("www.acme.org", null);
         assertThat(response, Matchers.containsString("X-HOST: www.acme.org"));
+        // The JDK implementation may return aliases in random order, so the
+        // "default" certificate could be any of the two present in the KeyStore.
         assertThat(response, Matchers.either(Matchers.containsString("X-CERT: OU=default"))
                 .or(Matchers.containsString("X-CERT: OU=example")));
 
+        // This request matches a SAN in the KeyStore.
         response = getResponse("www.example.com", null);
         assertThat(response, Matchers.containsString("X-HOST: www.example.com"));
-        assertThat(response, Matchers.either(Matchers.containsString("X-CERT: OU=default"))
-                .or(Matchers.containsString("X-CERT: OU=example")));
+        assertThat(response, Matchers.containsString("X-CERT: OU=example"));
     }
 
     @Test