From 8de7b839668986770d137957dc125417d63f46ce Mon Sep 17 00:00:00 2001
From: Simone Bordet <simone.bordet@gmail.com>
Date: Thu, 4 Mar 2021 13:09:24 +0100
Subject: [PATCH] Fixes #6034 - SslContextFactory may select a wildcard
 certificate during SNI selection when a more specific SSL certificate is
 present.

Now matching certificates are sorted, non-wildcard first, so that a more specific alias is returned.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
---
 .../ssl/SniSslConnectionFactoryTest.java      |  27 +++++++++++++++++-
 .../src/test/resources/keystore_sni.p12       | Bin 8255 -> 10672 bytes
 .../jetty/util/ssl/SslContextFactory.java     |  24 ++++++++++++----
 3 files changed, 44 insertions(+), 7 deletions(-)

diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SniSslConnectionFactoryTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SniSslConnectionFactoryTest.java
index 080437c0e3c..9b78f593977 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SniSslConnectionFactoryTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SniSslConnectionFactoryTest.java
@@ -28,6 +28,7 @@ import java.util.Queue;
 import java.util.concurrent.LinkedBlockingQueue;
 import java.util.function.BiConsumer;
 import java.util.function.Consumer;
+import java.util.stream.Collectors;
 import javax.net.ssl.SNIHostName;
 import javax.net.ssl.SNIServerName;
 import javax.net.ssl.SSLEngine;
@@ -58,6 +59,7 @@ import org.eclipse.jetty.util.IO;
 import org.eclipse.jetty.util.component.LifeCycle;
 import org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
+import org.eclipse.jetty.util.ssl.X509;
 import org.hamcrest.Matchers;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Test;
@@ -163,7 +165,27 @@ public class SniSslConnectionFactoryTest
     @Test
     public void testSNIConnect() throws Exception
     {
-        start("src/test/resources/keystore_sni.p12");
+        start(ssl ->
+        {
+            ssl.setKeyStorePath("src/test/resources/keystore_sni.p12");
+            ssl.setSNISelector((keyType, issuers, session, sniHost, certificates) ->
+            {
+                // Make sure the *.domain.com comes before sub.domain.com
+                // to test that we prefer more specific domains.
+                List<X509> sortedCertificates = certificates.stream()
+                    // As sorted() sorts ascending, make *.domain.com the smallest.
+                    .sorted((x509a, x509b) ->
+                    {
+                        if (x509a.matches("domain.com"))
+                            return -1;
+                        if (x509b.matches("domain.com"))
+                            return 1;
+                        return 0;
+                    })
+                    .collect(Collectors.toList());
+                return ssl.sniSelect(keyType, issuers, session, sniHost, sortedCertificates);
+            });
+        });
 
         String response = getResponse("jetty.eclipse.org", "jetty.eclipse.org");
         assertThat(response, Matchers.containsString("X-HOST: jetty.eclipse.org"));
@@ -174,6 +196,9 @@ public class SniSslConnectionFactoryTest
         response = getResponse("foo.domain.com", "*.domain.com");
         assertThat(response, Matchers.containsString("X-HOST: foo.domain.com"));
 
+        response = getResponse("sub.domain.com", "sub.domain.com");
+        assertThat(response, Matchers.containsString("X-HOST: sub.domain.com"));
+
         response = getResponse("m.san.com", "san example");
         assertThat(response, Matchers.containsString("X-HOST: m.san.com"));
 
diff --git a/jetty-server/src/test/resources/keystore_sni.p12 b/jetty-server/src/test/resources/keystore_sni.p12
index 39bee9040537f5e5759834762a89c160fb1046b8..e1028961f4ba7210f70e8d856288451758dc492f 100644
GIT binary patch
delta 7027
zcmY+GRZyJ^ux4T7?hxF9ySqCC2@pKE+s2*z8+Uhi3GTr?IKkZ|KyY`NQ#H5l)I5FF
zt84W`KXi4Ec%6m_dmuv<2pZ<Uuz*Km43!UkK!Zkr&JSeJf(>L){|~FM2jU|Ce=VFB
z*g%{I_CTDQdJ%JU04@d|<$pv}WN1)+Ae=aRAe=C}<^M`>XzaS|{Qs{+WoLrLwW4D@
zhJ__;aoth5AZx&!=2CC71A*u;LC_TJsPKsYcOnQ04vL)=9?3XV9@+v17Mc+jGfweK
zBdxxY_W-o2#VBNUAAk*no%Zf0VN<9@&%5KwBN2EUX1{1+KU6$p!ZCc?$<lJm2Fq49
zPGUQ)d=qKt{$#AXO|7`|7ml{aQ98Ivfw(6DH67dMgc79(=`u2tK1z?4m51#27SLAT
zXCEoHb)IzU^tf+3$#Y_&pW<3+et+I1i=9AgOK&N<C^gr?1T+?FxP;{5aPXh_X6_Qx
zsKae=xkwW_J$E4IoI!nTx)fK=z|N|Lv8MSB4y{oe`k{_VRTH$P{qB@-XB=Alv8`v)
z8dA;=Wyb?<U#M+~*KDLrBz2KA6Nr|u61FvgU>}uVS`+{4Zd-VCaa*v3ePmU~#PG99
zouOiy+%tM21uiN};?}Th?<C{krh2bF?oM3P-$ci1hkiZ^PzvXQWfj@3rth;!H3MM_
zt&}Bv>McF?PNXaw<jhq3Dds$3w4$!20{<jpS!&^NZpaqppok2JzyH0XD<P)s&<B6d
zr^)U|hlmI{?V?4@_d-hhJGopA8wyY+ncq9X4DBSUz$Ju5wjWTDDe%32p@uq>+&1}F
zhumnI5fz@#9Mv?KdZRCY8*tTdTDMh+H|drC9q;bro3K7g=sZDtm2k1KN7T}e+`BfO
z9I)*i4COVU|5$BA%TKe-fVifNn=>qMiXBSg6sbr(_qo386($v%;QT@@#G!c>nF1Hw
zYWK$jSm`DgdpBL_fZ}_lBIiUjCXDD{W^CUm4$xyHOY|;6QwzN-0iJ!D%2M91ugugn
zZLj<_84i}+_5MaZH4n-)LU7XvcpvJwi)IQSi=x;*%`uAPovg0@Cj?{dRup-%q!~%3
z8uO0KVT%V9ItN>ImT@F#K`!;lEQ~KLKur<AK&oNVybO6i(875vM`HaUXZVo!qG{d9
zROuT=h+sfbrZMEi3MVt?+s`X(XL1~G#{Bj0ybxNdp5EbKI6t`mQJDg>V@vD~lq;ot
zbO7PRpE!JqbSO_&*Q2y`F(t!y@>Vxcm-)HF%J4ma?W`DV&f-Q|zhK5L7WJ+7Sl<Qc
zytOt85JLBVo9Sz`#7^J54L@Xva8Bqv_XN)u9am*Pl;BI#RF{?Eukcd8*0MkQe(vgD
zR9&GzdE9WkJ20ao_52ywi`V&WIS96zW^gx$j&t@(TekbGbe|*xTI2fd1~b_&C#i&i
z%G!AU#gex1jpkfqjHR`{r^p^w4d)Jkh};EXF?-kLEa>^Db9!gS>W36zp()F1wskDs
zF=awe{}$Jix8)Xo_5V~w50RjYe&OKGs1FUDmFqzapfh~zUi#FVs)TiCZ>o-J0!2Z1
zoG%?^JCxmfK8fW#`h$ocmdCt$%Pe+X4a#FOxR-mNm%GcXP3XwEckvpYsL>5bYziPU
z5Vlk2&a2JsM5w}Db|a-|11DMXy+uC!ERSa7)83F3#qjq=6!IrUw5DysdDJTdC^Y6>
zu-1{P;CNW8ulkrsXm>`{%FkWQ*PjXQiO@+w$CtC$Kg6XEW$u{>8J_8pm!PwJbR)Sr
zlg{+Ux<$S0Nf)uh8iRXNxG;bT%A2NyDpKv4*~FTX{0<+orr$B>lv5IXx%l{QW5^z2
z9tJq1OhsrmaP7Y1=?HUsN;TILor#x{u%H|dST78m6FX)i5jNdoYHy@{-Jp+tl7*r|
z;WNDtv4`;%4ncOj|2>>YxEzRN@KCN$?og)el>dYI(V&s=IB;RHHEkR$C^&dIxcPaw
zIXKz*+4<N5@r3_ZMu5)`#AEpnF@T_<{tK$4E_70WWsFC8N@R&+NCgIhp(~K|i-?K<
z1Oqjo1_{JHN}Y-CikHly@drPTi-x#A>)#Kz_ij+@UiGB7_azm}v(xg-am9ufq)Q%D
zL#OR6A0S>TCGe+tNcz$r>K!aCc-r38E46W45KGNWe9a3{rdCa{f8(8)OBOml{_GWM
zLOBH}S<`uCu{P1XbhU_4M&N>G^s65>qb64LLJtzszk8V5hDn+pt>jZOe!!lQ{mvKM
zFD$DpsbevUE)|ZNVlY>jU~`Xx0$*)Fqise1X+)*g`W+CDhryz`TDoMA^GZ}0Sgc-h
z+P%XfhT{YeTb1-U<M<UHY5F1fK+f>R!$26YHDYDlRz>?-&=-<>S>FZ!6#;VVz-Hf0
zMQ}uzeDWk76wNo^LH|`=GCLkS-D5y_+e3ovpq%@`uybM|P~`g~sayNSgeMfn-*Gdv
z{ThaleZr;13&`@rqcXyW-q*OAu-KTQYNo)1Y$uZJ!C%zs^elq)Oy#Hi)FzcfM&V(A
z)_?1KQr~vQ;5F|{Qzl#57+A`5Tmg@O1VeZX3?IOgu$gr6=Mu+jTjiA?mZ@=K)Wn}^
z;~=CLiUUpVQ&!U?X<NxYOWmqZ`dNfrwiFtAbb8^tdmBd)lojpluOVD|P^|t$tArND
zexDA9_2XL9Jde{jt%8+3N);-c%-8@+MohvFMO-xfovLi{E!Bw)y<c49k2I;Y*VyZr
z_oV#OU^FO~VV=heV;`sz&-~pObmn6Mna5h6PNLatCqvK2eu%Tfd6qBkb@ZQS!R^<^
znpI{GU1_cik|~wzThc?Ts2OV85A2A(>b^Kf*h5Y8{p6gx%2ID*{lw^=;6flvdG7p;
zTbM~$_AhsvBBl}6*N;=*6_$T3e6Y$a?fwZS<!!pm7mA)gPr_3?Yy*N=`Uu%+ClePH
z+7=9+lewzxCw~5Xo~G)2!#v>@kvPBnT<je>>*@Ty!2_|n{>eLGJ^S07Zjp*;$J!8*
zaHM1Y@_Ap%_H{uOE+aMxe(w@6W#K>E=Q#;5Fk*WB%444`)3p*3?}g&a$Ku++CxZ9`
zI{iL~J>Mg@jfSa#G0s?Lze^o;*l%k`Tt6)SX@jU!V}Tk*y3q8m;qR5&PR6Yo+~^pu
zg1JB-K-Q91ZM{%JJw?=;%X}{0^zZ&+PL?l19EKIk=swEt5!~ciNx2&UGWE<zW33`!
zZ0hPhq_ouYw8d?@Luyn7_iM%BXZ)Ecm@{2IlIFFtk`Ewelzr0XlG(o1J<=U6oAazq
zV7pS{*AQ0_X%ek@$k_4ECODNE)C&JoQ`=g{6x;uTCBc)zEBL*$!b#KS{_jP?+cJ!c
zx4vcK4|<sQ8N6%xGYoh@{RQUM&@k_p4Hp%r%sUt&mlfXCD0=R`T3K1WJpUIBoCo=O
zu*gO=dssZVJx$4g<BfK<rNe_V7$y2S@HP-m`^oT<=m{lvC8c+!<(n#bMOPhOZ76RA
z?0eR1E`;1H-Z}Hb1@6}e`Fi@1QwLehRj*B%ckn9A%{TrpOXi}00BgE5&%{%@42u)=
zc+t~&wrLV??`k=wUr(gB>W#-bZuQuZQ(-%966=7+NzU~-7nyZ6Ir?2TquHFAuJ%oV
zfP-Gai!r07KAlObA-7d)YL42(@j#?Ha{M0Tgdc%^Nyb%YIL-JEtZh)yw-ucV2w?~Q
z5|JM32hQWe@A-TH(Pui*Lr+KW-ww%lUzK{(I(ZH#+9i$bo0N;VA1R6IFy1!WXKw5y
zk+Gli0zNUa9h2`goM=9~#%y&8SVt+(8%PErSBHNPP+PTRzg9_q$4|e~w(kemo2kY^
zTJEDsY}-Wd{Q241oE$L~WlNv>odUnKSCZ%4rOFA(SPt<5Xdgq_hs^oaLR*`RG;ZlU
zhBt4m1;TYy=?)FgFK>ApmRCkOKz71KO515B^?UNf&c!PV<PXFO&i$L(bI~I*ha=${
zy~w_!1;o8(v~341C|^LFq2@ZEGL;)AJ7sI!q;eFBjpPy=dWqilMr>8qiey<Paam)k
zxui#cm(U-;sXaH)9$Y<5rE%b%pcCxAsv%t=SG$FZ$d;uiPz<vLPEztzNjW9C-Ht>A
zsSUoyypyj+rDXGR5X$&J(+2n!Qj}{}pM2e09n4hCq@GFx^*xZII}{|YI-F9fkTDxM
zN0T`Xz<j1yKevd-X--c|iUUa^8Y*J{z|_LSn7aVN1_s{M<QAdHid;+xDe?)tGj<gj
zt<WW|FDH?+6l$i*d4}<|uAx6G@*R_c+Vto3YBIYW7R&i9iAMM^1`7#2+4<XT*GfOC
z-ct+nDIPC$>jGm1#O+2~^oI~7Mg@((XJLL<Z>u&Mz#8T`66-En3g=Q!u9~FHU73qY
zoJ|HMYQ!5&?e3>R&xU*r7Z(Or0s`NR?64stAkG3xc~sxyW~DC{q*;WLMFEIVY~)20
z2j&^OU|rfLsm|v%D@uDhDdKKQ1T7-H(fdPwY^`2WI?v7iJe({XgZrd1?;ajXd43}w
zFAi(&>=b=gWpV#IR9tP|={iFzmPxWjsUBb*YeTaW-N#f*d_JQH{w(1}t==8c`{a$=
zb#$yHMrjV0^mswqwbqfH;iOeQH1I6bAW1AgW&g?Ukf}z-c!?gCMdzoBG#v3W;umI4
z0MW8;aKFKm?FR?M^4P1QkLFnLAB1i9^v?HW^5+)=SXG}N*LQL;;eRNoPJ)snLh%6A
zj4k31f^~MzO2mZxfBqL~j3m->Lbt}=qV$-a&Vp|&ql*6AkrOQD#n&-gtL|k?I5&Y^
zj9zXApTsW_;)+b~+yd3xqNqok&#Rm_!v{<fM!WUFG|4b@bpd81_Jnij8QNF(3}+4N
zvC!EY=XN;ehw2;@oWu(oVQQ}GeA2)Y{VSg~V$Y**iXC;oL|9(l7dMCOy1z-&-4o`C
zxjW;Jo58H8rSjl)N<Olt(5%q9sC$b#<g0Z@4{kYd{oyG6nU?uQ^rYJ}vV&nvQ0M$R
zf?P2qp$w6#wnU~6f5y8S)DE)%);C*gNJ~qjoa(>2crD^gpDc;u;x8{L6axGi-zUWh
zIA=}qr?+H`?-QuQ93&u{>(1-~R;0Aoe5xq~bG(#7f4=^xMn5$V4M_?N)PE<e(YgmZ
zT0dm`tL^bsd@B0Y_+^aFZ+vDR7HDcqNK6F&`OW$r!7b(#jw(2dSsprzc?o?v-lzQf
zJ9-FbNCk+5<hVT0?Bqr5Gy~3GbR^=NYM(#n`hYPhYK*uvK3Jl)->briIoT`EU8`|T
zANX$^&_kmZ|E<uz*M}q9b16H-w(W{2K9C+G>o62l-_x3?d_ip_=6u*8K+5msaO{Ul
zy69&)@Rnv)1R_v$$_;O2yxKE)tx_hvlKj%s$F@Y{)5UD;GH0J-WdMT!#R-E0W!{dw
z*7Fw(OX>MEqU)zqhAjsZLQXwvf;Op0Jdt=bx5ey7FTYIgr-_?SSHY6w^kmDfnw{%%
zSqWoxO>)P5Q)q*p*zi8@Zo1}|nL65z2txwB%dWq=dpj>~(+$Brx48v!16=UNelMqq
zh$b4%8`>1Pa)}n)*Ff4MSJk^(i9}>`M7?j7Tf;gD6(VFOZSl!Gdm^iBG8c){P(rGO
zQ^~bFbis_ot7&k0jxn|43(wXtb$N3ZJ@WK*bV2l}>yU)AXTa53-<>Wl5Bg_aihyY9
ze*WymFw-&n$AU@})Mc*$b0b)-ls{~XbJ?Rz;D0Lb77vp{{s6R1JAx5SMb;(Rzmjgn
z6=<{gpVoV*;V^9&D@%0MLw|#wQt_w#I28Sw;svHO$9-T-W69f?Obm;5M$EPor+5Uh
zGp`HlJV+nC!Lu`iSemZAd(azPVH1lDt9Ly)dV<dn35e^ru?xI+XDyw0pE0mM8kgs$
zI+s4^yl$e_!vQ=ss%FK|fE&b$^IlQ2da6H^I)&t~K3~TpSEa{zS41wFYT)-tmWXG-
zXHiOD6K!Ny1TU9mXn$rGeKVZ{S*mk;{Y{oDClBi8Yr3W=ilp`HqAk2}!FV}nJJ(2;
zG_<4Ik&$vK7Fpex?Wr}`Tlyeze()SH(ux>5Zl@y^-2uKI@UukQ?HxAW5$mSkN_bLt
zr->3Czji%0NB>z!I3uFQPeZq_lus#nh8~VD1uwEBx0sx!P&jmoWJybRu6@l!0XzMh
zHJ(}1qL7fyX4N$Xjh(xe!bC~2?%^-Sb5TOPaqWi&p%0aFo+GX9;3=h2hcpFo)lp#Y
zk4lXm`vCBj9n<!v2sL4y)6_<Oby+c=5{us4bZJca!$7NoDKEU-W^b@`uJ;E9)md+S
zWJB;=L?rzf80*t+?*iYxpI*@P!cL25n{xUNa!8*Ue@=JzK<a)wKF1h3x{ZpdA&>Yv
zOD?Wmzw5T6{5E#tRCgwKG_ms5lvDzwp??9f5l}AX{)iN*);D8yfN3eVED)tTtgY6Z
zonTUhy^<GyI9I9p5d}q?e_*7dF3U~Mcux?n?_)($kT;84Zu)~LrpI~`LH=L0*)-;$
z+kB6gd*W*k6V9+2P5&ezGJPvc27PWpK+nA&N-O6*yzX#a6=6M}r==TV`7y@*l+^N0
zDsZ^*P~r@1SV+5V@D#0$A-gNdlWj_Sxt<{WKHUX{(#TjbH${J!@sFKvI-zh4&XAqJ
zc{6{h37|hrVvb;3ax!IIw>wlO=tQbu3ppOZ{Wb5PW|OXOGWGr*u%!C^pTRP1NkAdW
z`Ui-3(bv%pyBh3y5Z1ld#N?vzFKJR*8JH4?)y8E#sb_FBU`q^WoWZ5Ib`pMSEHlB{
zD<Xy`l8UsT-c{W{5uzc;ABlVP?bo5cF`Ut>0I&`-<`2q%>k`PirHIMBqQZ<Q(I(Tg
z>zur$JfPvSz9^M%sk+It=x<Y)E8ySA*Qr{8vR3@tkIcFs&h>s!E&kpUi<>3`DAQkw
zb6hnucN@`4u_^}H_&v6TzF0VfRo?KSHv5SC^L)IR3Eu|%7?!MD6IpG(3q`JC-nUbU
zo}%k|8VN4eo@{5i`t4Z0=j>}Uf#pGR{sqUDr?`YoZX*;rb;R-^&p(sDL!jkfe)@Dz
zcTl=g9GPDj{cy!>YlIfn29rNDfONG2Zh}=SvS;aDc9gVE_CXnLFxVR@OuB*WXdquo
zA2{`7?9sSoa_r3l__Xf$V&6^+YiJW5szZj>+RqqI4Au_w?N#iJNlVl^xp(aIFBh2o
zYdHAW55_1?$q|v`r7QO4Do*exkri=IA2P^f#(r&F`^uVy;k?~cuk?KbqMn7f(SwBA
z{v@8cgBtID41P93YKDf!t(wY|nd0fP{T1x?LB`5*IHEa}<MvV<C~JL0s57wmH&a|1
z{xXn9;)>}?3_h^MLIAZG+%_Ru%;A|dvoHnZ3wh)&gZ+zj)BG)oXP=MD+u;?5PdFPK
zX%z_{)}YMjeFURD+z8cyB_8z=CaOuiIslIntz)GcrQ9u9{*2j7jKuqXepMdC##Ru0
zLV3k>17O8O$>Sj<)RWxlLBTv(XB(s^ar#RD1JZU~()5il5Z5gN&H)Z$l#{y}$7hLz
zH-Y|fX)@=B66#U_ajP~%4fOk=>Mpi0yzAi3u~BmR)FCyAFcXkd*kxK<D}+W(R<-&3
zn(-1B4`Jy^;+5s25_&@Zkq~2dLF2qm*-p^BZvb+IWNJw}Eo^opw#VJG)Un}a`iAn;
zJMrH@XI9Cok#Z}GzARuhDMuvU(4CCL+An%N9`WFu&aYdx@sLiQ74%-*Y9S=iV2IwV
z2Z?Kp9c7LWI|4yw;wg@PB#3hRV43rX2FQUD*)g3fl2jKyDMV)sl%21rj7Cm}WTou6
z9T(f<XAv`32g1ikpGl=6+}^ZeEMSCsd>Ny7P)JVjv~4IVlnI^GoW2cSx|B9K;-QeF
z%Mg`sEuW<?<*;wN<njT1H28c%qlD1h7NJjexfduO0{|2r<9AS5t2B{7=f}GRF=eE4
z35Ot+If<vA8(({cgK~xTA<a;fb7?Qp%HD1z(gm;mVE1=j0m}o&ylC|5N6y%y)WDAl
zv2ld1J3>Y6b?p4sawF}x!jTkdD&edv9f<qKRz3<?^T<;Wh5DY;D%oOWm^xW@>`+aM
z^;?}az=np@<6G3;w&}<?J!r*7L!TttmNCe^b=-`r*im?k`&%(%utXkRJ-_hqk=|^V
z^3(h1hXEy(&;au+rOG~0>WqxmqlUOhimu_k2R|*f+mBcbWd$O-kf_G?%Cs2?rX2r>
zZ%4(8bYBV%SutOHVRdvdKKYa4H{)rPd7GqH0&#~$AhYq#k=bZ?WTCTRlZ1Fx(?a3Y
zw~U$Ap=O#VAe<s1=~qXSEPJzwtRRvgYMcI@sbF7nIIrM-u;k}oBbzIp$N2S48$CA%
zebd%%m^{6cxPDjT+l(Q~Y0*PH^}mZ8HXIoYY?OjOlUj`{8ZDUj;01o4a)WZB%=K?k
z0q%uMY+7Jq7W^cBcmWEIorQyR_%M3Tk_tQOWd+9ZD<ZLtV(zFD((Y7Y$fg6I?x@AW
zP1sOa>7hIDQH{+erM(D*y2ruM3DAt6ei3jU@79pVg^-Obm-7o>4m<6?MOv(vXFv8|
zTD&=@{32Fvj8fp7=ftaJKb&+odDTm62b!O!Kr^0ly==Ss+KNQmvAbfsUq&zKw2d6=
zEndf+EB4?%XTO(;AYSz>8<9oe)d~An2>v}KS6Oj>6A8Q?mvTC%6!l}CB)cw?E3R!q
z`;6MjEH+RnG(-{+lNTk(wUaL2xH9}}FW4Y7<c6^&QLkMZ^-syLy<Q-42w63AGC*Wr
zi_{&CX2R2SY=@RAK=>-!QgibhC5Hs<VkYv79LupHk|rLht>Kq_$Q?_GR&6QC(>H^H
z9j)`=9@Wh0$}#H@@nC&hLr_gH{<qh&Z%&<fFgg>QdOD)-de};`zbP=drv^|RP08s#
z)u1yg@R6uQE>m;vbpLp6=F>(<Km%rGQ-)kDcK@U=?5zH~6EBVY`^If#UgRJFJ14QE
z@F2?4=4bQBZuGwYQQn<bXmKWh_|RZexj9LzAG`up>3v(wGCZNA4263gWSu@cs+DJ=
z*;ZE<&KujswcIFafNLfAk0igKOKgXnR-%7gr)Z?XJDTL+3`QciwL}<U;J@c(C%(wJ
znd75jk{O~S+R8*x>L&D+yot5-rhkXoalz9rbW;j`z<|^XL9TP9Y>-`)osu019*zke
z21Eo01&d2RcMZQ)r6#0LY1N)pA#{3pGJyn(d+^i~-y72|wlHU#>CX_nOr1T34T6CV
G&Hq2)5q}>5

delta 4592
zcmV<M5fARLQ@=nxFoGaE0s#Xsf*<q-2`Yw2hW8Bt2LYghALRssAK@^9AKfs54tWL%
zDuzgg_YDCD0ic2oY6OA~W-x*dVzE7B4jd6&1_>&LNQU<f0S5-4f)PzHf)Pmq0RS+9
z5kiwr6div-RA1~Nl5FMIt2$@sHx9fb1^x5_0|3KNfPxVS>-?D4sLeE-zv3Q_+Q-wI
zJ`r?l`Vo@_qxj@Qpk0scSV(|(C;_4-D{a*`3piX)d2`Wk9f}OFq+XrB7-CXLnWAUo
zpeNIX3ywD|di6=2w(yrZXVxU8HvF-}d_LoEq^y4c85dC3ZPPtQ$WBw_P6jN1ur@5g
z2;_TGBKd=Y2QUbLOlGGI`Xx~{Y${x`^~Ho1T6{FeWAz;b|AB280(Qyb+x7({>he$Y
zeAJ2ImU&SG>47T+!BS-LRGq#nUPK)KkXr>+a7UJL{`<*D3p4<+1~EGjt{>6_>Pe&K
zMd5!xu?!)`W~8#5>xcCKGQE+@E}QK}3u|_t9)Od!C`HbvvnvavqwoimZ@-9EZPp;g
zqMulw<BRx7#3tJ#5Urr`)n-U*)z_HI&=$q-@Oryp$3KD=agY_q6TggLm2Ntmyf3q>
zvbL9-dcR2q=x7662LD@&4~onjuNiX8q_Te$t8aB+(y*quzXA^nUBnXwKw6SP!ZpYi
zFY?33c=H``wm$tMOud9AwAn<aa_rO#<D8dd<N`A}q0+mUFVU8fJHGMx-rphe3?^hn
z65!}#ZBQK4C$Ox?%?EDGUnXCafjzAzSs-CTkh37-v8p5Icy{6gZq2bfL~+OHp38sW
z0@bSJ_Ym2pvCjw`;H`zg?Z$utsddFEQF5T<*D#YYBz|9GIZ~DqIXlwimGT@>N9rnu
z5cTRbD>y;fr|CY#8~GyE|9?>A7Vt;lxcbJSTMiNxSarZEd9xOK2;e~~9<E3g#1n39
zy>K)69)1s;YK_LkONIy6XH1ZfSOb4RYBja(%F@XX@&zEF-*7(K3|0=#Jp8j+*Polv
zEt?1+q+Vk5#z#%h+TE@-*}+s)AQrb%9F<4Ox5xM4$np=ieQ=sz2l%RiERGf#*>n5a
z(VLnwI<xtmu3*8uQT$(b&U2Q9GwK;VEt{j7lJ-Cu&dgkXrvEH!Z>Ge`tTTUnVqc)?
z8B!U>KEnLS8%Vk+Iq^J5%0QrIKl3%mOm)cUU`j8=pA^BHrP^ffh7Q?+G<J~kwIb=*
zcsAPinW|h#&-b6P*uQGii^O#gGtrU#x}$n&=S_#DL`e6Sh@9G04WHr-@8o~ICh2<J
zV$Bz{k~fvG_eM!Gzso3H1`L0BnoH9x47>QX>&|pjR`Me?`_Qq;EX3jxSkihU)2wfa
z%N8U=GSIHRk62!%*0&f`^{F=&!?zMj)4)v@sYluyMXE55z>>7+?(%Tl`4f^P)tn*b
z3%V*FTWR4k!j_`Jn%uo+&>;)z^3Ez~nqRf=+%4h@&&)Zl$w3kS`r3cn|L|?@V}zjE
zA7>z5G%E!(?GcU1Dduy-*kRW55N1gTV%J^w3_mG0{5VMlN(Pff$I3kRtNP{MkJNWG
z!<IfpaU6UWR0H93Vq6%2|3}a@U+Lq4Amu&UPbw=%viL9^55_T0_O53-4ZxxPniBzK
z*H{W)a&@d=hw4dKVzz%AwuMo{NS+<}X`sWT%pqmXL-BYDx5qPPfcPm7Ch!K<wi=k1
zRPC^LwY0`%wG5El#x&hyu}!*+dJZYeF!jLy7@EbwC&}%YqqFT^s(BHU(5U%dR*1n4
zc!v8z5N*4h{HKY3RjaYBa)q~_0U0S`0O-{l>+c~)gN`U~81;WghH6qR{alPDU;RKG
zWrd#m&D%vw-^x<pmi7x-P1MW99>;{lrWO?ewl7ie+C*mW!HOQyNl{Xxx<paD6J?5R
z2NpF9KMUzj*c#g?`obwl&AuM9Ix}_xfwzI$;}LSJcFWTEfKD#X_8PZ~rY_S{D58~x
zf#EQ<hz3u|9@Kx(sT8^X5Zdu)$t)AUV&P-mg7dEUo8Ys|<_X?68;0H4IbFtN%wbxj
zQS*k?vIZw$2X=lLo$IGAf5rMG=&;Y%AC<h9mxRE#DlRt|(hePdhS~1~cRRfxd^my?
z!<u_nm@#jYO{ar0xZ<oEZ`C;IoF>-=NaTg=3n|`R?g@XjB^x)grN~Qsa?iM0-tvB|
z8M~(%(0Xdt)J5TRU^@cs&jtCgH5Pcuq>}*7ACZA)r7baP0t%3*#0-JlBXpbxypJu6
zcvq`o4INB}NU+p}%VLh#Ab!G~=`Dr4ei=MiVG737(53b***z7>MI{W5IV*tyH3V=9
zZw=~OS~Y*xZ>lKRRy={~Cbo)+ZX%*3lRb=eM#16j`r*bQefW2XfpySrBkZ#^v!rwg
z(GqbYP~;LCeF7vhnpEyF_=EFQ`tPL0De+a*zWPmAF9frs_PLDxZd;snFAon0od*v=
zUv27ex+!p?JIw9#7``hLumDlu2wc&%pq6zdbtHd9(&?5rH4$tF$)f+RvmOPK3hcGB
zm2EeKy~6YIV`qLLi`+&Yel~QJLqzY=0n}nFgl^!%yPfOLqQjwg3LG=GYHKtmDjw;l
z5^N>ZOLC3cUJc>6+JRMgR%LP*Y<v0-8!wD^xZ=9?Kqd`=i{#j=_9aX?v{*}-&Jni9
zzZ-u?k{^fKCYR;1gG#&YrHC7}1{i9T|A^WVwL##nzp7C%10gNvGWR3t7Q?X?s>Uh|
z@1(|o%xmbfIvLxx{!Pk|DxV5dq%wc1VR37M7*N|Qr$QR7n@g{lDu4zfw^|v{-gvvF
zsRq=}W55*9^lbLof{%c=I@TXKUoRd9R$+g42jr=3)3`DV`a$QGWNN}bDR^P=nCb;;
z7ck`7^gTdNK?C@Lk|Qyrf<`ZIyZ3nAfc#Lq+3`iDrUps)P3b`fHf(w@$Ux$h7-tvL
zM|_B}us5n}h&c(fHHO}z2dQojY4-@6!a?@I^Euct^YqmsDp#gTmw>|vUhm3v9H@UI
zAV*wPvy#{33ygiv^2wApO^@SQ(08~Hc?qY)<L64}&W2ophgMVpIwKSfrBkslj$}q7
z-ukRDlPrq2%IR2x%yXhCP($#m0&T?YTb7yT`7jXY;SVPne+cgU(qrla4#yp&caR2z
z75_K#M_~F<LK1Syn(@|_<Q?<b0Uv*t-CnPd#DtK{nInH``lNPeJ9>^?MD`_#`~mGq
zfa)V;Eu2hqh~Cc#N4EI$sNW0DUqx~HC2*33@6SV78I&mc<uQs~GyEOs%i12c=T&4i
zXV6ED5_s<3jX=)A?6Fgp(C@t`nI6kkLRLlBar#u<;Pb&;gUHclVv%p#;d_4}7_?R9
zTNWQ$X|!85JgJgW@U1`)U(cXuU6BOU2LK^+r8iEe2UMK!C)XyR;`4YID8RXqW$+j$
zJ@QxFmo6DFe}8eBRN8zWGo*_MI0d%FuKVmcEkAf^2SWyCmVNyPxu9yDi{nNjcZ*$;
zqcLRa`C&FXhfOvIey7!;kzRjsMF5<}G*u%pV-)4`E+=<mpT5_$WFJ|<zMt}<!VxG*
zq5$_0^qJ-~3L3mB$Wzs9J`%?g3Zf&akiU-|mt$AgEo{{*^)08hYYL77%s!6}gl@h0
z=3PjPUNi%}Rx*Ie6EDoCkG?1iNv>`vgwWNM!k-#9nW*^|H(j&2kWGKP-7otvjRJ?=
z(j)r*v}V#tif>jG$V`}n9eN*I=GPUXi7X{f+)wX^(4LpxCysK(%5gLhOX-+;w2*CL
z*iDAhGl$7)8UtD%tWRYpY#I@FFiOs)U$UB+n9UbjM$ekpAUL<t%yza}=o!ojJCGb#
zYRhSAV#2x^F2M<&P4s^zVg^n>ilrPlAXXnr7}$0_+SMcJUS?7lI!CLtI3dONSnR+}
z8+^q^m=2Vn%;01obJo<{!(Q=FzhSsBcky{YnAetpoO=0ceq@%51O`XE=t{@6-N6*b
zd1V4OoddjaXD~=$a4?Q!qbCI?m@G+&F2yhPc=i6omkUb5crSmSLOf%*r!5r&;Pz1a
z5Fe&MR1`gcp8LaI)HzScS0+HEfEWLpy4PtbP8WF)-iEGP)y4r*7b37N@eRg<t?4Pm
zVbE3Oy;8Aa6`fB5wDZcK98%Y|&2zR2jt?g1AK082Vo;n$0peU>0xJQD5U=;zfU=7a
zyEcWtodPHOVs3v8vReK64#%9m0pVAzV3W}U0wV^X_%W;?+?~m6g#q~Xq071BW+fwx
z%Uv)PUILEi#gi+N131pNDrPnqH?sf+w2m}epn1#rbT7yiXDm7k?3-#?D$-%(vsxlV
z3O^!CAGOa90$J!3`myb*t834{P);E_6=L6pt?nLN{pWvY&St;;H*#Ch4dUUS@SuBt
zVB}82aNGw{%|Pg(f+AeB@U&;H)1B$2O03$F^?15^*|AsEgQ1b_xRKHeJ!-sPus0+*
z59;;8sm>a^SM~yXONc1?b-05>8NN9HayF8IA_z#Fz~G#0iq<mE2?tB8!jh7qO>B(`
z7}0O{n<IZNrLF}yB_1>_TBTq8w~RWq5neb*XyG;^ZD96JlB=a7avx!>wRYUe;(w_c
z$np;&o=s-Tu{d#T0*X*_MoK7Uu8*alq5U%d+esV++&mMK2X13E^K6g47$wA8Y__iB
z()UZnMgk?}Llx0um_gCI{_Cs|5sCT3W%JRAWm$g;BJwi~u`4}*`>h;)%=RW$T+aWa
z9EK<yMqZEsl-c?agq4vcLm{?Hpdj3%Ng4T2c?bh4E?fe6LbCWKi2ack>N@5Z59*Pw
zjb(T9eX!8mqwu;#yW_iNhq%@ig;cA4>SquR?wc$KbFUVv^ik%D`zN8z^Y~*VdTi~4
zG4Ox8A2lcGrJuMbuB8{fTl(Fd43q}6-+VV(Q`Td2Di>dnT94ZE3>V-uCMvPxjQK=j
zHnKm{=uo?HzhWC3s&%YCiTasCbgmezo3)JB59{q@Ks-zT<LmiIGGRG2?w^6}YGVVi
z*kUGu+cA~Lt!ehMNeQP@i>7tb&_w-rUfF-4qo*9bA>5|7a_BGmT(8`qSI+t4Pl5L+
zp{^R4bjp_Pq87&TaO8UVg4i}h_6`&IrRU3g-{d=F?b+;hSebL3cA5h;T9NQ7ZZISe
z5gK%~TPS=Yi?rSQSsjnu&(j++kr)|a07!Z)uOrRy{mSq*X4f%B^Er!JLRE-E)x&>!
z%J9MILrB$`okG(Y+=M2?QwQHThS(w?CPA0zqdH{Kg!XzjJ2ltp{-gtVw9mB`)KUhh
zI8Cr+0)A;~8bPwN#Fe@pS|}~d+y?m6;B1xilWhntESh5-U>aQsAe~+>$?v4`|I$4f
z+{=!APg~mn*s7iy0fR~#9x^V$=!t)9z*Hnuq+O9#r2Zi%n5YkwnuaD_B;mI>Kf0f>
z!K@e+fF1cOeROJR!e!;D!ggk~<FZ&<T;F7OMb#>TPx%zf8D+}edea0euBgy*h9$f}
zIXn(fE%VpXihxDV3lHCFx7^B-w44wu(IXCm`UTheSO1iPXTSj7pD##lygYxS=!Y}Z
z?Yzh`#LxTD41%_Fe{F1gwfYC0ANFf!05)o?_fNQ_I5z5}@=5DwA!{A(_wQ810+SXx
zm2faz3Nn7Y^PGL8rVI$zH-k8c$5!0zSG4RvZ%*<){bM;F&~M7Vn`0d#iR08bG>6@D
z3G4~wN=`pf@HE|htAn~za1VdZHr96j4){}8nZC*JpQj*uT1m=p0V!)e1ld(77Xf1(
zhQQ*H-NiF!IU^YQhx(rCT$;ss0!v{xqQOxOn|MibgkAb@MVeG`oNO~{N~KwI!z5bM
z(w=JUm%%jl7QpsNTyZH6FKY!&UnCEn`3Xd}p;h7|5U}qi`XM^*$Q*wY33K1nt`BAb
zASijmW)wuq%kewgizqa>L64b-!D*3V%2E`o>-Fx)3{iR?AKD)8Qk)fn1<n!oxP^zY
zLXUY>-p`w5L-Q~`Fd;Ar1_dh)0|FWa00b14yi>Ol_KGBs*;vp@uid2qDqti86x2X@
a9>!QlC<C2&A2&iQ`(y}KPFey30fwMp3Bw5h

diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
index d868e2b4a9c..1104dbd19df 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
@@ -49,6 +49,7 @@ import java.util.Objects;
 import java.util.Set;
 import java.util.function.Consumer;
 import java.util.regex.Pattern;
+import java.util.stream.Collectors;
 import javax.net.ssl.CertPathTrustManagerParameters;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.KeyManager;
@@ -58,7 +59,6 @@ import javax.net.ssl.SNIMatcher;
 import javax.net.ssl.SNIServerName;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLServerSocket;
@@ -2230,7 +2230,7 @@ public abstract class SslContextFactory extends AbstractLifeCycle implements Dum
         }
 
         @Override
-        public String sniSelect(String keyType, Principal[] issuers, SSLSession session, String sniHost, Collection<X509> certificates) throws SSLHandshakeException
+        public String sniSelect(String keyType, Principal[] issuers, SSLSession session, String sniHost, Collection<X509> certificates)
         {
             if (sniHost == null)
             {
@@ -2239,12 +2239,24 @@ public abstract class SslContextFactory extends AbstractLifeCycle implements Dum
             }
             else
             {
-                // Match the SNI host, or let the JDK decide unless unmatched SNIs are rejected.
-                return certificates.stream()
+                // Match the SNI host.
+                List<X509> matching = certificates.stream()
                     .filter(x509 -> x509.matches(sniHost))
-                    .findFirst()
+                    .collect(Collectors.toList());
+
+                // No match, let the JDK decide unless unmatched SNIs are rejected.
+                if (matching.isEmpty())
+                    return isSniRequired() ? null : SniX509ExtendedKeyManager.SniSelector.DELEGATE;
+
+                String alias = matching.get(0).getAlias();
+                if (matching.size() == 1)
+                    return alias;
+
+                // Prefer strict matches over wildcard matches.
+                return matching.stream()
+                    .min(Comparator.comparingInt(cert -> cert.getWilds().size()))
                     .map(X509::getAlias)
-                    .orElse(_sniRequired ? null : SniX509ExtendedKeyManager.SniSelector.DELEGATE);
+                    .orElse(alias);
             }
         }