dev@grizzly.java.net

Re: Grizzly 2.0: SSL support

From: Alan Bateman <Alan.Bateman_at_Sun.COM>
Date: Mon, 19 Jan 2009 10:29:43 +0000

Oleksiy Stashok wrote:
> cc'ing Alan Bateman, the leader of NIO 2.
>
>>>> Can you describe what you need to create inside the
>>>> createSSLContext()?
>>> Currently, for the unit test, it looks like this:
>>> private SSLContext createSSLContext() {
>>>     SSLContextConfigurator sslContextConfigurator =
>>>         new SSLContextConfigurator();
>>>     ClassLoader cl = getClass().getClassLoader();
>>>     // override system properties
>>>     URL cacertsUrl = cl.getResource("ssltest-cacerts.jks");
>>>     if (cacertsUrl != null) {
>>>         sslContextConfigurator.setTrustStoreFile(cacertsUrl.getFile());
>>>     }
>>>     // override system properties
>>>     URL keystoreUrl = cl.getResource("ssltest-keystore.jks");
>>>     if (keystoreUrl != null) {
>>>         sslContextConfigurator.setKeyStoreFile(keystoreUrl.getFile());
>>>     }
>>>     return sslContextConfigurator.createSSLContext();
>>> }
>>> There could be different ways to create SSLContext... Grizzly 2.0
>>> just has a helper class SSLContextConfigurator, which makes
>>> SSLContext initialization easier.
>>
>> Just out of curiosity, have you tried to talk to the JDK 7 team to
>> see if this sort of class could be part of the JRE? I've done a
>> similar interface (and classes) which I've called SSLContextFactory
>> in jSSLutils [1] to help with configuring SSLContexts, in particular
>> to configure the CRLs more easily and to be able to tweak the
>> TrustManagers. (By the way, this is already in use with the Grizzly
>> connector in Restlet.)
>> I mentioned this SSLContextFactory on the OpenJDK security mailing
>> list a few months ago, but I haven't had much feedback. (I understand
>> that they probably have other priorities, and this is not an
>> emergency indeed.)
> Interesting question.
> Alan, are you planning to improve SSL support, make it easier to
> configure for NIO 2?
I assume this is asking about initialization of the SSLContext, in which
case, Brad (cc'ed) is the best person to ask. At this time I don't think
there is anything planned.

As regards NIO2 - not directly but the new AsynchronousSocketChannel is
a lot easier to integrate with SSLEngine. I've been talking with the
JProactor guys (Alex Libman and Yevgeny Libman) as SSL is one of the
main use-cases that their filtering approach can be used to address.
Here is a recent proposal from them:
  http://mail.openjdk.java.net/pipermail/nio-dev/2009-January/000339.html
They have an implementation in their repository as well.

-Alan.
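As an added example (not code from Grizzly, jSSLutils or this thread), here is what a helper like SSLContextConfigurator does under the hood with plain JSSE, using the two store names from the unit test quoted above and producing the server-mode SSLEngine that a channel integration would drive. The store passwords are placeholders, the class name is invented, and the loader fails when a store is missing instead of quietly falling back to the JVM's system-property defaults; the try-with-resources syntax needs Java 7 or later.

```java
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;

public final class PlainJsseContext {

    // Placeholder passwords for the example; real values come from configuration, not source.
    private static final char[] TRUST_PASS = "changeit".toCharArray();
    private static final char[] KEY_PASS = "changeit".toCharArray();

    /** Loads a JKS store from the classpath and fails closed if the resource is absent. */
    private static KeyStore loadStore(ClassLoader cl, String resource, char[] password) throws Exception {
        try (InputStream in = cl.getResourceAsStream(resource)) {
            if (in == null) {
                throw new IllegalStateException("missing store on classpath: " + resource);
            }
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, password);
            return ks;
        }
    }

    /** Equivalent of the test's createSSLContext(), spelled out with KeyManager/TrustManager factories. */
    public static SSLContext createSSLContext() throws Exception {
        ClassLoader cl = PlainJsseContext.class.getClassLoader();

        // Our own identity: private key plus certificate chain from the keystore.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadStore(cl, "ssltest-keystore.jks", KEY_PASS), KEY_PASS);

        // Trust anchors used to validate the peer's certificate chain.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(cl, "ssltest-cacerts.jks", TRUST_PASS));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Server-side engine; a non-blocking or asynchronous channel feeds it via wrap()/unwrap(). */
    public static SSLEngine newServerEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        return engine;
    }
}
```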