dev@grizzly.java.net

Re: problems of the SNI from Lee

From: Oleksiy Stashok <oleksiy.stashok_at_oracle.com>
Date: Mon, 02 Feb 2015 16:12:45 -0800

Hi Lee,

If you could set the KeyManager for the SSLEngineConfiguration, would it help
to solve the problem?
What if, inside the custom KeyManager, you knew the SNI host of a specific
SSLEngine (before starting the handshake)? Would it help?

WBR,
Alexey.



On 02.02.15 15:36, Lee You wrote:
> Hi Alexey,
>
> Maybe it is a general question, because we have to convert cer
> certificates to jks keystore file(s) first before using them for
> normal SSL access. But, in SNI, it is inefficient/impossible when
> there are a number of certificates in that file(s).
>
> So, we need to switch to the different certificate directly in the SNI.
> There is no class to support it; we only have the setKeyStoreXXX in
> SSLContextConfigurator for the keystore.
> Currently, I am trying to use KeyStoreSpi, but I don't know how to
> integrate it with our SNI. Here is the KeyStoreSpi URL for your
> reference:
> http://docstore.mik.ua/orelly/java-ent/security/ch11_03.htm
>
> Meanwhile, I am also trying to override the @Override [public
> NextAction handleEvent(FilterChainContext ctx, FilterChainEvent
> event)] of the SNIFilter, for switching to the matched certificate
> directly instead of the SNIServerConfigResolver, SSLEngineConfigurator
> or even more. Is that right/correct? What do you think of this? Do you
> have any good ideas?
>
> Thanks!
> Lee
>
> >>>>>>>>>>>>
> Hi Lee,
>
> Do I understand correctly that this is now a general Java question, rather
> than a Grizzly one, or do you know how to implement what you need in Java and
> just don't know how to do the same in Grizzly?
> I don't have much experience in the security area, but I remember I had to
> convert cer certificates to jks (using Java keytool) in order to use
> them.
>
> Thanks.
>
> WBR,
> Alexey.