dev@grizzly.java.net

Re: problems of the SNI from Lee

From: Lee You <lee.y.y.you_at_gmail.com>
Date: Tue, 3 Feb 2015 21:25:55 +1300

Hi Alexey,

Yes, that is true, a specific SSLEngine is needed before the SSL
handshaking.

Adding an interface in SSLEngineConfigurator/SSLContextConfigurator/a new
class to support a custom KeyManager is really a good idea; then we need
not care about the keyStore anymore, and our Grizzly will be more
flexible.

If there is any sample for it, that would be great!

Thanks again!
Lee


>>>>>>>>>
Hi Lee,

If you could set the KeyManager for SSLEngineConfiguration, would it help to
solve the problem?
What if, inside the custom KeyManager, you knew the SNI host of a specific
SSLEngine (before starting the handshake) - would it help?

WBR,
Alexey.

On 3 February 2015 at 12:36, Lee You <lee.y.y.you_at_gmail.com> wrote:

> Hi Alexey,
>
> Maybe it is a general question, because we have to convert cer certificates
> to jks keystore file(s) first before using them for normal SSL access.
> But, in SNI, it is inefficient/impossible when there are a number of
> certificates in that file(s).
>
> So, we need to switch to a different certificate directly in the SNI. There
> is no class to support it; we only have the setKeyStoreXXX in
> SSLContextConfigurator for the keystore.
> Currently, I am trying to use KeyStoreSpi, but I don't know how to
> integrate it with our SNI. Here is the KeyStoreSpi URL for your reference
> as below:
> http://docstore.mik.ua/orelly/java-ent/security/ch11_03.htm
>
> Meanwhile, I am also trying to override the @Override [public NextAction
> handleEvent(FilterChainContext ctx, FilterChainEvent event)] of the
> SNIFilter, to switch to the matched certificate directly instead of the
> SNIServerConfigResolver, SSLEngineConfigurator or even more. Is that
> right/correct? What do you think of this? Do you have any good idea?
>
> Thanks!
> Lee
>
> >>>>>>>>>>>>
> Hi Lee,
>
> Do I understand correctly that now it's a general Java question, rather
> than Grizzly, or you know how to implement what you need in Java and
> just don't know how to do the same in Grizzly?
> I don't have much experience in the security area, but I remember I had to
> convert cer certificates to jks (using Java keytool) in order to use them.
>
> Thanks.
>
> WBR,
> Alexey.
>
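The custom KeyManager Alexey describes above, as an added example that is not code from this thread or from Grizzly: a plain-JSSE X509ExtendedKeyManager that reads the SNI host name from the SSLEngine's handshake session and maps it to a key alias. The `delegate` (any X509ExtendedKeyManager, e.g. from KeyManagerFactory), the `hostToAlias` map and the `defaultAlias` are assumptions; how it would be plugged into SSLEngineConfigurator is exactly the interface the thread proposes.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.*;

/** Chooses the server alias from the client's SNI host name instead of a fixed keystore entry. */
public final class SniKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;  // assumed: owns the real keys and chains
    private final Map<String, String> hostToAlias;  // assumed: lower-case host -> alias in delegate
    private final String defaultAlias;              // assumed: used when SNI is missing or unknown

    public SniKeyManager(X509ExtendedKeyManager delegate, Map<String, String> hostToAlias,
                         String defaultAlias) {
        this.delegate = delegate;
        this.hostToAlias = hostToAlias;
        this.defaultAlias = defaultAlias;
    }

    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        // JSSE calls this after parsing the ClientHello, so the handshake session already
        // carries the SNI extension the client sent (Java 8+ API).
        SSLSession hs = engine.getHandshakeSession();
        if (hs instanceof ExtendedSSLSession) {
            for (SNIServerName name : ((ExtendedSSLSession) hs).getRequestedServerNames()) {
                if (name.getType() != StandardConstants.SNI_HOST_NAME) continue;
                String host = ((SNIHostName) name).getAsciiName().toLowerCase(Locale.ROOT);
                String alias = hostToAlias.get(host);
                if (alias != null) return alias;  // unknown hosts fall through to the default
            }
        }
        return defaultAlias;
    }

    // Key material and the remaining selection methods are forwarded unchanged.
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return delegate.chooseClientAlias(keyType, issuers, socket); }
    @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) { return delegate.chooseEngineClientAlias(keyType, issuers, engine); }
}
```

Passing `new KeyManager[]{ new SniKeyManager(delegate, hostToAlias, defaultAlias) }` to `SSLContext.init(...)` lets one SSLContext serve every host in the map, so no per-host keystore juggling is needed at handshake time.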