dev@grizzly.java.net

Re: problems of the SNI from Lee

From: Oleksiy Stashok <oleksiy.stashok_at_oracle.com>
Date: Wed, 04 Feb 2015 17:37:44 -0800

Hi Lee,

did you try to create an SSLContext with custom KeyStores and then pass the
SSLContext to SSLEngineConfigurator?

SSLEngineConfigurator configurator = new SSLEngineConfigurator(sslContext, false, ....);

In the custom KeyManager implementation (for example you can extend the
X509ExtendedKeyManager), you can choose the alias for the SSLEngine before the
handshake happens:

    @Override
    public String chooseEngineServerAlias(String string, Principal[] prncpls, SSLEngine ssle) {
        // return the key store alias of the certificate this engine should present
    }

    @Override
    public String chooseEngineClientAlias(String[] strings, Principal[] prncpls, SSLEngine ssle) {
        // client-side counterpart; return the alias of the client certificate to use
    }

The Grizzly SNI Filter can pass the SNI information via an
sslEngine.getSession() attribute.

Want to try that way?

Thanks.

WBR,
Alexey.
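As an added example (not code from Grizzly or from anyone in this thread), this is what such an SNI-aware X509ExtendedKeyManager could look like. It assumes the SNI filter has already stored the requested host name in the engine's SSLSession under the attribute name `sni.host`, that `hostToAlias` maps host names to key store aliases, and that `delegate` is the default key manager built by KeyManagerFactory from a key store holding all the host certificates; the attribute name and the map are assumptions.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

// Hypothetical SNI-aware key manager (added example, not Grizzly code). It wraps the
// X509ExtendedKeyManager that KeyManagerFactory built from the key store holding all
// host certificates and picks the alias by SNI host name. It assumes the SNI filter put
// the requested host name into the SSLSession under SNI_HOST_KEY before the handshake.
public final class SniKeyManager extends X509ExtendedKeyManager {
    public static final String SNI_HOST_KEY = "sni.host"; // assumed attribute name

    private final X509ExtendedKeyManager delegate;
    private final Map<String, String> hostToAlias; // "a.example.com" -> "a-cert"
    private final String defaultAlias;             // used when SNI is absent or unknown

    public SniKeyManager(X509ExtendedKeyManager delegate,
                         Map<String, String> hostToAlias, String defaultAlias) {
        this.delegate = delegate;
        this.hostToAlias = hostToAlias;
        this.defaultAlias = defaultAlias;
    }

    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        Object host = engine.getSession().getValue(SNI_HOST_KEY);
        if (host instanceof String) {
            String alias = hostToAlias.get(((String) host).toLowerCase(Locale.ROOT));
            // Only return an alias the key store can actually serve; otherwise fall
            // back to the default certificate instead of failing the handshake later.
            if (alias != null && delegate.getPrivateKey(alias) != null) {
                return alias;
            }
        }
        return defaultAlias;
    }

    // Everything else is delegated unchanged to the wrapped key manager.
    @Override public String chooseEngineClientAlias(String[] k, Principal[] i, SSLEngine e) { return delegate.chooseEngineClientAlias(k, i, e); }
    @Override public String chooseClientAlias(String[] k, Principal[] i, Socket s) { return delegate.chooseClientAlias(k, i, s); }
    @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return delegate.chooseServerAlias(k, i, s); }
    @Override public String[] getClientAliases(String k, Principal[] i) { return delegate.getClientAliases(k, i); }
    @Override public String[] getServerAliases(String k, Principal[] i) { return delegate.getServerAliases(k, i); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```

Install it with `sslContext.init(new KeyManager[]{new SniKeyManager(...)}, trustManagers, null)` and hand that SSLContext to SSLEngineConfigurator as described above. The `defaultAlias` fallback means a client that sends no SNI or an unknown name gets the default certificate rather than a failed handshake, which is the behaviour to check against in your logs when a host mapping is missing.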

On 03.02.15 00:25, Lee You wrote:
> Hi Alexey,
>
> Yes, that is true, a specific SSLEngine is needed before the SSL
> handshaking.
>
> Adding an interface in
> SSLEngineConfigurator/SSLContextConfigurator/a new class for supporting a
> custom KeyManager is really a good idea; then we need not care about
> the keyStore anymore, and our Grizzly will be more flexible.
>
> If there is any sample for it that would be great!
>
> Thanks again!
> Lee
>
>
> >>>>>>>>>
> Hi Lee,
>
> if you could set the KeyManager for SSLEngineConfiguration would it
> help to solve the problem?
> What if inside the custom KeyManager you knew the SNI host of a
> specific SSLEngine (before starting handshake) - would it help?
>
> WBR,
> Alexey.
>
> On 3 February 2015 at 12:36, Lee You <lee.y.y.you_at_gmail.com> wrote:
>
> Hi Alexey,
>
> Maybe it is a general question, because we have to convert cer
> certificates to jks keystore file(s) first before using them for
> normal SSL access. But, in SNI, it is inefficient/impossible
> when there are a number of certificates in that file(s).
>
> So, we need to switch to a different certificate directly in
> SNI. There is no class to support it; we only have the
> setKeyStoreXXX in SSLContextConfigurator for the keystore.
> Currently, I am trying to use KeyStoreSpi, but I don’t know how to
> integrate it with our SNI. Here is the KeyStoreSpi URL for your
> reference:
> http://docstore.mik.ua/orelly/java-ent/security/ch11_03.htm
>
> Meanwhile, I am also trying to override [public
> NextAction handleEvent(FilterChainContext ctx, FilterChainEvent
> event)] of the SNIFilter, for switching to the matched certificate
> directly instead of using the SNIServerConfigResolver,
> SSLEngineConfigurator or even more. Is that right/correct? What do
> you think of this? Do you have any good idea?
>
> Thanks!
> Lee
>
> >>>>>>>>>>>>
> Hi Lee,
>
> do I understand correctly that now it's a general Java question
> rather than Grizzly, or you know how to implement what you need in
> Java and just don't know how to do the same in Grizzly?
> I don't have much experience in the security area, but I remember I
> had to convert cer certificates to jks (using Java keytool) in order to
> use them.
>
> Thanks.
>
> WBR,
> Alexey.