> From: Irving, Dave [mailto:[EMAIL PROTECTED]
>
> Ok, I see. However, even in this hypothetical case: Wouldn't
> you just configure SSL at the port level too (not acceptor level)?
> Then there wouldn't be a problem.
>
> Sorry for probing - I'm just trying to establish whether there
> is any real need for exposing the whole chain on a per
> connection basis. If there is, it makes this change a fair
> bit more complicated :o)
Yes, for this specific example, you may be right. But let's assume some other. Let's assume I have a port-level filter configuration consisting of: threadFilter, kerberosFilter, codecFilter, and someFilterManager. Now, as part of the protocol, the client may request TLS privacy once authenticated. So, on a particular session, the client requests privacy, which means adding the SSLFilter after threadFilter and activating it. Now I want this change only for this session, not for all the sessions on this port. I cannot do SSL at the end of the chain because I need to decode first. This means I need to reconfigure the chain, just for this session.

Now the current solution requires me to set up the entire chain on a session-by-session basis (which is really wasteful, as we all agree). If instead you share the chain, and only do the cloning on demand (when SSL is requested by a session), then you can save on average. And since you have only one chain (either shared or private) at any given point in time, the implementation has to be simpler. I do not see how it may become more complicated.

Jose Alberto
