I would also like to see a central key manager and started to look at it
a while ago; it turned out to be non-trivial so I bailed. The problem
was that many of the javax.net.ssl classes are abstract classes and not
interfaces which made proxying them difficult.
I had planned to come back to this taking a different tack. Instead of
exposing the low-level j.n.ssl interface I was considering a higher
level interface more suited to the uses of other components.
For example, one of the services provided would be one that returned an
SSLServerSocketFactory that could be used by the connectors; in Jetty's
case I think that can be done easily by subclassing SslListener and
overriding its createFactory() method; I don't know if something similar
can be done for Tomcat.
One thing we MUST be really careful of is not exposing sensitive
information. For example, I would be very troubled by something that
provided easy access to the server's private key.
--
Jeremy
Aaron Mulder wrote:
So we heard earlier from the TriFork guys that they'd prefer if
Geronimo had a generic Keystore service. I notice that Jetty and Tomcat
have HTTPS support requiring Keystore configuration as well, and it
doesn't seem to make a ton of sense to me to repeat all the settings in
each HTTPS/SSL interface (unless you want them to be different). This
isn't super-onerous because normally you don't have that many, but I can
see the attraction of a centralized Keystore service.
If we provide a Keystore GBean, how would Jetty and Tomcat be able
to take advantage of it? It seems that if the Keystore GBean was just a
centralized place to access Keystore settings, the answer would be obvious
(the SSL web connectors could just say KeystoreGBean.getKeystoreFile(),
KeystoreGBean.getKeystorePassword(), etc.). But if the KeystoreGBean
instead only used the config settings internally and its external API
instead provided access directly to the server keys and CA certs, it's not
clear to me whether the Tomcat and Jetty HTTPS connectors could operate on
that basis (KeystoreGBean.getServerPrivateKey(),
KeystoreGBean.getCACerts(), etc.).
Any thoughts from the people who are more familiar with the web
containers?
Thanks,
Aaron
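As an added illustration of the two designs discussed above (this is example code written for this page, not Geronimo code and not Jeremy's or Aaron's), the following class takes the shape Jeremy proposes as the answer to Aaron's question: the keystore path and passwords are consumed internally, and the only thing a connector can obtain is an SSL socket factory, so there is no getServerPrivateKey() to misuse. The class name KeystoreService and its method names are invented; it assumes a JKS or PKCS12 keystore at a path given on the command line, which can be created with keytool as shown in the comments.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocketFactory;

/**
 * Hypothetical keystore service (example only, not Geronimo code).
 *
 * Design point: the keystore file and its passwords are used once, here,
 * to build an SSLContext. Nothing in the public API returns the KeyStore,
 * a KeyManager or the PrivateKey; connectors only ever see socket
 * factories, which is all they need to accept or open TLS connections.
 */
public final class KeystoreService {

    private final SSLContext context;

    /**
     * @param keystorePath  path to a JKS/PKCS12 keystore holding the server key pair
     * @param storePassword password protecting the keystore file
     * @param keyPassword   password protecting the private key entry
     *
     * Both char[] arguments are zeroed before the constructor returns so the
     * secrets do not linger in memory longer than necessary.
     */
    public KeystoreService(String keystorePath, char[] storePassword, char[] keyPassword)
            throws IOException, GeneralSecurityException {
        try {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(keystorePath)) {
                ks.load(in, storePassword);
            }

            // The KeyManagerFactory holds the private key internally; we
            // never keep a reference to the KeyStore after this point.
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, keyPassword);

            // null trust managers = JVM default trust store; a real service
            // would take a separate truststore for client-certificate auth.
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), null, null);
            this.context = ctx;
        } finally {
            Arrays.fill(storePassword, '\0');
            Arrays.fill(keyPassword, '\0');
        }
    }

    /** What an HTTPS connector (Jetty, Tomcat) would ask for. */
    public SSLServerSocketFactory getServerSocketFactory() {
        return context.getServerSocketFactory();
    }

    /** For components that make outbound TLS connections with the server identity. */
    public SSLSocketFactory getSocketFactory() {
        return context.getSocketFactory();
    }

    // Deliberately absent: getKeystoreFile(), getKeystorePassword(),
    // getServerPrivateKey(). The factory above is the whole contract.

    /**
     * Stand-alone check. Create a test keystore first, for example:
     *   keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
     *     -dname CN=localhost -keystore server.jks \
     *     -storepass changeit -keypass changeit
     * then run:  java KeystoreService server.jks changeit
     */
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: KeystoreService <keystore> <password>");
            System.exit(2);
        }
        KeystoreService svc = new KeystoreService(
                args[0], args[1].toCharArray(), args[1].toCharArray());

        // Bind an ephemeral port to prove the factory is usable without
        // the caller ever touching the key material.
        try (SSLServerSocket ss = (SSLServerSocket)
                svc.getServerSocketFactory().createServerSocket(0)) {
            System.out.println("TLS server socket bound on port " + ss.getLocalPort());
            System.out.println("enabled protocols: "
                    + Arrays.toString(ss.getEnabledProtocols()));
        }
    }
}
```

In Jeremy's Jetty scenario the connector subclass would override createFactory() and simply return svc.getServerSocketFactory(); the connector configuration then carries a reference to the service rather than a copy of the keystore path and password. The trade-off relative to Aaron's first option (a settings-only GBean) is that every connector must accept a factory rather than a file and password, which is exactly the question he raises for Tomcat.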