Charles Oliver Nutter wrote:
Charles Oliver Nutter wrote:
SSLEngine and friends are going to be a problem.

After looking a bit more, it seems like the SSL socket stuff is largely independent of BC. A new SSLContext is requested with SSLContext.getInstance("SSL"), not by specifying a specific provider with SSLContext.getInstance("SSL", "BC"). I removed the line in OpenSSLReal that registers BC and was able to connect to an https site with net/https. And as a final test, I removed BC from the jopenssl Class-Path manifest, disabled binding of all but the SSLSocket-related classes and modules, and it still worked.

So it seems like we really have two separate pieces here in JRuby-OpenSSL: one to provide all the encryption, key, cert, and so on capabilities one would need to implement one's own file or stream-based encryption logic, and a pre-built SSL socket implementation. The former is dependent on BC; the latter is not.

Ola, please jump in any time and confirm this. It seems like if we can get SSL sockets working without BC present that would be a huge way to simplify this problem in the near term while we work on making the rest of jopenssl use BC's lightweight APIs directly.
OK,

As far as I know, it's largely independent, BUT the SSL stuff in Java usually needs the export restricted stuff installed. That's where the advantage of using BC comes in, since users wouldn't need to actually install extra stuff to get it working.

But actually, I would say we can get away with using the existing stuff - since we can actually use the other SSLContext.getInstance(String, Provider) method instead.

I'll investigate and see what can be done.

--
Ola Bini (http://ola-bini.blogspot.com) JRuby Core Developer
Developer, ThoughtWorks Studios (http://studios.thoughtworks.com)
Practical JRuby on Rails (http://apress.com/book/view/9781590598818)

"Yields falsehood when quined" yields falsehood when quined.
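
The two lookups discussed in this thread, as an added example that is not from the original messages or from JRuby-OpenSSL: it reports which installed provider an unqualified `SSLContext.getInstance("SSL")` resolves to, then repeats the lookup through the `getInstance(String, Provider)` overload with a Provider object. The class name `SslContextProviderCheck` and its helper methods are hypothetical, and the output depends on the JVM's installed providers.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;

// Hypothetical helper class, not part of JRuby-OpenSSL.
public class SslContextProviderCheck {

    // Name of the provider the JVM picks when none is requested, which is
    // the lookup the thread describes: SSLContext.getInstance("SSL").
    static String defaultProviderFor(String protocol) throws NoSuchAlgorithmException {
        return SSLContext.getInstance(protocol).getProvider().getName();
    }

    // First installed provider that advertises an SSLContext service for
    // the protocol (aliases included), or null if none does.
    static Provider firstProviderOffering(String protocol) {
        for (Provider p : Security.getProviders()) {
            if (p.getService("SSLContext", protocol) != null) {
                return p;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String protocol = args.length > 0 ? args[0] : "SSL";

        // Every installed provider and whether it can serve this protocol.
        for (Provider p : Security.getProviders()) {
            boolean offers = p.getService("SSLContext", protocol) != null;
            System.out.printf("%-20s SSLContext.%s: %s%n", p.getName(), protocol, offers);
        }

        System.out.println("Default lookup resolved to: " + defaultProviderFor(protocol));

        // Pinning: pass the Provider object itself, so the result does not
        // depend on provider registration order or on a lookup by name.
        Provider pinned = firstProviderOffering(protocol);
        if (pinned == null) {
            System.out.println("No installed provider offers SSLContext." + protocol);
            return;
        }
        SSLContext ctx = SSLContext.getInstance(protocol, pinned);
        System.out.println("Pinned lookup resolved to:  " + ctx.getProvider().getName());
    }
}
```

Running it with and without the BC jar on the classpath shows whether the socket side resolves to a provider other than BC, which is the independence the thread is checking.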


