Hi Alex,
Alex Milowski wrote:
> On Wed, Jul 2, 2008 at 7:45 AM, Bruno Harbulot
> <[EMAIL PROTECTED]> wrote:
>> Hi Alex,
>> Any particular reason why you would need two pairs of private
>> key/certificates in the same keystore in practice? If you want to use two
>> certificates, you're going to have to configure two connectors anyway, so I
>> would imagine having two keystore files is not necessarily a major problem.
> No particular reason. In fact, the lesson I learned here was not to
> keep them in the same keystore.
>> [...] This being said, it's not
>> something I've tried extensively, but it should be possible to write a
>> relatively simple wrapper that helps you pick a given alias based on the
>> hostname of the socket.
> OK. Eventually I'm going to need this... :)
I'm not sure you would actually need this if you can keep a single
identity (private key + certificate + perhaps chain of CA certificates)
per keystore. However, I too would be interested in seeing this,
especially when Apple fix their KeychainStore implementation (I'm not
sure when this may be).
> Why can't we set properties on the VirtualHost instance as to what alias and
> what keystore should be used for SSL transport?
There can only be one certificate per IP address (unless using a
different port), thus one certificate per connector. (An exception to
this would be to use something like what GnuTLS does [1], but I've never
seen it used in practice. I'm not sure at all how browsers and other
clients support that sort of negotiation.)
Assuming you'd want to do this on a Connector rather than on a
VirtualHost, this would still have to be implemented in the KeyManager
(and thus in the SSLContext). I'll try to make things progress on the
Jetty side and/or find another solution soon. I'm not sure when the
Restlet 1.1 RC1 is due, but I haven't had much spare time for this
recently.
Cheers,
Bruno.
[1] http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/
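As an added illustration of the "relatively simple wrapper" discussed in this thread (example code, not from the thread, Jetty or Restlet): a JSSE X509KeyManager wrapper that forces one configured alias from a keystore holding several private-key entries, so each connector's SSLContext serves exactly one identity. The class name and the `contextFor` helper are hypothetical.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Hypothetical wrapper: delegates to the JSSE key manager but pins the server alias. */
public final class FixedAliasKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;
    private final String serverAlias;

    public FixedAliasKeyManager(X509KeyManager delegate, String serverAlias) {
        // Fail fast: the alias must exist as a private-key entry, or every handshake would fail.
        if (delegate.getPrivateKey(serverAlias) == null) {
            throw new IllegalArgumentException("no private key for alias " + serverAlias);
        }
        this.delegate = delegate;
        this.serverAlias = serverAlias;
    }

    // Server side: ignore JSSE's "first matching entry" choice and return the configured alias.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return serverAlias;
    }
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        return serverAlias;
    }
    // Client-side and lookup methods are passed through unchanged.
    @Override public String[] getClientAliases(String kt, Principal[] is) { return delegate.getClientAliases(kt, is); }
    @Override public String chooseClientAlias(String[] kt, Principal[] is, Socket s) { return delegate.chooseClientAlias(kt, is, s); }
    @Override public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    /** Hypothetical helper: builds an SSLContext whose server identity is the given keystore alias. */
    public static SSLContext contextFor(KeyStore ks, char[] keyPassword, String alias) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        X509KeyManager base = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) { base = (X509KeyManager) km; break; }
        }
        if (base == null) throw new IllegalStateException("no X509KeyManager available");
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Default trust managers and SecureRandom; one such context per connector/alias.
        ctx.init(new KeyManager[] { new FixedAliasKeyManager(base, alias) }, null, null);
        return ctx;
    }
}
```

Choosing the alias by the socket's hostname instead would go in `chooseServerAlias`, but as the thread notes, without SNI-style negotiation there is still only one certificate per address and port, so one context per connector is the practical shape.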