Hi all,
Bruno Harbulot wrote:
> 1. We assume there's going to be a single SSLContext common to all
> servers of the component created via an SslContextFactory (it's set up
> in the Context of the Component).
> In theory, it should be possible to set up the SSLContext to use a
> custom X509KeyManager [1] that implements chooseServerAlias(String
> keyType, Principal[] issuers, Socket socket) to choose the appropriate
> alias depending on the listening socket that is used.
> Unfortunately, I've tried, and the "socket" passed to that method is a
> temporary socket that has almost the same characteristics as the actual
> one, but not all, especially not the local address, which is what we
> would need. I've just talked about it with the OpenJDK security team
> [2], but I wouldn't expect a fix in the mainstream JVMs any time soon.
Sorry, what I said was wrong. It can work. There is a second call
during the SSL handshake on accept, as discussed in this thread [2].
Therefore, it would be possible to choose an alias based on the actual
socket and its local address.
Essentially, it's now a matter of providing a way to configure this:
chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
Best wishes,
Bruno.
[1]
http://java.sun.com/j2se/1.5.0/docs/api/javax/net/ssl/X509KeyManager.html
[2]
http://mail.openjdk.java.net/pipermail/security-dev/2008-July/000225.html
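For readers following the thread, here is one way the alias selection described above could be wired up. This is an added example, not Bruno's code and not Restlet code: a wrapper X509KeyManager that delegates to the JDK's default key manager and overrides chooseServerAlias to look up a configured alias by the accepted socket's local address. The class name, the InetAddress-to-alias map and the helper methods are all hypothetical; treating an unbound socket as the "temporary" one from the first JSSE call is an assumption made here, so the example falls back to the delegate's default choice whenever it cannot decide.

```java
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Map;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509KeyManager;

/*
 * Added example (hypothetical, not Restlet code): an X509KeyManager that picks the
 * server certificate alias from the local address the connection was accepted on,
 * and delegates everything else to the JDK's default key manager.
 */
public final class LocalAddressKeyManager implements X509KeyManager {

    private final X509KeyManager delegate;
    // Assumed configuration: listening address -> key store alias.
    private final Map<InetAddress, String> aliasByLocalAddress;

    public LocalAddressKeyManager(X509KeyManager delegate,
                                  Map<InetAddress, String> aliasByLocalAddress) {
        this.delegate = delegate;
        this.aliasByLocalAddress = Collections.unmodifiableMap(aliasByLocalAddress);
    }

    /** Wraps the default JDK key manager built from the given key store. */
    public static LocalAddressKeyManager fromKeyStore(KeyStore keyStore, char[] keyPassword,
                                                      Map<InetAddress, String> aliasByLocalAddress)
            throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return new LocalAddressKeyManager((X509KeyManager) km, aliasByLocalAddress);
            }
        }
        throw new IllegalStateException("no X509KeyManager from " + kmf.getAlgorithm());
    }

    /** The single SSLContext shared by all servers, initialised with this key manager. */
    public static SSLContext newSslContext(LocalAddressKeyManager km, TrustManager[] trustManagers)
            throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { km }, trustManagers, null);
        return ctx;
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        String alias = aliasFor(keyType, socket);
        return alias != null ? alias : delegate.chooseServerAlias(keyType, issuers, socket);
    }

    /*
     * Returns the configured alias for the socket's local address, or null when the
     * socket cannot be used for the decision. The JSSE may call chooseServerAlias with
     * a temporary socket before the real accepted socket is passed in (see the
     * security-dev thread); on that call we return null so the delegate's default
     * choice is used, and the later call with the bound socket picks the right alias.
     * Assumption: the temporary socket is not bound to a local address.
     */
    String aliasFor(String keyType, Socket socket) {
        if (socket == null || !socket.isBound()) {
            return null;
        }
        String alias = aliasByLocalAddress.get(socket.getLocalAddress());
        if (alias == null) {
            return null;
        }
        // Never hand back an alias whose key is missing or of the wrong type: the JSSE
        // asks once per key type (e.g. "RSA", "EC") and a mismatch fails the handshake.
        PrivateKey key = delegate.getPrivateKey(alias);
        if (key == null || !key.getAlgorithm().equalsIgnoreCase(keyType)) {
            return null;
        }
        return alias;
    }

    // Remaining X509KeyManager methods are delegated unchanged.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseClientAlias(keyType, issuers, socket);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }
}
```

To use it, build the map with InetAddress.getByName(...) for each listening address, call fromKeyStore with the component's key store, and hand the result to newSslContext; every server socket created from that one context then gets its alias chosen per local address, while anything not in the map, or any call made with a socket that is not yet bound, keeps the JDK's default behaviour.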