Hi Alex and Bruno,

My understanding is that Alex wants this:
 - a single server socket accepting all HTTP requests
 - several SSL certificates selected depending on the matching virtual host

I think this can't be done because in order to determine the virtual host,
you need to have read and parsed the HTTP request headers to get the "Host"
one. You can only do that if you already use the certificate to read the
incoming SSL stream.

So, it seems that the only solution is to have two listening server sockets
and then two Restlet server connectors. Bruno's solution would let you share
the same certificate store by selecting the alias based on the actual socket
used, but you still need two sockets.

If you want to use HTTPS's default port, that means that you need two
separate IP addresses, at least virtual IP addresses.

Let me know if I missed something.

Best regards,
Jerome


-----Original Message-----
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bruno Harbulot
Sent: Thursday 10 July 2008 13:58
To: discuss@restlet.tigris.org
Subject: Re: SSL + Virtual Hosts and Issue #489?

Hi all,

Bruno Harbulot wrote:

> 1. We assume there's going to be a single SSLContext common to all 
> servers of the component created via an SslContextFactory (it's set up 
> in the Context of the Component).
> 
> In theory, it should be possible to set up the SSLContext to use a 
> custom X509KeyManager [1] that implements chooseServerAlias(String 
> keyType, Principal issuers, Socket socket) to choose the appropriate 
> alias depending on the listening socket that is used.
> Unfortunately, I've tried, and the "socket" passed to that method is a 
> temporary socket that has almost the same characteristics as the actual 
> one, but not all, especially not the local address, which is what we 
> would need. I've just talked about it with the OpenJDK security team 
> [2], but I wouldn't expect a fix in the mainstream JVMs any time soon.

Sorry, what I've said was wrong. It can work. There is a second call 
during the SSL handshake during accept, as discussed in this thread [2].

Therefore, it would be possible to choose an alias based on the actual 
socket and its local address.

Essentially, it's now a matter of providing a way to configure this:
    String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)


Best wishes,

Bruno.


> [1]
> http://java.sun.com/j2se/1.5.0/docs/api/javax/net/ssl/X509KeyManager.html
> [2]
> http://mail.openjdk.java.net/pipermail/security-dev/2008-July/000225.html
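As an added example (not code from this thread or from Restlet), here is what a configurable key manager along the lines Bruno describes could look like: a wrapper around the JVM's default X509KeyManager whose chooseServerAlias picks the keystore alias from the local address and port of the accepted socket, and falls back to the default choice when the socket it is handed (for instance the temporary one from the first handshake callback) matches no configured listener. The PerSocketKeyManager class, the aliasBySocket map and the buildContext helper are assumptions of this example, not Restlet API.

```java
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.util.Map;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/** Selects the server certificate alias from the local address of the accepted socket (example, not Restlet code). */
public class PerSocketKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;                      // the JVM's default key manager
    private final Map<InetSocketAddress, String> aliasBySocket; // assumed mapping: listener address -> keystore alias

    public PerSocketKeyManager(X509KeyManager delegate, Map<InetSocketAddress, String> aliasBySocket) {
        this.delegate = delegate;
        this.aliasBySocket = aliasBySocket;
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        // The first handshake callback may pass a socket whose local address does not match any
        // listener (the temporary socket Bruno mentions); in that case use the default choice.
        if (socket != null) {
            InetSocketAddress local = new InetSocketAddress(socket.getLocalAddress(), socket.getLocalPort());
            String alias = aliasBySocket.get(local);
            if (alias != null && delegate.getCertificateChain(alias) != null) {
                return alias;
            }
        }
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }

    // Everything else is passed straight through to the default key manager.
    @Override public String[] getServerAliases(String k, Principal[] i) { return delegate.getServerAliases(k, i); }
    @Override public String[] getClientAliases(String k, Principal[] i) { return delegate.getClientAliases(k, i); }
    @Override public String chooseClientAlias(String[] k, Principal[] i, Socket s) { return delegate.chooseClientAlias(k, i, s); }
    @Override public java.security.cert.X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public java.security.PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

    /** Builds one SSLContext, shared by both server connectors, whose key manager chooses the alias per listening socket. */
    public static SSLContext buildContext(KeyStore ks, char[] keyPass, Map<InetSocketAddress, String> aliasBySocket) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        X509KeyManager base = (X509KeyManager) kmf.getKeyManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new javax.net.ssl.KeyManager[] { new PerSocketKeyManager(base, aliasBySocket) }, null, null);
        return ctx;
    }
}
```

Each listener still needs its own socket (and, on port 443, its own IP address) as Jerome notes; the map simply ties each of those local addresses to the alias of the certificate it should present.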
