Alex Milowski wrote:
> On Wed, Jul 16, 2008 at 2:32 AM, Jerome Louvel <[EMAIL PROTECTED]> wrote:
>> Hi Alex,
>> I have added a paragraph on "Confidentiality" in the "Securing applications"
>> page covering this topic:
>> http://wiki.restlet.org/docs_1.1/g1/13-restlet/29-restlet/99-restlet/46-restlet.html
>> At some point, it might make sense to split up this page into several ones.
>> Thanks.
> I think it would be good to have some SSL-specific information make its
> way into the connector documentation as an example.
> That is, there is a simple example here:
> http://wiki.restlet.org/docs_1.1/g1/13-restlet/27-restlet/37-restlet/38-restlet.html
> Maybe we could have something about SSL configuration there as well. Of course, the
> parameters are specific to the server helper...
Actually, using the SslContextFactory, the parameters can now be
consistent across the Grizzly, Jetty and Simple HTTPS connectors. We're
currently debating how it should be configured (see issue 489, feel free
to join in): parameters vs. instances.
I reckon that, for the DefaultSslContextFactory, parameters would
definitely make more sense. The current behaviour is to be able to pass
to its init() method a series of parameters that will more or less
follow the previous style of parameters. (It doesn't set any trust
manager, which instead uses the values set in the javax.net.ssl.* system
properties as default.)
The DefaultSslContextFactory wouldn't help choosing an alias. I guess it
would be feasible to have a fixed alias (in a similar way as I've done
it in jSSLutils with FixedServerAliasKeyManager -- see one of the
previous messages in this thread), but that wouldn't really help for
your initial problem, unless you use a different context per connector.
If you want to be able to use a single SSLContext between your two
sockets, you're going to need a KeyManager that is able to pick the
right alias depending on which socket is used.
In jSSLutils, the FixedServerAliasKeyManager I've implemented picks one
by always returning the same value (the one with which it's been
constructed). What we'd need would be a way to configure such a
KeyManager so that it would look like this:
    import java.net.Socket;
    import java.security.Principal;
    import javax.net.ssl.X509KeyManager;

    class SocketSelectorKeyManager implements X509KeyManager {
        // "SomeInformation" is a placeholder for whatever configuration
        // drives the alias choice (a map from local address to alias, say).
        private final SomeInformation someInformation;

        public SocketSelectorKeyManager(SomeInformation someInformation) {
            this.someInformation = someInformation;
        }

        public String chooseServerAlias(String keyType, Principal[] issuers,
                                        Socket socket) {
            // "makeSomeDecisionBasedOn" is a placeholder for the selection
            // logic; the local socket address is one possible input.
            String alias = makeSomeDecisionBasedOn(someInformation,
                    socket.getLocalSocketAddress()); // (or other arguments)
            return alias;
        }
        ...
    }
What "SomeInformation" and "makeSomeDecisionBasedOn" should be like
could depend on many factors. I could try to implement one of these in
jSSLutils, but I'm not sure how you'd like to be able to configure such
a KeyManager. Any preferences?
Regarding the documentation, I'm planning to document the
jSSLutils-specific settings on the jSSLutils website when I get the time
to do so (probably next week). I'll try to document the
DefaultSslContextFactory in the Restlet doc too (although I'm not sure I
have access to the wiki).
Best wishes,
Bruno.
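As an added illustration of the per-socket alias selection Bruno sketches above (this is example code, not part of jSSLutils, Restlet or the original thread), the class below keys the choice on the local port the TLS socket was accepted on. The class name PortSelectingKeyManager, the aliasByLocalPort map and the fallbackAlias parameter are assumptions made for the example; everything else is standard JSSE. It wraps the X509KeyManager obtained from a KeyManagerFactory so that the keystore, certificate chains and private keys are still handled by the platform, and it only overrides chooseServerAlias.

```java
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketAddress;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

/**
 * Hypothetical example (not jSSLutils code): chooses the server alias by
 * the local port of the accepted socket and delegates everything else to
 * the key manager built from the keystore.
 *
 * Usage (assumed names):
 *   Map<Integer, String> byPort = new HashMap<>();
 *   byPort.put(8443, "public-cert");     // alias names are constructed examples
 *   byPort.put(9443, "internal-cert");
 *   X509KeyManager km = PortSelectingKeyManager.fromKeyStore(ks, pwd, byPort, "public-cert");
 *   SSLContext ctx = SSLContext.getInstance("TLS");
 *   ctx.init(new KeyManager[] { km }, null, null); // null = default trust managers
 */
public class PortSelectingKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final Map<Integer, String> aliasByLocalPort;
    private final String fallbackAlias;

    public PortSelectingKeyManager(X509KeyManager delegate,
                                   Map<Integer, String> aliasByLocalPort,
                                   String fallbackAlias) {
        this.delegate = delegate;
        this.aliasByLocalPort = new HashMap<>(aliasByLocalPort);
        this.fallbackAlias = fallbackAlias;
    }

    /** Builds the wrapper from a loaded keystore using the platform KeyManagerFactory. */
    public static PortSelectingKeyManager fromKeyStore(KeyStore ks, char[] keyPassword,
                                                       Map<Integer, String> aliasByLocalPort,
                                                       String fallbackAlias)
            throws GeneralSecurityException {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return new PortSelectingKeyManager((X509KeyManager) km, aliasByLocalPort, fallbackAlias);
            }
        }
        throw new NoSuchAlgorithmException("no X509KeyManager available from KeyManagerFactory");
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        String alias = fallbackAlias;
        // socket is null when JSSE calls this on the SSLEngine (NIO) path,
        // in which case only the fallback alias can be used.
        if (socket != null) {
            SocketAddress local = socket.getLocalSocketAddress();
            if (local instanceof InetSocketAddress) {
                String configured = aliasByLocalPort.get(((InetSocketAddress) local).getPort());
                if (configured != null) {
                    alias = configured;
                }
            }
        }
        // Only hand out an alias the keystore really holds for this key type
        // (keyType is e.g. "RSA" or "EC"); otherwise let the delegate decide,
        // so a mistyped alias in the port map fails closed rather than
        // silently selecting an unrelated key.
        if (alias != null && holdsKeyOfType(alias, keyType)) {
            return alias;
        }
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }

    private boolean holdsKeyOfType(String alias, String keyType) {
        X509Certificate[] chain = delegate.getCertificateChain(alias);
        return delegate.getPrivateKey(alias) != null
                && chain != null && chain.length > 0
                && chain[0].getPublicKey().getAlgorithm().equals(keyType);
    }

    // Everything below is untouched delegation to the keystore-backed manager.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return delegate.chooseClientAlias(keyType, issuers, socket); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```

One caveat worth keeping in mind when wiring this into a connector: the Socket argument is only populated by the blocking SSLSocket code path. When a connector drives the handshake through an SSLEngine, JSSE wraps a plain X509KeyManager and calls chooseServerAlias with a null socket, so the port-based selection above degrades to the fallback alias; covering that path would mean extending X509ExtendedKeyManager and overriding chooseEngineServerAlias, which only sees the SSLEngine rather than a local address, and so in practice brings you back to one SSLContext per connector.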