Hi Bruno, Regarding the wiki, you don't seem to be registered. See the instructions here to become an author: http://wiki.restlet.org/about/2-restlet.html
Best regards, Jerome

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED] On behalf of Bruno Harbulot
Sent: Friday 18 July 2008 17:48
To: [email protected]
Subject: Re: SSL + Virtual Hosts and Issue #489?

Alex Milowski wrote:
> On Wed, Jul 16, 2008 at 2:32 AM, Jerome Louvel <[EMAIL PROTECTED]> wrote:
>> Hi Alex,
>>
>> I have added a paragraph on "Confidentiality" in the "Securing applications"
>> page covering this topic:
>> http://wiki.restlet.org/docs_1.1/g1/13-restlet/29-restlet/99-restlet/46-restlet.html
>>
>> At some point, it might make sense to split up this page into several ones.
>
> Thanks.
>
> I think it would be good to have some ssl-specific information make its
> way into the connector documentation as an example.
>
> That is, there is a simple example here:
>
> http://wiki.restlet.org/docs_1.1/g1/13-restlet/27-restlet/37-restlet/38-restlet.html
>
> Maybe we could have something about ssl configuration there as well. Of course, the
> parameters are specific to the server helper...

Actually, using the SslContextFactory, the parameters can now be consistent across the Grizzly, Jetty and Simple HTTPS connectors. We're currently debating how it should be configured (see issue 489, feel free to join in): parameters vs. instances. I reckon that, for the DefaultSslContextFactory, parameters would definitely make more sense. The current behaviour is to be able to pass to its init() method a series of parameters that will more or less follow the previous style of parameters. (It doesn't set any trust manager, which instead uses the values set in the javax.net.ssl.* system properties by default.)

The DefaultSslContextFactory wouldn't help choosing an alias. I guess it would be feasible to have a fixed alias (in a similar way as I've done it in jSSLutils with FixedServerAliasKeyManager -- see one of the previous messages in this thread), but that wouldn't really help for your initial problem, unless you use a different context per connector.
If you want to be able to use a single SSLContext between your two sockets, you're going to need a KeyManager that is able to pick the right alias depending on which socket is used. In jSSLutils, the FixedServerAliasKeyManager I've implemented picks one by always returning the same value (the one with which it's been constructed). What we'd need would be a way to configure such a KeyManager so that it would look like this:

    class SocketSelectorKeyManager implements X509KeyManager {
        private final "SomeInformation" someInformation;

        public SocketSelectorKeyManager(SomeInformation someInformation) {
            this.someInformation = someInformation;
        }

        public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            String alias = "makeSomeDecisionBasedOn"(someInformation, socket.getLocalSocketAddress()); // (or other arguments)
            return alias;
        }

        ...
    }

What "SomeInformation" and "makeSomeDecisionBasedOn" should be like could depend on many factors. I could try to implement one of these in jSSLutils, but I'm not sure how you'd like to be able to configure such a KeyManager. Any preferences?

Regarding the documentation, I'm planning to document the jSSLutils-specific settings on the jSSLutils website when I get the time to do so (probably next week). I'll try to document the DefaultSslContextFactory in the Restlet doc too (although I'm not sure I have access to the wiki).

Best wishes, Bruno.
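As an added illustration of the per-socket alias selection Bruno sketches above (example code written for this page, not part of jSSLutils or Restlet): the placeholder "SomeInformation" becomes a map from local bind address to keystore alias, and "makeSomeDecisionBasedOn" becomes a lookup on the socket's local address. The class name SocketSelectorKeyManager is taken from the message; the helper forKeyStore and the delegate-based fallback are assumptions of this example. The manager only honours a mapped alias if the underlying JSSE key manager actually knows that alias for the requested key type, and otherwise defers to the default choice, so a typo in the mapping degrades to standard behaviour rather than a failed handshake.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketAddress;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Hypothetical X509KeyManager (example for this thread, not library code) that
 * picks the server certificate alias from the local address of the socket being
 * handshaken, so one SSLContext can serve several IP-based virtual hosts.
 * Everything else is delegated to the JSSE key manager built from the keystore.
 */
public final class SocketSelectorKeyManager implements X509KeyManager {

    private final X509KeyManager delegate;
    // "SomeInformation": local bind address -> keystore alias, supplied by the caller.
    private final Map<InetAddress, String> aliasByLocalAddress;

    public SocketSelectorKeyManager(X509KeyManager delegate,
                                    Map<InetAddress, String> aliasByLocalAddress) {
        this.delegate = delegate;
        this.aliasByLocalAddress =
                Collections.unmodifiableMap(new HashMap<InetAddress, String>(aliasByLocalAddress));
    }

    /** Assumed helper: wraps the default JSSE key manager for the given keystore. */
    public static SocketSelectorKeyManager forKeyStore(KeyStore keyStore, char[] keyPassword,
            Map<InetAddress, String> aliasByLocalAddress) throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return new SocketSelectorKeyManager((X509KeyManager) km, aliasByLocalAddress);
            }
        }
        throw new IllegalStateException("no X509KeyManager available for the keystore");
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        // "makeSomeDecisionBasedOn": look the local address up in the mapping.
        String alias = aliasFor(socket == null ? null : socket.getLocalSocketAddress());
        // Only honour the mapping if the alias exists for this key type; otherwise
        // fall back to whatever the default key manager would have chosen.
        if (alias != null && hasServerAlias(alias, keyType, issuers)) {
            return alias;
        }
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }

    /** Mapping logic kept separate so it can be tested without opening a socket. */
    String aliasFor(SocketAddress localAddress) {
        if (localAddress instanceof InetSocketAddress) {
            return aliasByLocalAddress.get(((InetSocketAddress) localAddress).getAddress());
        }
        return null;
    }

    private boolean hasServerAlias(String alias, String keyType, Principal[] issuers) {
        String[] aliases = delegate.getServerAliases(keyType, issuers);
        return aliases != null && Arrays.asList(aliases).contains(alias);
    }

    // Client-side and lookup methods pass straight through to the delegate.
    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }

    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseClientAlias(keyType, issuers, socket);
    }

    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }

    @Override
    public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }
}
```

To use it, pass the instance to SSLContext.init() as the only KeyManager (SSLContext.getInstance("TLS").init(new KeyManager[] { km }, trustManagers, null)) and bind each virtual host's connector to its own local address. One caveat worth checking on the connector in use: when JSSE drives the handshake through an SSLEngine rather than a Socket, a plain X509KeyManager is called with a null socket, so the lookup yields nothing and the delegate's default alias is used; an engine-based connector would need the X509ExtendedKeyManager variant of this class, which chooses the alias from the engine's peer information instead.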

