hc-dev mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: Handling Multiple SSL Configurations
Date Wed, 22 Jul 2009 09:24:22 GMT
On Wed, Jul 22, 2009 at 02:35:49PM +0530, Hiranya Jayathilaka wrote:
> Thanks Oleg. That pointed me in the right direction. To start with this is
> what I did.
> 
> 1. I implemented a custom IOEventDispatch extending the
> SSLClientIOEventDispatch class
> 2. In the createSSLIOSession method I used the session attributes (remote
> hostname etc) to lookup a map and select one of several existing SSLContext
> objects (SSLContext objects are initialized at startup and stored in a map)
> 3. I used the selected SSLContext to create the SSLIOSession object
> 
> This seems to be working fine. What do you think about this approach? Can
> there be any situations where this may not work?
> 
> Thanks,
> Hiranya
> 

Hi Hiranya,

Sounds reasonable. I cannot see any potential issues.

Oleg



> 
> On Wed, Jul 22, 2009 at 2:22 PM, Oleg Kalnichevski <olegk@apache.org> wrote:
> 
> > On Wed, Jul 22, 2009 at 10:39:15AM +0530, Hiranya Jayathilaka wrote:
> > > Hi Devs,
> > >
> > > I'm working on Apache Synapse which uses HTTP Core NIO. Currently our HTTPS
> > > transport makes use of one SSL context (initialized from a
> > > keystore/truststore pair). We want to extend that to support multiple SSL
> > > contexts. For example when Synapse connects to server A it will use one SSL
> > > context and when it connects to server B it will use another SSL context.
> > >
> > > I did an initial implementation of the above feature using multiple
> > > IOReactors (ConnectingIOReactor implementations) where each IOReactor is
> > > associated with its own IOEventDispatch and this solution works fine.
> > > However it would be great if we can do this without using multiple
> > > IOReactors. Is this achievable? What is the best way to handle multiple SSL
> > > contexts with HTTP Core?
> > >
> >
> > Hiranya,
> >
> > I do not think multiple IOReactors are needed. One can use a custom
> > IOEventDispatch in order to set up SSL contexts for outgoing connections on a
> > case by case basis.
> >
> > Something along this line:
> >
> > public class MySSLClientIOEventDispatch implements IOEventDispatch {
> >
> > ...
> >
> >    public void connected(final IOSession session) {
> >
> >        SSLContext sslContext;
> >
> >        InetSocketAddress remoteAddress = (InetSocketAddress) session.getRemoteAddress();
> >        String hostname = remoteAddress.getHostName();
> >
> >        if (hostname.equalsIgnoreCase("host-a")) {
> >            sslContext = SSLContext.getInstance("SSLv2");
> >            sslContext.init(null, null, null);
> >        } else if (hostname.equalsIgnoreCase("host-b")) {
> >            sslContext = SSLContext.getInstance("SSLv3");
> >            sslContext.init(null, null, null);
> >        } else {
> >            sslContext = SSLContext.getInstance("TLSv1");
> >            sslContext.init(null, null, null);
> >        }
> >
> >        SSLIOSession sslSession = new SSLIOSession(session, sslContext, this.sslHandler);
> >        ...
> >   }
> >
> > }
> >
> > One can provide additional configuration information to the dispatcher at the
> > construction time such as DNS hostname to keystore mapping (or DNS hostname to
> > cert alias mapping when using just one keystore).
> >
> > Hope this helps
> >
> > Oleg
> >
> >
> >
> > > Thanks,
> > > --
> > > Hiranya Jayathilaka
> > > Software Engineer;
> > > WSO2 Inc.;  http://wso2.org
> > > E-mail: hiranya@wso2.com;  Mobile: +94 77 633 3491
> > > Blog: http://techfeast-hiranya.blogspot.com
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
> > For additional commands, e-mail: dev-help@hc.apache.org
> >
> >
> 
> 
> -- 
> Hiranya Jayathilaka
> Software Engineer;
> WSO2 Inc.;  http://wso2.org
> E-mail: hiranya@wso2.com;  Mobile: +94 77 633 3491
> Blog: http://techfeast-hiranya.blogspot.com
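
The map lookup described in the thread (contexts built at startup, one selected per remote host), as an added example that is not code from either poster or from HttpCore. The class name `SSLContextSelector`, its methods and the generic "TLS" context name are assumptions; it uses only JDK classes and refuses hosts with no configured context instead of falling through to a default.

```java
import java.net.InetSocketAddress;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.SSLContext;

// Hypothetical helper (not an HttpCore class): picks a pre-built SSLContext per remote host.
public class SSLContextSelector {

    private final Map<String, SSLContext> byHost = new ConcurrentHashMap<>();
    private final SSLContext fallback; // null means unknown hosts are refused

    public SSLContextSelector(SSLContext fallback) {
        this.fallback = fallback;
    }

    // Called once per host at startup, before any connection is dispatched.
    public void register(String hostname, SSLContext context) {
        byHost.put(hostname.toLowerCase(Locale.ROOT), context);
    }

    public SSLContext select(InetSocketAddress remote) {
        // getHostString() returns the name the address was created with and does not
        // attempt a reverse DNS lookup, so PTR records cannot steer the selection.
        String host = remote.getHostString().toLowerCase(Locale.ROOT);
        SSLContext ctx = byHost.get(host);
        if (ctx == null) {
            ctx = fallback;
        }
        if (ctx == null) {
            throw new IllegalStateException("No SSLContext configured for " + host);
        }
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: JVM default key and trust material. A real setup would
        // init each context from its own keystore/truststore pair.
        SSLContext a = SSLContext.getInstance("TLS");
        a.init(null, null, null);
        SSLContext b = SSLContext.getInstance("TLS");
        b.init(null, null, null);

        SSLContextSelector selector = new SSLContextSelector(null);
        selector.register("host-a", a);
        selector.register("host-b", b);

        // Case-insensitive lookup; the result is what a custom dispatcher would hand
        // to the SSLIOSession constructor shown in the thread.
        InetSocketAddress remote = InetSocketAddress.createUnresolved("HOST-A", 443);
        System.out.println(selector.select(remote) == a);
    }
}
```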
