synapse-dev mailing list archives

From Ruwan Linton <ruwan.lin...@gmail.com>
Subject Re: Supporting Multiple SSL Configurations at Sender
Date Tue, 21 Jul 2009 01:15:19 GMT
On Tue, Jul 21, 2009 at 6:23 AM, Andreas Veithen
<andreas.veithen@gmail.com> wrote:

> On Tue, Jul 21, 2009 at 02:05, Ruwan Linton<ruwan.linton@gmail.com> wrote:
> >
> >
> > On Mon, Jul 20, 2009 at 10:19 PM, indika kumara <indika.kuma@gmail.com>
> > wrote:
> >>
> >> I agree with Asankha,
> >>
> >> The requirement is to enable Synapse itself to represent multiple
> >> identities and also to call external services whose identities are
> >> different. For the first requirement, it may need to expose identities at
> >> the proxy services level. For the second requirement, it may need the
> >> ability to specify and use multiple client certificates at the endpoint
> >> level when calling different external services.
> >>
> >> Giving multiple SSLContexts is the scalable solution. Especially for
> >> requirement one, using reactor will not be scalable. Even for the second
> >> requirement.
> >>
> >> But it seems that in the current IOReactor implementation it is only
> >> possible to give one SSLContext (with IOEventDispatch).
> >>
> >> It seems like we need a new IOEventDispatch implementation that takes a
> >> Map of SSLContexts (or a composite IOEventDispatch) and then, within the
> >> method
> >>
> >> public void connected (final IOSession session)
> >>
> >> picks the correct SSLContext based on information in the IOSession session.
> >> I am not sure about the possibility of this, but Asankha or Oleg surely
> >> knows.
> >
> > Asankha, Indika is correct on the above comment I guess... IOReactor has a
> > one-to-one relationship with the SSLContext; I think that is why Hiranya
> > wanted multiple IOReactors to support this.
> >
> > Is there a mechanism where you can provide multiple SSLContexts to the
> > IOEventDispatcher? I suggest we get the patch from Hiranya and improve it
> > to support this scenario, since he has some working code already. WDYT?
> >
> > Thanks,
> > Ruwan
> >
>
> I don't think that you even need multiple SSLContexts. Choosing the
> client certificate is the responsibility of X509(Extended)KeyManager.
> Probably the requirement is already supported out-of-the-box by the
> default key manager implementation. If not, the option is to implement
> a custom version.


If you need to provide the different certs through different stores
(different JKS files), I don't think the key manager can handle that,
because there is no way that the key manager can find different key stores
without the user (nhttp transport) feeding it the key store.

Am I missing anything?

Thanks,
Ruwan


>
>
> >>
> >> Thanks
> >> Indika
> >>
> >>
> >> >
> >> > I guess the real use case is the ability to use multiple identity
> >> > certificates when communicating out. A usual use case is that one
> >> > organization would need to use an identity certificate A when talking to
> >> > an endpoint of Company A, and another identity certificate B when talking
> >> > to an endpoint of Company B etc, when using 2-way SSL. This does not
> >> > necessarily require the support for multiple keystores, unless I have
> >> > missed something.
> >> >
> >> > I have not yet looked into details.. but I do not directly see the need
> >> > for multiple IO reactors to support this.. but just multiple SSLContexts.
> >> >
> >> > cheers
> >> > asankha
> >> >
> >> > --
> >> > Asankha C. Perera
> >> > AdroitLogic, http://adroitlogic.org
> >> >
> >> > http://esbmagic.blogspot.com
> >> >
> >> >
> >> >
> >> >
> >>
> >
> >
> >
> > --
> > Ruwan Linton
> > Technical Lead & Product Manager; WSO2 ESB; http://wso2.org/esb
> > WSO2 Inc.; http://wso2.org
> > email: ruwan@wso2.com; cell: +94 77 341 3097
> > blog: http://ruwansblog.blogspot.com
> >
>


-- 
Ruwan Linton
Technical Lead & Product Manager; WSO2 ESB; http://wso2.org/esb
WSO2 Inc.; http://wso2.org
email: ruwan@wso2.com; cell: +94 77 341 3097
blog: http://ruwansblog.blogspot.com
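
One way the key-manager approach discussed in this thread could cover several JKS files, with the transport loading each store and handing it to the key manager. This is an added example, not code from any poster or from Synapse; the class name `PerHostKeyManager`, the host-to-store map and the `host|alias` naming are assumptions, and each key is assumed to use its store's password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.net.ssl.*;

/** Added example: picks a client identity by peer host; each host maps to its own key store. */
public class PerHostKeyManager extends X509ExtendedKeyManager {
    private final Map<String, X509KeyManager> byHost; // peer host -> key manager of one store

    public PerHostKeyManager(Map<String, X509KeyManager> byHost) { this.byHost = byHost; }

    /** The transport feeds each store in: load one JKS file into its own key manager. */
    public static X509KeyManager load(String jksPath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(jksPath)) { ks.load(in, password); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password); // assumption: key password equals store password
        for (KeyManager km : kmf.getKeyManagers())
            if (km instanceof X509KeyManager) return (X509KeyManager) km;
        throw new KeyStoreException("no X509KeyManager for " + jksPath);
    }

    // SSLEngine (NIO) path; the engine must come from createSSLEngine(host, port).
    @Override
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        String host = engine.getPeerHost();
        X509KeyManager km = host == null ? null : byHost.get(host);
        if (km == null) return null;               // unknown peer: present no client certificate
        String alias = km.chooseClientAlias(keyTypes, issuers, null);
        return alias == null ? null : host + "|" + alias; // qualify alias with its store
    }

    private X509KeyManager storeOf(String alias) { return byHost.get(alias.substring(0, alias.indexOf('|'))); }
    private static String local(String alias) { return alias.substring(alias.indexOf('|') + 1); }

    @Override public X509Certificate[] getCertificateChain(String alias) {
        return storeOf(alias).getCertificateChain(local(alias));
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        return storeOf(alias).getPrivateKey(local(alias));
    }
    // Blocking-socket and server-side selection are out of scope for this sender-side example.
    @Override public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return null; }
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return null; }
    @Override public String[] getClientAliases(String t, Principal[] i) { return null; }
    @Override public String[] getServerAliases(String t, Principal[] i) { return null; }
}
```

An instance is installed through `SSLContext.init(new KeyManager[] { manager }, trustManagers, null)`, so a single SSLContext serves every endpoint. Returning `null` for an unmapped host means no client certificate is offered there, rather than falling back to some other organization's identity.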
