<div dir="ltr">We actually have more alternatives - e.g. we could use OpenSSL via Boring SSL library [1]. The root problem remains the same - we can use only what we obtain from the WF server. And currently we obtain only JSSE SSLContext...<div><br></div><div><div>[1] <a href="http://netty.io/wiki/forked-tomcat-native.html">http://netty.io/wiki/forked-tomcat-native.html</a><br><br><div class="gmail_quote"><div dir="ltr">On Mon, Jun 5, 2017 at 10:34 AM Tristan Tarrant &lt;<a href="mailto:ttarrant@redhat.com">ttarrant@redhat.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">We should use this:<br>
<br>
<a href="https://github.com/wildfly/wildfly-openssl" rel="noreferrer" target="_blank">https://github.com/wildfly/wildfly-openssl</a><br>
<br>
Tristan<br>
<br>
On 6/1/17 1:17 PM, Gustavo Fernandes wrote:<br>
&gt; On Thu, Jun 1, 2017 at 10:51 AM, Sebastian Laskawiec<br>
&gt; &lt;<a href="mailto:slaskawi@redhat.com" target="_blank">slaskawi@redhat.com</a>&gt; wrote:<br>
&gt;<br>
&gt;     I think I&#39;ve just found the reason why we cannot migrate to OpenSSL<br>
&gt;     by default :(<br>
&gt;<br>
&gt;     In server scenario we obtain S*SL*Context (the one from JDK; Netty<br>
&gt;     has similar S*sl*Context) from WildFly. It is already configured<br>
&gt;     along with security realms, domains etc. We then get into this<br>
&gt;     branch of code [1].<br>
&gt;<br>
&gt;     In order to do fancy things like SNI we need to remap JDK&#39;s<br>
&gt;     SSLContext into Netty&#39;s SslContext and the only implementation that<br>
&gt;     can consume SSLContext we have at hand is JdkSslContext.<br>
&gt;<br>
&gt;     I honestly have no idea how we could refactor this... And that&#39;s a<br>
&gt;     shame because OpenSSL is way faster...<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; I tried migrating the SSL engine to Netty&#39;s in [1] and hit the same<br>
&gt; wall. What I was told is that the SSLContext in Wildfly is now (version<br>
&gt; 11?) a capability under &#39;org.wildfly.security.ssl-context&#39;  and<br>
&gt; can be replaced, but I did not try doing that.<br>
&gt;<br>
&gt;<br>
&gt; [1] <a href="https://issues.jboss.org/browse/ISPN-6990" rel="noreferrer" target="_blank">https://issues.jboss.org/browse/ISPN-6990</a><br>
&gt;<br>
&gt; Gustavo<br>
&gt;<br>
&gt;<br>
&gt; _______________________________________________<br>
&gt; infinispan-dev mailing list<br>
&gt; <a href="mailto:infinispan-dev@lists.jboss.org" target="_blank">infinispan-dev@lists.jboss.org</a><br>
&gt; <a href="https://lists.jboss.org/mailman/listinfo/infinispan-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/infinispan-dev</a><br>
&gt;<br>
<br>
--<br>
Tristan Tarrant<br>
Infinispan Lead<br>
JBoss, a division of Red Hat<br>
</blockquote></div></div></div></div><div dir="ltr">-- <br></div><div data-smartmail="gmail_signature"><div dir="ltr"><p class="inbox-inbox-fullname-container" style="box-sizing:border-box;color:rgb(0,0,0);font-family:overpass,sans-serif;font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:uppercase"><span class="inbox-inbox-firstname-container" style="box-sizing:border-box">SEBASTIAN</span><span class="inbox-inbox-Apple-converted-space"> </span><span class="inbox-inbox-lastname-container" style="box-sizing:border-box">ŁASKAWIEC</span></p><p class="inbox-inbox-position-container" style="box-sizing:border-box;color:rgb(0,0,0);font-family:overpass,sans-serif;font-size:10px;margin:0px 0px 4px;text-transform:uppercase"><span class="inbox-inbox-position" style="box-sizing:border-box">INFINISPAN DEVELOPER</span></p><p class="inbox-inbox-legal-container" style="box-sizing:border-box;font-family:overpass,sans-serif;margin:0px;font-size:10px;color:rgb(153,153,153)"><a class="inbox-inbox-redhat-anchor" href="https://www.redhat.com/" target="_blank" style="box-sizing:border-box;color:rgb(0,136,206);margin:0px;text-decoration:none">Red Hat<span class="inbox-inbox-Apple-converted-space"> </span><span style="box-sizing:border-box">EMEA</span></a></p></div></div>
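The constraint discussed in this thread, as an added example that is not part of the original messages or of Infinispan's code: a ready-made JSSE `SSLContext` can only be wrapped in Netty's `JdkSslContext`, while the OpenSSL provider has to be built from the key material itself. The class name `SniContextWiring`, the host name, `ClientAuth.NONE` and the use of `SSLContext.getDefault()` as a stand-in for the server-provided context are assumptions.

```java
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.JdkSslContext;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SniHandler;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.util.DomainNameMapping;
import io.netty.util.DomainNameMappingBuilder;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import java.util.Map;

// Hypothetical helper class written for this example.
public final class SniContextWiring {

    // Case from the thread: the server hands over a configured JSSE SSLContext.
    // SSLContext exposes no getter for its key managers, so the only Netty
    // wrapper that can consume it is JdkSslContext (handshakes use the JDK engine).
    static SslContext wrap(SSLContext fromContainer) {
        // ClientAuth.NONE is an assumption; a real server would pass its configured mode.
        return new JdkSslContext(fromContainer, false, ClientAuth.NONE);
    }

    // What the OpenSSL provider needs instead: the key material, not a built context.
    static SslContext build(KeyManagerFactory kmf) throws SSLException {
        SslProvider provider = OpenSsl.isAvailable() ? SslProvider.OPENSSL : SslProvider.JDK;
        return SslContextBuilder.forServer(kmf).sslProvider(provider).build();
    }

    // SNI: one Netty SslContext per host name plus a default, each remapped from JSSE.
    static SniHandler sniHandler(SSLContext defaultCtx, Map<String, SSLContext> perHost) {
        DomainNameMappingBuilder<SslContext> b = new DomainNameMappingBuilder<>(wrap(defaultCtx));
        perHost.forEach((host, ctx) -> b.add(host, wrap(ctx)));
        DomainNameMapping<SslContext> mapping = b.build();
        return new SniHandler(mapping);
    }

    public static void main(String[] args) throws Exception {
        SSLContext jdk = SSLContext.getDefault(); // constructed stand-in for the server's context
        SslContext wrapped = wrap(jdk);
        System.out.println(wrapped.getClass().getSimpleName() + " isServer=" + wrapped.isServer());
        sniHandler(jdk, Map.of("example.test", jdk)); // constructed host name
    }
}
```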