On Thu, Jun 1, 2017 at 10:51 AM, Sebastian Laskawiec <slaskawi(a)redhat.com>
wrote:
I think I've just found the reason why we cannot migrate to OpenSSL by
default :(
In server scenario we obtain S*SL*Context (the one from JDK; Netty has
similar S*sl*Context) from WildFly. It is already configured along with
security realms, domains etc. We then get into this branch of code [1].
In order to do fancy things like SNI we need to remap JDK's SSLContext
into Netty's SslContext and the only implementation that can consume
SSLContext we have at hand is JdkSslContext.
I honestly have no idea how we could refactor this... And that's a shame
because OpenSSL is way faster...
I tried migrating the SSL engine to Netty's in [1] and hit the same wall.
What I was told is that the SSLContext in WildFly is now (version 11?) a
capability under 'org.wildfly.security.ssl-context' and
can be replaced, but I did not try doing that.
[1]
https://issues.jboss.org/browse/ISPN-6990
Gustavo
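The constraint the thread describes, shown as an added example in Java (this is not Infinispan or Netty code, and the class, method names and the `*.example.test` host name are made up for illustration). A pre-configured `javax.net.ssl.SSLContext` can only be turned into a Netty `SslContext` through `JdkSslContext`, which keeps the JDK provider; the OpenSSL provider goes through `SslContextBuilder`, which has to be fed the raw key material and cannot consume an `SSLContext`. The container-provided context is stood in for by a JDK-default `SSLContext` so the example runs on its own; the `SniHandler` mapping works the same way regardless of which implementation sits behind each host name.

```java
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.JdkSslContext;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SniHandler;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.util.DomainNameMapping;
import io.netty.util.DomainNameMappingBuilder;

import javax.net.ssl.SSLContext;
import java.io.File;

public class SslContextBridgeExample {

    // Stand-in for the already-configured SSLContext a container such as
    // WildFly hands over. Built from JDK defaults here (constructed example);
    // in a real deployment the realm/keystore setup is already inside it.
    static SSLContext containerProvidedContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key and trust managers
        return ctx;
    }

    // The only Netty SslContext implementation that accepts an existing JDK
    // SSLContext. Key/trust managers are reused as configured; the TLS
    // provider is necessarily the JDK one, so OpenSSL cannot be used here.
    static SslContext wrapForNetty(SSLContext jdkContext) {
        return new JdkSslContext(jdkContext, /* isClient */ false, ClientAuth.NONE);
    }

    // The OpenSSL path: SslContextBuilder needs the certificate chain and key
    // (PEM files, or a KeyManagerFactory) to build a native context. There is
    // no overload that takes an SSLContext, which is the wall described above.
    static SslContext buildOpenSslContext(File certChainPem, File keyPem) throws Exception {
        if (!OpenSsl.isAvailable()) {
            throw new IllegalStateException("netty-tcnative is not available",
                    OpenSsl.unavailabilityCause());
        }
        return SslContextBuilder.forServer(certChainPem, keyPem)
                .sslProvider(SslProvider.OPENSSL)
                .build();
    }

    // SNI dispatch: host names map to SslContext instances, and the mapping
    // does not care whether each one is JDK- or OpenSSL-backed.
    static SniHandler sniHandler(SslContext defaultCtx, SslContext hostCtx) {
        DomainNameMapping<SslContext> mapping = new DomainNameMappingBuilder<>(defaultCtx)
                .add("*.example.test", hostCtx) // hypothetical host name
                .build();
        return new SniHandler(mapping);
    }

    public static void main(String[] args) throws Exception {
        SslContext jdkBacked = wrapForNetty(containerProvidedContext());
        System.out.println("OpenSSL available: " + OpenSsl.isAvailable()
                + ", but the wrapped context is JDK-backed");
        SniHandler handler = sniHandler(jdkBacked, jdkBacked);
        System.out.println("SniHandler built: " + (handler != null));
    }
}
```

`buildOpenSslContext` is only callable once PEM files exist, which is exactly what the container-provided `SSLContext` does not expose; that is why the example has no way to route the WildFly context onto the OpenSSL provider, and why the thread suggests replacing the WildFly capability instead.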