On Thu, Jun 1, 2017 at 10:51 AM, Sebastian Laskawiec <slaskawi@redhat.com> wrote:
I think I've just found the reason why we cannot migrate to OpenSSL by default :(

In the server scenario we obtain SSLContext (the one from JDK; Netty has similar SslContext) from WildFly. It is already configured along with security realms, domains etc. We then get into this branch of code [1].

In order to do fancy things like SNI we need to remap JDK's SSLContext into Netty's SslContext and the only implementation that can consume SSLContext we have at hand is JdkSslContext.

I honestly have no idea how we could refactor this... And that's a shame because OpenSSL is way faster...


I tried migrating the SSL engine to Netty's in [1] and hit the same wall. What I was told is that the SSLContext in WildFly is now (version 11?) a capability under 'org.wildfly.security.ssl-context' and can be replaced, but I did not try doing that.


[1] https://issues.jboss.org/browse/ISPN-6990

Gustavo
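
The constraint discussed in this thread, as an added example that is not code from either poster or from the Infinispan or WildFly code bases: a pre-built JDK SSLContext can only be adapted to Netty through JdkSslContext, so every SNI entry ends up on the JDK SSLEngine. It assumes Netty 4.1 on the classpath; the class name `SniFromJdkContexts`, its methods, and the host pattern are hypothetical, and `SSLContext.getDefault()` stands in for the context the container would supply.

```java
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.JdkSslContext;
import io.netty.handler.ssl.SniHandler;
import io.netty.handler.ssl.SslContext;
import io.netty.util.DomainNameMapping;
import io.netty.util.DomainNameMappingBuilder;

import javax.net.ssl.SSLContext;
import java.util.Map;

/** Hypothetical helper: adapts container-supplied JDK SSLContexts for Netty SNI. */
public final class SniFromJdkContexts {

    /** Wrap a pre-configured JDK SSLContext; the result always uses the JDK SSLEngine. */
    static SslContext wrap(SSLContext jdkContext, boolean requireClientCert) {
        // Client-certificate policy is set here, not inherited from the wrapped context.
        ClientAuth auth = requireClientCert ? ClientAuth.REQUIRE : ClientAuth.NONE;
        return new JdkSslContext(jdkContext, false /* server side */, auth);
    }

    /** Build the SNI host name -> SslContext mapping that SniHandler consumes. */
    static DomainNameMapping<SslContext> mapping(SSLContext fallback,
                                                 Map<String, SSLContext> perHost) {
        // The fallback context serves clients that send no or an unknown server name.
        DomainNameMappingBuilder<SslContext> builder =
                new DomainNameMappingBuilder<>(wrap(fallback, false));
        perHost.forEach((host, ctx) -> builder.add(host, wrap(ctx, false)));
        return builder.build();
    }

    /** SniHandler reads the ClientHello server name and installs the matching SslHandler. */
    static ChannelInitializer<SocketChannel> initializer(DomainNameMapping<SslContext> mapping) {
        return new ChannelInitializer<SocketChannel>() {
            @Override
            protected void initChannel(SocketChannel ch) {
                ch.pipeline().addLast(new SniHandler(mapping));
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the default context stands in for the one handed over by the container.
        SSLContext fromContainer = SSLContext.getDefault();
        DomainNameMapping<SslContext> m =
                mapping(fromContainer, Map.of("*.example.org", fromContainer));
        // Constructed lookup: shows which SslContext implementation a host resolves to.
        System.out.println(m.map("cache.example.org").getClass().getSimpleName());
    }
}
```

Netty's OpenSSL-backed contexts are built through SslContextBuilder from key and certificate material or a KeyManagerFactory, and it offers no entry point that accepts an already-built SSLContext.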