[infinispan-dev] Netty SSL Context, was [Hot Rod secured by default]
Tristan Tarrant
ttarrant at redhat.com
Mon Jun 5 08:02:14 EDT 2017
Actually, WildFly 11 will allow this.
Additionally, in our restructured server, we can do whatever we want.
Tristan
On 6/5/17 12:29 PM, Sebastian Laskawiec wrote:
> We actually have more alternatives - e.g. we could use OpenSSL via
> Boring SSL library [1]. The root problem remains the same - we can use
> only what we obtain from the WF server. And currently we obtain
> only JSSE SSLContext...
>
> [1] http://netty.io/wiki/forked-tomcat-native.html
>
> On Mon, Jun 5, 2017 at 10:34 AM Tristan Tarrant <ttarrant at redhat.com> wrote:
>
> We should use this:
>
> https://github.com/wildfly/wildfly-openssl
>
> Tristan
>
> On 6/1/17 1:17 PM, Gustavo Fernandes wrote:
> > On Thu, Jun 1, 2017 at 10:51 AM, Sebastian Laskawiec
> > <slaskawi at redhat.com> wrote:
> >
> > I think I've just found the reason why we can not migrate in OpenSSL
> > by default :(
> >
> > In server scenario we obtain S*SL*Context (the one from JDK; Netty
> > has similar S*sl*Context) from WildFly. It is already configured
> > along with security realms, domains etc. We then get into this
> > branch of code [1].
> >
> > In order to do fancy things like SNI we need to remap JDK's
> > SSLContext into Netty's SslContext and the only implementation that
> > can consume SSLContext we have at hand is JdkSslContext.
> >
> > I honestly have no idea how we could refactor this... And that's a
> > shame because OpenSSL is way faster...
> >
> >
> >
> > I tried migrating the SSL engine to Netty's in [1] and hit the same
> > wall. What I was told is that the SSLContext in Wildfly is now (version
> > 11?) a capability under 'org.wildfly.security.ssl-context' and
> > can be replaced, but I did not try doing that.
> >
> >
> > [1] https://issues.jboss.org/browse/ISPN-6990
> >
> > Gustavo
> >
> >
> > _______________________________________________
> > infinispan-dev mailing list
> > infinispan-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/infinispan-dev
> >
>
> --
> Tristan Tarrant
> Infinispan Lead
> JBoss, a division of Red Hat
>
> --
>
> SEBASTIAN ŁASKAWIEC
> INFINISPAN DEVELOPER
> Red Hat EMEA <https://www.redhat.com/>
>
>
>
>
--
Tristan Tarrant
Infinispan Lead
JBoss, a division of Red Hat
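
Added example, not part of the original thread or the Infinispan code base: a sketch of the constraint discussed above, where a JSSE SSLContext supplied by the container can only be wrapped in Netty's JdkSslContext before it is handed to an SniHandler. The class name JsseSniInitializer, the perHost map and the ClientAuth.NONE setting are assumptions made for illustration.

```java
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.JdkSslContext;
import io.netty.handler.ssl.SniHandler;
import io.netty.handler.ssl.SslContext;
import io.netty.util.DomainNameMapping;
import io.netty.util.DomainNameMappingBuilder;

import javax.net.ssl.SSLContext;
import java.util.Map;

// Hypothetical initializer: routes TLS handshakes by SNI host name using
// only JSSE SSLContext objects obtained from the application server.
public final class JsseSniInitializer extends ChannelInitializer<SocketChannel> {

    private final DomainNameMapping<SslContext> mapping;

    // defaultCtx is used when the client sends no SNI name or an unknown one.
    // perHost maps SNI host names (wildcards such as "*.example.org" are
    // accepted by DomainNameMappingBuilder) to already configured contexts.
    public JsseSniInitializer(SSLContext defaultCtx, Map<String, SSLContext> perHost) {
        DomainNameMappingBuilder<SslContext> builder =
                new DomainNameMappingBuilder<>(wrap(defaultCtx));
        perHost.forEach((host, ctx) -> builder.add(host, wrap(ctx)));
        this.mapping = builder.build();
    }

    // JdkSslContext is the Netty SslContext that accepts an existing
    // javax.net.ssl.SSLContext, so every engine it creates is a JDK engine:
    // key material and trust settings stay as the container configured them,
    // and the OpenSSL-backed engine is not used on this path.
    private static SslContext wrap(SSLContext jdkContext) {
        // isClient = false: server side. ClientAuth.NONE is an assumption;
        // use REQUIRE or OPTIONAL if the security realm expects client certs.
        return new JdkSslContext(jdkContext, false, ClientAuth.NONE);
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        // SniHandler reads the ClientHello, selects the SslContext for the
        // requested host name and replaces itself with the matching SslHandler.
        ch.pipeline().addLast(new SniHandler(mapping));
    }
}
```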