synapse-dev mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: Supporting Multiple SSL Configurations at Sender
Date Tue, 21 Jul 2009 09:22:20 GMT
On Tue, Jul 21, 2009 at 09:42:00AM +0530, Hiranya Jayathilaka wrote:
> Hi Indika,
> 
> On Mon, Jul 20, 2009 at 10:19 PM, indika kumara <indika.kuma@gmail.com> wrote:
> 
> > I agree with Asankha,
> >
> > The requirement is to enable Synapse itself to represent multiple identities
> > and also to call external services whose identities are different. For the
> > first requirement it may need to expose identities at proxy services level.
> > For the second requirement, it may need the ability to specify and use multiple
> > client certificates at endpoint level when calling different external
> > services.
> >
> > Giving multiple SSLContexts is the scalable solution. Especially for
> > requirement one, using reactor will not be scalable. Even for the second
> > requirement.
> >
> > But it seems that in the current IOreactor implementation it is only possible
> > to give one SSLContext (with IOEventDispatch).
> >
> > Seems like we need a new IOEventDispatch implementation that takes a Map of
> > SSLContexts (or a composite IOEventDispatch) and then within method,
> 
> 
> +1 to this approach. I think this is the best possible solution if it's
> doable.
> 
> Thanks,
> Hiranya
> 
> 

Custom IOEventDispatch is the way to go. Essentially all you want is the ability to
create a specific SSL context for each new IOSession based on a particular
set of criteria such as the remote peer's IP or DNS name.

Cheers

Oleg


> >
> >
> > *public void connected (final IOSession session)*
> >
> > Based on the information in the IOSession session, pick the correct SSLContext. I
> > am not sure whether this is possible, but Asankha or Oleg surely knows.
> >
> > Thanks
> > Indika
> >
> >
> > >
> > > I guess the real use case is the ability to use multiple identity
> > > certificates when communicating out. A usual use case is that one
> > > organization would need to use an identity certificate A when talking to an
> > > endpoint of Company A, and another identity certificate B when talking to an
> > > endpoint of Company B etc, when using 2-way SSL. This does not necessarily
> > > require the support for multiple keystores, unless I have missed something.
> > >
> > > I have not yet looked into details.. but I do not directly see the need for
> > > multiple IO reactors to support this.. but just multiple SSLContexts.
> > >
> > > cheers
> > > asankha
> > >
> > > --
> > > Asankha C. Perera
> > > AdroitLogic, http://adroitlogic.org
> > >
> > > http://esbmagic.blogspot.com
> > >
> > >
> > >
> > >
> >
> >
> 
> 
> -- 
> Hiranya Jayathilaka
> Software Engineer;
> WSO2 Inc.;  http://wso2.org
> E-mail: hiranya@wso2.com;  Mobile: +94 77 633 3491
> Blog: http://techfeast-hiranya.blogspot.com
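
The per-peer SSLContext lookup discussed in this thread, as an added example that is not from the thread and is not Synapse or HttpCore code: a selector that a custom IOEventDispatch could consult from connected(IOSession), written with JDK classes only. The class name, the host names and the empty in-memory key stores are constructed assumptions; a peer with no mapping gets a fallback context that holds no client key, so identity A is never offered to an unexpected endpoint.

```java
import java.net.InetSocketAddress;
import java.security.KeyStore;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.*;

// Hypothetical helper (not Synapse or HttpCore code): one SSLContext per remote peer name.
public class PeerSslContextSelector {
    private final Map<String, SSLContext> byHost = new ConcurrentHashMap<>();
    private final SSLContext fallback; // should hold no client key
    public PeerSslContextSelector(SSLContext fallback) { this.fallback = fallback; }
    public void register(String host, SSLContext ctx) { byHost.put(host.toLowerCase(Locale.ROOT), ctx); }
    // getHostString() does no reverse DNS lookup; the key is the name we connected to
    public SSLContext select(InetSocketAddress remote) {
        return byHost.getOrDefault(remote.getHostString().toLowerCase(Locale.ROOT), fallback);
    }

    // Client-mode engine bound to the peer name, so the peer certificate is checked against it
    public SSLEngine engineFor(InetSocketAddress remote) {
        SSLEngine engine = select(remote).createSSLEngine(remote.getHostString(), remote.getPort());
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    // Builds a context around one identity key store; trust falls back to the JDK default store
    static SSLContext contextFor(KeyStore identity, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null); // constructed sample: a real setup loads each identity from disk
        SSLContext idA = contextFor(empty, new char[0]), idB = contextFor(empty, new char[0]);
        PeerSslContextSelector sel = new PeerSslContextSelector(contextFor(empty, new char[0]));
        sel.register("api.company-a.example", idA);
        sel.register("api.company-b.example", idB);
        InetSocketAddress a = InetSocketAddress.createUnresolved("API.company-a.example", 8443);
        InetSocketAddress other = InetSocketAddress.createUnresolved("unknown.example", 8443);
        System.out.println("company A peer gets identity A: " + (sel.select(a) == idA));
        System.out.println("unmapped peer gets A or B: " + (sel.select(other) == idA || sel.select(other) == idB));
        System.out.println("engine in client mode: " + sel.engineFor(a).getUseClientMode());
    }
}
```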
