synapse-dev mailing list archives

From Andreas Veithen <andreas.veit...@gmail.com>
Subject Re: Supporting Multiple SSL Configurations at Sender
Date Tue, 21 Jul 2009 01:18:17 GMT
Ruwan,

Where does the requirement of using different stores come from?

Andreas

On Tue, Jul 21, 2009 at 03:15, Ruwan Linton<ruwan.linton@gmail.com> wrote:
>
>
> On Tue, Jul 21, 2009 at 6:23 AM, Andreas Veithen <andreas.veithen@gmail.com>
> wrote:
>>
>> On Tue, Jul 21, 2009 at 02:05, Ruwan Linton<ruwan.linton@gmail.com> wrote:
>> >
>> >
>> > On Mon, Jul 20, 2009 at 10:19 PM, indika kumara <indika.kuma@gmail.com>
>> > wrote:
>> >>
>> >> I agree with Asankha,
>> >>
>> >> The requirement is to enable Synapse itself to represent multiple
>> >> identities and also to call external services whose identities are
>> >> different.
>> >> For first requirement it may need to expose identities at proxy
>> >> services
>> >> level. For second requirement, it may need ability to specify and use
>> >> multiple client certificates at endpoint level when calling different
>> >> external services.
>> >>
>> >> Giving multiple SSLContexts is the scalable solution. Especially for
>> >> requirement one, using reactor will not be scalable. Even for the
>> >> second requirement.
>> >>
>> >> But, it seems in the current IOreactor implementation it is only
>> >> possible
>> >> to be given one SSLContext (with IOEventDispatch).
>> >>
>> >> Seems like we need a new IOEventDispatch implementation that takes a
>> >> Map of SSLContexts (or composite IOEventDispatch) and then within the
>> >> method,
>> >>
>> >> public void connected (final IOSession session)
>> >>
>> >> Based on information in the IOSession session, pick the correct SSLContext.
>> >> I am not sure about the possibility of this, but Asankha or Oleg surely knows.
>> >
>> > Asankha, Indika is correct on the above comment I guess... IOReactor has
>> > one-to-one relationship with the SSLContext, I think that is why
>> > Hiranya
>> > wanted multiple IOReactors to support this.
>> >
>> > Is there a mechanism where you can provide multiple SSLContexts to the
>> > IOEventDispatcher?? I suggest we get the patch from Hiranya and improve
>> > it
>> > to support this scenario, since he has some working code already. WDYT?
>> >
>> > Thanks,
>> > Ruwan
>> >
>>
>> I don't think that you even need multiple SSLContexts. Choosing the
>> client certificate is the responsibility of X509(Extended)KeyManager.
>> Probably the requirement is already supported out-of-the-box by the
>> default key manager implementation. If not, the option is to implement
>> a custom version.
>
> If you need to provide the different certs through different stores
> (different JKS files), I don't think the key manager can handle that,
> because there is no way that the key manager can find different key stores
> without the user (nhttp transport) feeding it the key store.
>
> Am I missing anything?
>
> Thanks,
> Ruwan
>
>>
>> >>
>> >> Thanks
>> >> Indika
>> >>
>> >>
>> >> >
>> >> > I guess the real use case is the ability to use multiple identity
>> >> > certificates when communicating out. A usual use case is that one
>> >> > organization would need to use an identity certificate A when talking
>> >> > to
>> >> > an
>> >> > endpoint of Company A, and another identity certificate B when
>> >> > talking
>> >> > to an
>> >> > endpoint of Company B etc, when using 2-way SSL. This does not
>> >> > necessarily
>> >> > require the support for multiple keystores, unless I have missed
>> >> > something.
>> >> >
>> >> > I have not yet looked into details.. but I do not directly see the
>> >> > need
>> >> > for
>> >> > multiple IO reactors to support this.. but just multiple SSLContexts.
>> >> >
>> >> > cheers
>> >> > asankha
>> >> >
>> >> > --
>> >> > Asankha C. Perera
>> >> > AdroitLogic, http://adroitlogic.org
>> >> >
>> >> > http://esbmagic.blogspot.com
>> >> >
>> >> >
>> >> >
>> >> >
>> >>
>> >
>> >
>> >
>> > --
>> > Ruwan Linton
>> > Technical Lead & Product Manager; WSO2 ESB; http://wso2.org/esb
>> > WSO2 Inc.; http://wso2.org
>> > email: ruwan@wso2.com; cell: +94 77 341 3097
>> > blog: http://ruwansblog.blogspot.com
>> >
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@synapse.apache.org
>> For additional commands, e-mail: dev-help@synapse.apache.org
>>
>
>
>
> --
> Ruwan Linton
> Technical Lead & Product Manager; WSO2 ESB; http://wso2.org/esb
> WSO2 Inc.; http://wso2.org
> email: ruwan@wso2.com; cell: +94 77 341 3097
> blog: http://ruwansblog.blogspot.com
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@synapse.apache.org
For additional commands, e-mail: dev-help@synapse.apache.org
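
The key-manager approach discussed in this thread can also cover separate JKS files when the transport hands each loaded store to a single key manager. The class below is an added example, not code from this thread or from Synapse; the name PerHostKeyManager, the host-to-store map and the "host|alias" tagging are assumptions for illustration, and it assumes engines are created with SSLContext.createSSLEngine(host, port) so that getPeerHost() is non-null.

```java
import java.net.Socket;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.net.ssl.*;

// Added example (hypothetical class): one key manager backed by several key stores.
public class PerHostKeyManager extends X509ExtendedKeyManager {
    private final Map<String, X509KeyManager> byHost; // peer host -> key manager of its store
    public PerHostKeyManager(Map<String, X509KeyManager> byHost) { this.byHost = byHost; }

    // Wraps one key store (for example one JKS file) in the default key manager.
    public static X509KeyManager forStore(KeyStore ks, char[] keyPass) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        for (KeyManager km : kmf.getKeyManagers())
            if (km instanceof X509KeyManager) return (X509KeyManager) km;
        throw new GeneralSecurityException("no X509KeyManager available for this store");
    }

    // Called for SSLEngine-based (NIO) connections on the client side of a 2-way SSL handshake.
    @Override
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        String host = engine == null ? null : engine.getPeerHost();
        X509KeyManager km = host == null ? null : byHost.get(host);
        if (km == null) return null; // unmapped peer: offer no client certificate
        String alias = km.chooseClientAlias(keyTypes, issuers, null);
        return alias == null ? null : host + "|" + alias; // tag the alias with its store
    }

    // Aliases are tagged "host|alias" so later lookups go back to the store that chose them.
    private X509KeyManager owner(String tagged) {
        int i = tagged == null ? -1 : tagged.indexOf('|');
        return i < 0 ? null : byHost.get(tagged.substring(0, i));
    }
    private static String bare(String tagged) { return tagged.substring(tagged.indexOf('|') + 1); }

    @Override public X509Certificate[] getCertificateChain(String a) {
        return owner(a) == null ? null : owner(a).getCertificateChain(bare(a));
    }
    @Override public PrivateKey getPrivateKey(String a) {
        return owner(a) == null ? null : owner(a).getPrivateKey(bare(a));
    }
    // Socket-based and server-side selection are outside this example.
    @Override public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return null; }
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return null; }
    @Override public String[] getClientAliases(String t, Principal[] i) { return null; }
    @Override public String[] getServerAliases(String t, Principal[] i) { return null; }
}
```

An instance is installed with SSLContext.init(new KeyManager[] { manager }, trustManagers, null), so a single SSLContext serves every endpoint. A peer with no entry in the map is offered no client certificate.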

