
problems of the SNI from Lee

16 messages

problems of the SNI from Lee

Lee YOU

Dear Sir/Madam,

I am Lee. These days I am trying to study the SNI support of Grizzly, but even after reading your source code of SNITest.java, I still do not know how to make it work, because I do not understand:

1. How do I bind my Grizzly HTTP server so that it supports HTTPS (SSL/TLS) to provide web services? Should I just use the TCPNIOTransport to bind a different port, or do I need to bind to the same port as the HTTP server?

2. Could you explain the meaning of the code in blue (marked with //) below:

Do I need this line in my own code?

Can I switch to a different SSL server configuration for each host to support SNI there?

If it returns null, what will happen for that host?

//////////////////////////

// sniFilter: the SNIFilter instance set up in SNITest.java
sniFilter.setServerSSLConfigResolver(new SNIServerConfigResolver() {

    @Override
    public SNIConfig resolve(Connection connection, String hostname) {
        // the line in blue: stores the requested host name on the connection
        sniHostAttr.set(connection, hostname);

        // server-side SSL configuration to use for this connection
        return SNIConfig.newServerConfig(sslServerEngineConfig);
    }
});

 

Thanks! and looking forward for your reply!

 

Best Regards,

Lee


Re: problems of the SNI from Lee

oleksiys
Administrator
Hi Lee,

am I understanding correctly, you're trying to use SNI support with Grizzly HttpServer?

> I am Lee. These days I am trying to study the SNI support of Grizzly, but even after reading your source code of SNITest.java, I still do not know how to make it work, because I do not understand:
>
> 1. How do I bind my Grizzly HTTP server so that it supports HTTPS (SSL/TLS) to provide web services? Should I just use the TCPNIOTransport to bind a different port, or do I need to bind to the same port as the HTTP server?

I can provide a sample by the end of the week.
The idea is to use HttpServer AddOn mechanism and update the HttpServer FilterChain to use SNIFilter instead of SSLBaseFilter.

> 2. Could you explain the meaning of the code in blue (marked with //) below

It just associates the hostname property with the connection.

> Do I need this line in my own code?

no. You may want to read this value, but definitely not set it.

> Can I switch to a different SSL server configuration for each host to support SNI there?

Sure.

> If it returns null, what will happen for that host?

The SNIFilter's default server SSLEngineConfigurator will be used.

Thanks

WBR,
Alexey.


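Alexey's suggestion (an HttpServer AddOn that swaps the listener's SSLBaseFilter for an SNIFilter, with a resolver that returns null to fall back to the default configurator), written out as an added example; it is not code from the thread or from the Grizzly project. It assumes a Grizzly 2.3.x build that includes the fixes Alexey mentions later in the thread, the FilterChainBuilder.indexOfType/set and NetworkListener.registerAddOn methods of Grizzly 2.3, and placeholder keystore paths and host names.

```java
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.glassfish.grizzly.Connection;
import org.glassfish.grizzly.filterchain.FilterChainBuilder;
import org.glassfish.grizzly.http.server.AddOn;
import org.glassfish.grizzly.http.server.HttpServer;
import org.glassfish.grizzly.http.server.NetworkListener;
import org.glassfish.grizzly.sni.SNIConfig;
import org.glassfish.grizzly.sni.SNIFilter;
import org.glassfish.grizzly.sni.SNIServerConfigResolver;
import org.glassfish.grizzly.ssl.SSLBaseFilter;
import org.glassfish.grizzly.ssl.SSLContextConfigurator;
import org.glassfish.grizzly.ssl.SSLEngineConfigurator;

/**
 * HttpServer AddOn that replaces the listener's SSLBaseFilter with an SNIFilter
 * whose resolver chooses an SSLEngineConfigurator per requested host name.
 * (Added example; assumes the Grizzly 2.3 AddOn/FilterChainBuilder API.)
 */
public final class SniAddOn implements AddOn {

    private final SSLEngineConfigurator defaultConfig;
    private final Map<String, SSLEngineConfigurator> perHost = new ConcurrentHashMap<>();

    public SniAddOn(SSLEngineConfigurator defaultConfig) {
        this.defaultConfig = defaultConfig;
    }

    /** Register the server configuration (certificate/key) to present for one host. */
    public SniAddOn addHost(String hostname, SSLEngineConfigurator config) {
        perHost.put(normalize(hostname), config);
        return this;
    }

    /** SNI host names are case-insensitive; a trailing dot is not part of the name. */
    static String normalize(String hostname) {
        final String h = hostname.trim().toLowerCase(Locale.ROOT);
        return h.endsWith(".") ? h.substring(0, h.length() - 1) : h;
    }

    @Override
    public void setup(NetworkListener listener, FilterChainBuilder builder) {
        // HttpServer adds the SSLBaseFilter for a secure listener before AddOns run.
        final int sslIdx = builder.indexOfType(SSLBaseFilter.class);
        if (sslIdx < 0) {
            throw new IllegalStateException("listener " + listener.getName() + " is not secure");
        }
        final SNIFilter sniFilter = new SNIFilter(defaultConfig, null); // server side only
        sniFilter.setServerSSLConfigResolver(new SNIServerConfigResolver() {
            @Override
            public SNIConfig resolve(Connection connection, String hostname) {
                // No SNI extension (old client, connection by IP) or an unknown host:
                // return null so the SNIFilter falls back to its default configurator.
                if (hostname == null) {
                    return null;
                }
                final SSLEngineConfigurator cfg = perHost.get(normalize(hostname));
                return cfg == null ? null : SNIConfig.newServerConfig(cfg);
            }
        });
        builder.set(sslIdx, sniFilter);
    }

    /** Server-side configurator from a keystore holding one host's key and chain. */
    static SSLEngineConfigurator serverConfig(String keyStorePath, String keyStorePass) {
        final SSLContextConfigurator ctx = new SSLContextConfigurator();
        ctx.setKeyStoreFile(keyStorePath);
        ctx.setKeyStorePass(keyStorePass);
        // client mode = false; client authentication neither required nor requested
        return new SSLEngineConfigurator(ctx.createSSLContext(), false, false, false);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder keystore paths; the default certificate is what non-SNI clients get.
        final SSLEngineConfigurator fallback = serverConfig("/path/to/default.jks", "changeit");
        final SniAddOn sni = new SniAddOn(fallback)
                .addHost("a.example.test", serverConfig("/path/to/a.jks", "changeit"))
                .addHost("b.example.test", serverConfig("/path/to/b.jks", "changeit"));

        // A separate HTTPS listener on its own port, next to any plain HTTP listener.
        final NetworkListener https =
                new NetworkListener("https", NetworkListener.DEFAULT_NETWORK_HOST, 8443);
        https.setSecure(true);
        https.setSSLEngineConfig(fallback); // makes HttpServer insert the SSLBaseFilter we replace
        https.registerAddOn(sni);

        final HttpServer server = new HttpServer();
        server.addListener(https);
        server.start();
        System.out.println("HTTPS with SNI on port 8443; press Enter to stop");
        System.in.read();
        server.shutdownNow();
    }
}
```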


Re: problems of the SNI from Lee

Lee YOU
Hi Alexey,

Many thanks for your kind reply. And yes, I am trying to set up my Grizzly HttpServer to provide HTTPS services for multiple virtual hosts via the SNI API.

Currently, I have added a NetworkListener to the httpServer and replaced the SSLBaseFilter in the filterChain of that listener with a new SNIFilter and resolver. But I got a NullPointerException at SNIFilter.handleRead(SNIFilter.java:241).

Here is some part of my code, and logs for your reference, as below:

// add an HTTPS listener
SSLEngineConfigurator ssle = new SSLEngineConfigurator(serverSslContext.createSSLContext(), false, false, false);
NetworkListener listener = new NetworkListener("ssl", NetworkListener.DEFAULT_NETWORK_HOST, new PortRange(777));

listener.setSSLEngineConfig(ssle);
listener.setSecure(true);
httpServer.addListener(listener);

// replace the SSLBaseFilter
FilterChain filterChain = listener.getFilterChain();
this.sniFilter = new SNIFilter(this.sslEngineConfig, null);
if (sniServerConfigResolver instanceof SNIServerConfigResolver) {
    log.info("setupSNI and sniServerConfigResolver is:" + sniServerConfigResolver);
    this.sniFilter.setServerSSLConfigResolver(sniServerConfigResolver);
}
this.outputFilters(filterChain);   // logs the chain before the change
Filter sslFilter = null;
for (int i = 0; i < filterChain.size(); i++) {
    sslFilter = filterChain.get(i);

    if (sslFilter instanceof TransportFilter) {
        // drops the SSLBaseFilter$SSLTransportFilterWrapper at index 0 (see the logs)
        log.info("setup SNI and TransportFilter is removed. ");
        filterChain.remove(i--);
        continue;
    }

    if (sslFilter instanceof SSLBaseFilter) {
        log.info("setup SNI and SSLBaseFilter is changed to be " + this.sniFilter);
        filterChain.set(i, this.sniFilter);
    }
}

this.outputFilters(filterChain);   // logs the chain after the change

//LOGS
INFO  co.iueo.server.IueoSNIService  - setupSNI and sniServerConfigResolver is:co.iueo.server.IueoSNIService$1@43bd05c9
INFO  co.iueo.server.IueoSNIService  - setup SNI and Filters in the FilterChain is 0  org.glassfish.grizzly.ssl.SSLBaseFilter$SSLTransportFilterWrapper@1772594d
INFO  co.iueo.server.IueoSNIService  - setup SNI and Filters in the FilterChain is 1  org.glassfish.grizzly.ssl.SSLBaseFilter@5d44bbf0
INFO  co.iueo.server.IueoSNIService  - setup SNI and Filters in the FilterChain is 2  org.glassfish.grizzly.http.HttpServerFilter@14d11fff
INFO  co.iueo.server.IueoSNIService  - setup SNI and Filters in the FilterChain is 3  org.glassfish.grizzly.utils.IdleTimeoutFilter@3f69d3e1
INFO  co.iueo.server.IueoSNIService  - setup SNI and Filters in the FilterChain is 4  org.glassfish.grizzly.http.server.FileCacheFilter@3ad44d70
INFO  co.iueo.server.IueoSNIService  - setup SNI and Filters in the FilterChain is 5  org.glassfish.grizzly.websockets.WebSocketFilter@4237fae1
INFO  co.iueo.server.IueoSNIService  - setup SNI and Filters in the FilterChain is 6  org.glassfish.grizzly.http.server.HttpServerFilter@5e052bbf
INFO  co.iueo.server.IueoSNIService  - setup SNI and TransportFilter is removed.
INFO  co.iueo.server.IueoSNIService  - setup SNI and SSLBaseFilter is changed to be org.glassfish.grizzly.sni.SNIFilter@2f021d45
INFO  co.iueo.server.IueoSNIService  - setup SNI and Filters in the FilterChain is 0  org.glassfish.grizzly.sni.SNIFilter@2f021d45
INFO  co.iueo.server.IueoSNIService  - setup SNI and Filters in the FilterChain is 1  org.glassfish.grizzly.http.HttpServerFilter@14d11fff
INFO  co.iueo.server.IueoSNIService  - setup SNI and Filters in the FilterChain is 2  org.glassfish.grizzly.utils.IdleTimeoutFilter@3f69d3e1
INFO  co.iueo.server.IueoSNIService  - setup SNI and Filters in the FilterChain is 3  org.glassfish.grizzly.http.server.FileCacheFilter@3ad44d70
INFO  co.iueo.server.IueoSNIService  - setup SNI and Filters in the FilterChain is 4  org.glassfish.grizzly.websockets.WebSocketFilter@4237fae1
INFO  co.iueo.server.IueoSNIService  - setup SNI and Filters in the FilterChain is 5  org.glassfish.grizzly.http.server.HttpServerFilter@5e052bbf


….
java.lang.NullPointerException
    at org.glassfish.grizzly.sni.SNIFilter.handleRead(SNIFilter.java:241)
    at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
    at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:561)

////
This NullPointerException might be because I removed the TransportFilter of the SSLBaseFilter when replacing it.
Should I create a new TCPNIOTransport and a new FilterChain instead of using the NetworkListener?
If yes, how could I get all the other filters like HttpServerFilter, IdleTimeoutFilter…

Thanks again, have a great day!
Lee

Quoted from:
http://grizzly.1045725.n5.nabble.com/problems-of-the-SNI-from-Lee-tp5710686p5710694.html


Re: problems of the SNI from Lee

oleksiys
Administrator
Hi Lee,

I've just added the sample:
https://java.net/projects/grizzly/sources/git/revision/ee6cff79e6f2bfcb6e079aebe3eb6b2941635d08

but unfortunately it requires some fixes I made on 2.3.x branch.
With the 2.3.18 you'll need to apply a workaround (see attached).

Hope it will help.

WBR,
Alexey.

Attachment: http-server-sni.zip (9K)

Re: problems of the SNI from Lee

Lee YOU
Hi Alexey,

So cool, got it, and I will try it again in the next few days.

For me, one problem with this sample is that I cannot switch the "JKS" files on my server. What I need to do is switch among a number of HTTPS (SSL/TLS) certificates (cer/crt format) stored in a database, which came from the clients and were issued by different CAs, and I have no chance/ability to import/classify all of them one by one into one, two or even more keystore files for maintenance.

Also, I used setKeyStoreBytes(…) of SSLContextConfigurator for the certificate's bytes; it does not look like it supports that crt/cer format, and there is no other method that supports certificates either. So, do you have any good ideas/best experiences about that?

Thanks,
Lee


Re: problems of the SNI from Lee

oleksiys
Administrator
Hi Lee,

do I understand correctly that now it's a general Java question, rather than a Grizzly one, or do you know how to implement what you need in Java and just don't know how to do the same in Grizzly?
I don't have much experience in the security area, but I remember I had to convert cer certificates to jks (using Java keytool) in order to use them.

Thanks.

WBR,
Alexey.


Re: problems of the SNI from Lee

Lee YOU
Hi Alexey,

Maybe it is a general question, because we have to convert cer certificates to jks keystore file(s) first before using them for normal SSL access. But with SNI it is inefficient/impossible when there are a number of certificates in that file(s).

So, we need to switch to the different certificate directly in the SNI. There is no class to support it; we only have the setKeyStoreXXX methods in SSLContextConfigurator for the keystore.
Currently, I am trying to use KeyStoreSpi, but I don't know how to integrate it with our SNI. Here is the KeyStoreSpi URL for your reference, as below:

Meanwhile, I am also trying to override the @Override [public NextAction handleEvent(FilterChainContext ctx, FilterChainEvent event)] of the SNIFilter, for switching to the matched certificate directly instead of the SNIServerConfigResolver, SSLEngineConfigurator or even more. Is that right/correct? What do you think of this? Do you have any good ideas?

Thanks!
Lee


Re: problems of the SNI from Lee

oleksiys
Administrator
Hi Lee,

if you could set the KeyManager for SSLEngineConfiguration, would it help to solve the problem?
What if inside the custom KeyManager you knew the SNI host of a specific SSLEngine (before starting the handshake), would it help?

WBR,
Alexey.


Re: problems of the SNI from Lee

Lee YOU
Hi Alexey,

Yes, that is true: a specific SSLEngine is needed before the SSL handshake.

Adding an interface in SSLEngineConfigurator/SSLContextConfigurator/a new class to support a custom KeyManager is really a good idea; then we need not care about the keyStore anymore, and our Grizzly will be more flexible.

If there is any sample for it, that would be great!

Thanks again!
Lee


Re: problems of the SNI from Lee

oleksiys
Administrator
Hi Lee,

did you try to create an SSLContext with custom KeyStores and then pass the SSLContext to SSLEngineConfigurator?

SSLEngineConfigurator configurator = new SSLEngineConfigurator(sslContext, false, ....);

In the custom KeyManager implementation (for example you can extend X509ExtendedKeyManager), you can choose the alias for the SSLEngine before the handshake happens:

            @Override
            public String chooseEngineServerAlias(String string, Principal[] prncpls, SSLEngine ssle) {
                // server side: return the alias of the certificate to present on this engine
            }

            @Override
            public String chooseEngineClientAlias(String[] strings, Principal[] prncpls, SSLEngine ssle) {
                // client side: not needed for a server
            }

Grizzly SNI Filter can pass the SNI information via sslEngine.getSession() attribute.

Want to try that way?

Thanks.

WBR,
Alexey.

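The custom KeyManager approach Alexey describes above, as an added example that is not from the thread or from Grizzly: it extends X509ExtendedKeyManager, picks the certificate alias in chooseEngineServerAlias from the SNI host name, and builds the SSLContext handed to SSLEngineConfigurator from an in-memory keystore, which addresses Lee's point that his certificates live in a database rather than in JKS files. It assumes Java 8+ JSSE, where the host name is read from the handshake session (ExtendedSSLSession.getRequestedServerNames()) rather than from the Grizzly session attribute Alexey mentions (its key is not given in the thread), that each host's private key is available alongside its certificate chain, and that aliases are the lower-cased host names.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.Map;

import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.StandardConstants;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

import org.glassfish.grizzly.ssl.SSLEngineConfigurator;

/** KeyManager that picks the server certificate by the SNI host name the client sent. (Added example.) */
public final class SniKeyManager extends X509ExtendedKeyManager {

    /** One host's key material, e.g. a private key plus its chain loaded from a database row. */
    public static final class HostKey {
        final PrivateKey key;
        final X509Certificate[] chain;
        public HostKey(PrivateKey key, X509Certificate[] chain) { this.key = key; this.chain = chain; }
    }

    private final X509KeyManager delegate;  // owns the keys; aliases are lower-cased host names
    private final String defaultAlias;      // served when SNI is absent or names an unknown host

    private SniKeyManager(X509KeyManager delegate, String defaultAlias) {
        this.delegate = delegate;
        this.defaultAlias = defaultAlias;
    }

    /** Host name from the ClientHello of the handshake in progress (lower-cased), or null. */
    static String requestedHost(SSLEngine engine) {
        final SSLSession hs = engine.getHandshakeSession();
        if (!(hs instanceof ExtendedSSLSession)) return null;
        for (SNIServerName n : ((ExtendedSSLSession) hs).getRequestedServerNames()) {
            if (n.getType() == StandardConstants.SNI_HOST_NAME) {
                return ((SNIHostName) n).getAsciiName().toLowerCase(Locale.ROOT);
            }
        }
        return null;
    }

    /** The alias, if the keystore has it and its key fits the key type JSSE asks for ("RSA", "EC", ...). */
    private String usable(String alias, String keyType) {
        final PrivateKey k = alias == null ? null : delegate.getPrivateKey(alias);
        return (k != null && keyType.startsWith(k.getAlgorithm())) ? alias : null;
    }

    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        final String byHost = usable(requestedHost(engine), keyType);
        return byHost != null ? byHost : usable(defaultAlias, keyType);
    }

    // Server-only key manager: it never acts as a TLS client.
    @Override public String chooseEngineClientAlias(String[] t, Principal[] i, SSLEngine e) { return null; }
    @Override public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return null; }
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return usable(defaultAlias, t); }
    @Override public String[] getClientAliases(String t, Principal[] i) { return null; }
    @Override public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

    /**
     * Builds an in-memory keystore (alias = host name) from the entries, wraps it in this
     * key manager and returns a Grizzly server-side configurator: no JKS file on disk.
     */
    public static SSLEngineConfigurator grizzlyConfig(Map<String, HostKey> hosts, String defaultHost)
            throws Exception {
        final char[] pass = "in-memory-only".toCharArray();   // store is never written out
        final KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                                   // start from an empty store
        for (Map.Entry<String, HostKey> e : hosts.entrySet()) {
            ks.setKeyEntry(e.getKey().toLowerCase(Locale.ROOT), e.getValue().key, pass, e.getValue().chain);
        }
        // "SunX509" keeps keystore aliases 1:1 (the "NewSunX509" manager prefixes them).
        final KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, pass);
        X509KeyManager base = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) { base = (X509KeyManager) km; break; }
        }
        if (base == null) throw new IllegalStateException("no X509KeyManager available");
        final SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new SniKeyManager(base, defaultHost.toLowerCase(Locale.ROOT)) },
                 null, null);                                  // default trust managers
        return new SSLEngineConfigurator(ctx, false, false, false); // server mode, no client auth
    }
}
```

With the certificate chosen inside JSSE this way, a plain secure NetworkListener (SSLBaseFilter) is enough; no SNIFilter or resolver is needed for the selection itself.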

Re: problems of the SNI from Lee

Lee YOU

Hi Alexey,

I coded a custom KeyManager; luckily, it works.

But when I was trying to code a custom TrustManager, it failed. And when changing to the original way (using the TrustStore file only) from your sample:

1) serverSslContext.setTrustStoreFile(..), .setTrustStorePass(…),

2) context = serverSslContext.createSSLContext();

3) new SSLEngineConfigurator(context, false, false, false);

it still failed. Is there something I missed?

*** the .crt is imported in the TrustStore and the browser already trusts it ***

Thanks

Lee



On 3 February 2015 at 21:25, Lee You <[hidden email]> wrote:
Hi Alexey,

Yes, that is true, a specific SSLEngine is needed before the SSL handshaking. 

To add an interface in SSLEngineConfigurator/SSLContextConfigurator/new class for supporting custom KeyManager is really a good idea, then we need not care about the keyStore anymore.  And our Grizzly will be more flexible.  

If there is any sample for it that would be great!

Thanks again!
Lee


>>>>>>>>>
Hi Lee,

if you could set the KeyManager for SSLEngineConfiguration would it help to solve the problem?
What if inside the custom KeyManager you knew the SNI host of a specific SSLEngine (before starting handshake) - would it help?

WBR,
Alexey.



Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: problems of the SNI from Lee

Lee YOU
Thank you Alexey,

I coded a custom KeyManager, luckily, it is works.

But, when I was trying to code a custom TrustManager  is failed. And, then changing the way to the original one(using TrustStore File Only) :
1)    serverSslContext.setTrustStoreFile(..) , .setTrustStorePass(…),

2)    context = serverSslContext.createSSLContext();

3)    new SSLEngineConfigurator(context, false, false, false);

 
it is still failed. Is there something I missed?

*** the .crt imported into the TrustStore  and the browser trusted it already***

Thanks 
Lee



<quote author='oleksiys'>
Hi Lee,

did you try to create an SSLContext with custom KeyStores and then pass the SSLContext to SSLEngineConfigurator?

SSLEngineConfigurator configurator = new SSLEngineConfigurator(sslContext, false, ....);

In the custom KeyManager implementation (for example, you can extend X509ExtendedKeyManager), you can choose the alias for the SSLEngine before the handshake happens.
             @Override
             public String chooseEngineServerAlias(String string, Principal[] prncpls, SSLEngine ssle) {
                 // choose the server certificate alias for this engine here
             }

             @Override
             public String chooseEngineClientAlias(String[] strings, Principal[] prncpls, SSLEngine ssle) {
                 // choose the client certificate alias for this engine here
             }

The Grizzly SNI Filter can pass the SNI information via an sslEngine.getSession() attribute.

Want to try that way?

Thanks.

WBR,
Alexey.


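A custom X509ExtendedKeyManager of the kind Alexey describes, added here as an illustration and not code from this thread or from Grizzly: it reads the SNI host name from the engine's session and maps it to a key store alias before the handshake. The session value name "sni-host", the host-to-alias map and the fallback alias are assumptions; the SNI filter has to store the host name under that key first.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/** Picks the server certificate alias from the SNI host name stored on the engine's session. */
public final class SniKeyManager extends X509ExtendedKeyManager {
    /** Assumed name of the session value the SNI filter stores; adjust to the filter's real key. */
    static final String SNI_HOST_KEY = "sni-host";
    private final X509KeyManager delegate;          // key manager built from the key store
    private final Map<String, String> hostToAlias;  // e.g. "a.example" -> "a-cert"
    private final String fallbackAlias;             // used when SNI is absent or unknown
    SniKeyManager(X509KeyManager delegate, Map<String, String> hostToAlias, String fallbackAlias) {
        this.delegate = delegate; this.hostToAlias = hostToAlias; this.fallbackAlias = fallbackAlias;
    }
    /** Host names are case-insensitive; an unknown name gets the fallback instead of aborting the handshake. */
    static String aliasFor(Map<String, String> hostToAlias, String fallback, String host) {
        return host == null ? fallback : hostToAlias.getOrDefault(host.toLowerCase(java.util.Locale.ROOT), fallback);
    }
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        Object host = engine.getSession().getValue(SNI_HOST_KEY);  // set by the SNI filter before the handshake
        return aliasFor(hostToAlias, fallbackAlias, host instanceof String ? (String) host : null);
    }
    // Server side only: no client certificate is ever offered from here.
    @Override public String chooseEngineClientAlias(String[] kt, Principal[] is, SSLEngine e) { return null; }
    @Override public String chooseClientAlias(String[] kt, Principal[] is, Socket s) { return null; }
    @Override public String[] getClientAliases(String kt, Principal[] is) { return null; }
    @Override public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
    @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return fallbackAlias; }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    /** Context for new SSLEngineConfigurator(ctx, false, false, false). A server needs a key store: a trust store alone gives it no certificate, and the trust store is consulted only when client auth is enabled. */
    static SSLContext sslContext(KeyStore ks, char[] pass, Map<String, String> hostToAlias, String fallback) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pass);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new SniKeyManager((X509KeyManager) kmf.getKeyManagers()[0], hostToAlias, fallback) }, null, null);
        return ctx;
    }
}
```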


Re: problems of the SNI from Lee

oleksiys
Administrator
Can you pls. share the code (via github?)

Thanks.

WBR,
Alexey.

On 04.02.15 18:46, Lee You wrote:

Re: problems of the SNI from Lee

Lee YOU
In reply to this post by Lee YOU
Hi Alexey,

Here are just a few lines for the TrustStore, as below. Did I miss something?

///////////////////////////
            // cl is the ClassLoader used to locate the store files and log is the class logger (both from the enclosing class)
            final String keystoreName = "loopbackdns.keystore";
            final String keystorePass = "michaelpwd";
            final String truststoreName = "truststore.jks";
            final String truststorePass = "loopbackdns";

            SSLContextConfigurator serverSslContext = new SSLContextConfigurator();

            // Locate key store and trust store on the classpath
            URL keystoreUrl = cl.getResource(keystoreName);
            log.info(" keystoreURL:" + keystoreUrl);
            URL truststoreUrl = cl.getResource(truststoreName);
            log.info(" truststoreURL:" + truststoreUrl);
            
            keystoreUrl = null;  // only using the truststore, so the key store block below is skipped
            if (keystoreUrl != null) {
                serverSslContext.setKeyStoreFile(keystoreUrl.getFile());
                serverSslContext.setKeyStorePass(keystorePass);
            }

            if (truststoreUrl != null) {
                serverSslContext.setTrustStoreFile(truststoreUrl.getFile());
                serverSslContext.setTrustStorePass(truststorePass);
            }

            // server mode, no client auth required or requested
            this.sslDefEngineConfig = new SSLEngineConfigurator(serverSslContext.createSSLContext(), false, false, false);
///////////////////////////


Re: problems of the SNI from Lee

oleksiys
Administrator
Hi Lee,

Looks fine to me.
Can you share the entire project (at least the SNI/TLS part of it) so we can reproduce the problem and try to resolve it?
Then we can use this project as part of a "how to".

Thank you.

WBR,
Alexey.

On 05.02.15 15:02, Lee You wrote: