- Feature Request
- Resolution: Done
- Major
- 1.4.11.Final
- None
Hello All:
I am in the middle of adding some security features which are being ported over from a Jetty security context. Jetty has the ability to better control and configure the SSLEngine. Undertow does have a pretty good API for changing the basic SSLEngine configuration (when things are static) but lacks a few features. There are a few stories/issues related to improvements in this area and I thought I would offer my 2 cents since I am actually having to implement this myself right now:
https://issues.jboss.org/projects/UNDERTOW/issues/UNDERTOW-750?filter=allopenissues
This issue does offer some interesting ideas like providing ability to configure SSLEngine via some options or even extending/decorating SSLContext. This would work assuming the following issue is resolved:
https://issues.jboss.org/projects/UNDERTOW/issues/UNDERTOW-649?filter=allopenissues
Since the Undertow application layer options could override anything in SSLEngine that SSLContextSpi initially configured, I opted to just extend Undertow code as follows:
1. Expose the channels list instance in Undertow so I can iterate through the servers when dynamic properties change on the fly. Client auth mode is the main reason. Basically copied the Undertow class and updated a few things.
2. For more versatility, I created an option which allows for customization during the accept channel phase in the form of a callback event. One call back just before the SSLEngine is created and initialized. This allows one to dynamically change the Undertow options (UndertowAcceptingSslChannel) if needed. Another callback just after the initial settings are changed but before the ssl connection is created and accept is returned to the listener. This was quite easy to do but had to subclass the following classes:
a. UndertowAcceptingSslChannel – Had to work around package protected. Specially added handling for the callback option and override both accept methods for the configuration portion.
b. UndertowXnioSsl – Applied custom UndertowAcceptingSslChannel. Would be nice if DEFAULT_BUFFER_POOL was protected instead of private.
c. Undertow – Applied custom UndertowXnioSsl instances and exposed channels list to API. Would be nice if there were factories as part of Undertow builder so one could provide custom instances of things like UndertowXnioSsl.
My questions are as follows:
1. Would you be interested in seeing my code changes or contributions? I'd rather not have to maintain a small code base just to customize SSLEngine, etc.
2. Beyond the ability to configure at the Undertow application level, I do think the ability to honor an SSLContext is a great idea. I didn't do anything myself to address this since I now have full control over SSLEngine if necessary. Anyway, I am wondering if this issue can be fixed and applied to 1.14.11.Final soon please:
https://issues.jboss.org/projects/UNDERTOW/issues/UNDERTOW-649?filter=allopenissues
Please let me know.
Thanks,
Bradley
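The "extend/decorate SSLContext" idea referenced above (UNDERTOW-750), shown as an added example that is not part of the original request and not the reporter's code: a wrapper SSLContext whose SSLContextSpi delegates to an existing context but hardens every SSLEngine it creates (protocol list, cipher-suite filter, client auth required). Because the request notes that Undertow's XNIO-level options are applied on top of whatever the SSLContext configured (UNDERTOW-649), the same values are also set as socket options on the builder, so the result is the same whichever layer wins. Assumptions: the Undertow 1.4.x builder API (addHttpsListener, setSocketOption, setHandler) and the XNIO options Options.SSL_CLIENT_AUTH_MODE and Options.SSL_ENABLED_PROTOCOLS; the base context in main() is initialised with null key material only as a placeholder.

```java
import io.undertow.Undertow;
import org.xnio.Options;
import org.xnio.Sequence;
import org.xnio.SslClientAuthMode;

import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLContextSpi;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import java.security.KeyManagementException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;

/**
 * Decorates an already-initialised SSLContext so that every SSLEngine it
 * hands out comes back with a restricted protocol list, a filtered
 * cipher-suite list and client authentication required.
 * Example code; not Undertow's own API.
 */
public final class HardenedSslContext extends SSLContext {

    private static final String[] PROTOCOLS = {"TLSv1.2"};

    public HardenedSslContext(SSLContext delegate) {
        // SSLContext's protected constructor lets us plug in our own SPI.
        super(new DelegatingSpi(delegate), delegate.getProvider(), delegate.getProtocol());
    }

    /** Apply the hardening to one engine; returns the same engine for chaining. */
    static SSLEngine harden(SSLEngine engine) {
        engine.setEnabledProtocols(PROTOCOLS);
        // Keep only forward-secret AEAD suites out of what the engine supports.
        List<String> suites = new ArrayList<>();
        for (String s : engine.getSupportedCipherSuites()) {
            if (s.startsWith("TLS_ECDHE_") && s.contains("_GCM_")) {
                suites.add(s);
            }
        }
        engine.setEnabledCipherSuites(suites.toArray(new String[0]));
        engine.setNeedClientAuth(true);   // mutual TLS: reject clients without a certificate
        return engine;
    }

    /** Forwards everything to the wrapped context, hardening engines on the way out. */
    private static final class DelegatingSpi extends SSLContextSpi {
        private final SSLContext delegate;

        DelegatingSpi(SSLContext delegate) {
            this.delegate = delegate;
        }

        @Override
        protected void engineInit(KeyManager[] km, TrustManager[] tm, SecureRandom sr)
                throws KeyManagementException {
            delegate.init(km, tm, sr);
        }

        @Override
        protected SSLSocketFactory engineGetSocketFactory() {
            return delegate.getSocketFactory();
        }

        @Override
        protected SSLServerSocketFactory engineGetServerSocketFactory() {
            return delegate.getServerSocketFactory();
        }

        @Override
        protected SSLEngine engineCreateSSLEngine() {
            return harden(delegate.createSSLEngine());
        }

        @Override
        protected SSLEngine engineCreateSSLEngine(String host, int port) {
            return harden(delegate.createSSLEngine(host, port));
        }

        @Override
        protected SSLSessionContext engineGetServerSessionContext() {
            return delegate.getServerSessionContext();
        }

        @Override
        protected SSLSessionContext engineGetClientSessionContext() {
            return delegate.getClientSessionContext();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder: a real deployment initialises this with its KeyManagers/TrustManagers.
        SSLContext base = SSLContext.getInstance("TLS");
        base.init(null, null, null);
        SSLContext hardened = new HardenedSslContext(base);

        Undertow server = Undertow.builder()
            .addHttpsListener(8443, "0.0.0.0", hardened)
            // Mirror the engine settings at the XNIO option level, since these
            // options are applied on top of what the SSLContext configured.
            .setSocketOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED)
            .setSocketOption(Options.SSL_ENABLED_PROTOCOLS, Sequence.of(PROTOCOLS))
            .setHandler(exchange -> exchange.getResponseSender().send("ok"))
            .build();
        server.start();
    }
}
```

Setting the values in both places is deliberate: until the SSLContext settings are honored, the socket options are what actually takes effect on the accepted engine, and keeping both in sync means a later fix cannot silently loosen the listener.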
- is related to: UNDERTOW-1178 Reload SSL Certs at Runtime (Resolved)