[security-dev 00178]: SSLContextFactory

Bruno Harbulot Bruno.Harbulot at manchester.ac.uk
Tue May 20 13:10:05 UTC 2008 

Hello,

I only found out recently about Sean Mullan's blog entry named "Security 
Feature Planning for JDK 7" (written almost two years ago) 
<http://weblogs.java.net/blog/mullan/archive/2006/08/security_featur.html>. 
After I contacted him, he kindly suggested this mailing-list could be 
the right place to discuss security features in JDK 7.

I've recently been trying to improve SSL support in a couple of 
open-source projects. This led me to build a small library, which I've 
called 'jsslutils' <http://code.google.com/p/jsslutils/>.
The idea behind this library is to provide an SSLContextFactory which 
can help configure an SSLContext for applications such as Restlet 
<http://www.restlet.org/> (Grizzly, Simple or Jetty connectors) or Jetty 
<http://www.mortbay.org/jetty/>. Sub-classes of SSLContextFactory can 
provide extra features such as helping with the configuration of CRLs, 
or customization of the Key/TrustManagers. (If you wish to try it out, 
there are some jUnit tests in the subversion repository.)
I would be interested in having your opinions regarding an 
SSLContextFactory, and whether something similar may have already been 
discussed. Looking at the JDK 7 API, there doesn't seem to be an such a 
class/interface. This has been a rather useful feature for my 
application so far, and it should make it easy to support CRLs for 
example in something like Jetty. However, I'm not sure whether it would 
be good to have something like this SSLContextFactory in JDK 7. Perhaps 
there are other better ways to achieve these goals.

One of the main problems I still find is that few applications support 
setting up the SSLContext, which makes it sometimes difficult to 
configure more advanced features such as CRLs. Java 6 provides a way to 
set a default SSLContext, but this is not ideal. Sometimes, various 
connectors in the application may want to use different SSLContexts 
(perhaps with different truststores and keystores). For example, I would 
like to be able to set a specific SSLContext when using JavaMail, but I 
haven't found any documentation making it possible to set up the 
truststore and keystores independently, instead, it seems to rely on the 
default system properties.


Best wishes,

Bruno.

More information about the security-dev mailing list