On 06/16/2010 07:44 PM, Costin Manolache wrote:
> On Tue, Jun 15, 2010 at 11:14 PM, jean-frederic clere 
> <jfcl...@gmail.com> wrote:
> 
>> On 06/16/2010 07:08 AM, Mladen Turk wrote:
>>> On 06/16/2010 12:34 AM, Costin Manolache wrote:
>>>> Hi,
>>>>
>>>> There are some methods in SSLContext to create and use a new BIO. Are
>>>> there
>>>> any examples/tests for this ? I can't find how to attach the BIO to a
>>>> socket, it seems SSL_set_bio is never called, can't figure what
>>>> SSLContext.setBIO() does.
>>>>
>>>
>>> I'd suggest you forget about those ;)
>>>
>>> SSL BIO allows one to write Java code that SSL will use
>>> for read/write to the sockets.
>>> Jean-Frederic created those but cannot tell for what reason.
>>
>> The idea was to use java socket directly to have just the crypto layer
>> done by SSL but tc-native went another way.
>>
> 
> 
> I know - it allows one to use OpenSSL like SSLEngine - without doing the
> network
> IO through OpenSSL.
> 
> I'm not worried about the 4-5 extra JNI calls - we're talking about slow
> encryption here.
> 
> For tomcat-lite - JSSE is a dead end, there is no way to support SPDY and a
> lot of other
> things are bad/missing ( i.e. most SSL extensions - hostname, session
> tickets, etc ).
> However I want to separate the I/O from the encryption.

Maybe we should just start another native module so that we don't need
to use APR but only OpenSSL.

Cheers

Jean-Frederic

> 
> 
> 
> 
>>
>>> Probably to allow direct java.sockets via SSL by writing
>>> custom wrapper for SSL Bio (really cannot figure out
>>> why would one wish to go through 4 JNI callback layers for
>>> making a write, but it's there).
>>> Like you said it wasn't tested, and I was trying to
>>> axe this stuff from version 0.1, but it still hangs there.
>>>
>>> Why would you need that?
>>
>> If not needed we should remove it.
>>
> 
> Well, I think it would be needed - if it would work.
> Tomcat-native can be used for more than the tomcat connector - especially
> since it's now
> easy to install on linux ( apt-get install :-).
> 
> I would guess adding just the SSL_set_bio() would be enough - assuming the
> rest of the
> BIO impl is ok.
> 
> Do you have any test code you used when implementing this ?  I think adding
> the missing pieces
> may be better than throwing it away.
> 
> Costin
> 
> 
>> Cheers
>>
>> Jean-Frederic
>>
>>>
>>>
>>> Regards
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: dev-h...@tomcat.apache.org
>>
>>
> 
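
Added example, not part of the original thread and not tomcat-native code: the "OpenSSL as an SSLEngine" pattern discussed above, shown with Python's ssl module, whose wrap_bio() attaches two OpenSSL memory BIOs to the SSL object so the caller moves every byte itself. The hostname and all function names are constructed for illustration; no socket is opened.

```python
import ssl

HOSTNAME = "example.test"  # constructed placeholder; never resolved or contacted


def new_engine(hostname=HOSTNAME):
    """Client-side TLS engine wired to two memory BIOs instead of a socket."""
    incoming = ssl.MemoryBIO()  # ciphertext received from the peer goes in here
    outgoing = ssl.MemoryBIO()  # ciphertext OpenSSL wants sent comes out here
    ctx = ssl.create_default_context()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    return tls, incoming, outgoing


def step(tls):
    """Advance the handshake as far as the buffered input allows."""
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        return "want_read"   # read BIO drained; caller must fetch more bytes
    except ssl.SSLError:
        return "rejected"    # peer bytes were not a valid TLS flight
    return "done"


def client_first_flight(hostname=HOSTNAME):
    """Bytes the caller would now send over whatever transport it owns."""
    tls, _incoming, outgoing = new_engine(hostname)
    step(tls)
    return outgoing.read()


def record_header(data):
    """(content_type, major_version, length) of the first TLS record."""
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    return data[0], data[1], int.from_bytes(data[3:5], "big")


def feed(peer_bytes):
    """Hand bytes 'from the network' to the engine and report what it needs."""
    tls, incoming, outgoing = new_engine()
    step(tls)
    outgoing.read()            # the ClientHello the caller would have sent
    incoming.write(peer_bytes)
    return step(tls)
```

The first flight is an ordinary handshake record that carries the SNI hostname, and a truncated or non-TLS reply is reported back to the caller instead of being read from a socket.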

