This thread is to capture the effort to derive a common configuration that can be used for both JSSE and OpenSSL. This is currently evident in the web subsystem (File: org.jboss.as.web.WebConnectorService)
JFClere did background work on finding the settings for both jsse and openssl for the web subsystem. But since this is cross-cutting, we need the same for the security subsystem also.
sslType covers both JSSE and OpenSSL
Open SSL Settings:
- PASSWORD: setSSLPassword
- CERTIFICATE_KEY_FILE: setSSLCertificateKeyFile
- CIPHER_SUITE: setSSLCipherSuite
- PROTOCOL: setSSLProtocol
- VERIFY_CLIENT: setSSLVerifyClient
- VERIFY_DEPTH: setSSLVerifyDepth
- CERTIFICATE_FILE: setSSLCertificateFile
- CA_CERTIFICATE_FILE: setSSLCACertificateFile
- CA_REVOCATION_URL: setSSLCARevocationFile

JSSE Settings:
- KEY_ALIAS: setKeyAlias
- PASSWORD: setKeypass
- CERTIFICATE_KEY_FILE: setKeystore
- CIPHER_SUITE: setCiphers
- PROTOCOL: setProtocols
- VERIFY_CLIENT: setClientauth
- SESSION_CACHE_SIZE: setAttribute
- SESSION_TIMEOUT: setAttribute
What is common between these two settings?
- Certificate Key File
- Cipher Suite
- Verify Client
Proposal (to be Finalized)
Proposal 1: The common settings are typed as elements. Rest are placed as properties.
<ssl binding="jsse">
    <password></password>
    <certKeyFile/>
    <cipherSuite/>
    <protocol/>
    <verifyClient/>
    <property name="x" value="y"/>
    <property name="a" value="b"/>
</ssl>

<ssl binding="openssl">
    <password></password>
    <certKeyFile/>
    <cipherSuite/>
    <protocol/>
    <verifyClient/>
    <property name="x" value="y"/>
    <property name="a" value="b"/>
</ssl>
NOTE: the binding of jsse will be made the default. So no need to specify it if you are using jsse.
Proposal 2: For the non-common set of elements, we use xsd:choice between jsse and openssl settings, each of which gets an xsd:sequence of elements.
Proposal 3: Copy the sslType from the web xsd into the security xsd. Then introduce the concept of reference in sslType to refer to sslType defined in another subsystem (namely security). That way, the subsystem can define the settings inline if it chooses to.
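The xsd:choice layout sketched in Proposal 2, written out as an added illustration that is not part of the original thread or the JBoss AS schema; the type and element names are assumed, and the common elements follow the three the post lists as shared:

```xml
<!-- Added illustration of Proposal 2 (assumed names, not the project's schema).
     The common settings sit in a shared sequence; the implementation-specific
     settings are an xsd:choice, so a single <ssl> carries exactly one of the
     two blocks and an OpenSSL-only setting cannot be mixed into a JSSE config. -->
<xs:complexType name="sslType">
  <xs:sequence>
    <!-- shared by JSSE and OpenSSL -->
    <xs:element name="certKeyFile" type="xs:string"/>
    <xs:element name="cipherSuite" type="xs:string" minOccurs="0"/>
    <xs:element name="verifyClient" type="xs:string" minOccurs="0"/>
    <!-- exactly one implementation block -->
    <xs:choice>
      <xs:element name="jsse">
        <xs:complexType>
          <xs:sequence>
            <xs:element name="keyAlias" type="xs:string" minOccurs="0"/>
            <xs:element name="keyPassword" type="xs:string"/>
            <xs:element name="protocols" type="xs:string" minOccurs="0"/>
            <xs:element name="sessionCacheSize" type="xs:int" minOccurs="0"/>
            <xs:element name="sessionTimeout" type="xs:int" minOccurs="0"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      <xs:element name="openssl">
        <xs:complexType>
          <xs:sequence>
            <xs:element name="password" type="xs:string"/>
            <xs:element name="certificateFile" type="xs:string"/>
            <xs:element name="caCertificateFile" type="xs:string" minOccurs="0"/>
            <xs:element name="caRevocationFile" type="xs:string" minOccurs="0"/>
            <xs:element name="protocol" type="xs:string" minOccurs="0"/>
            <xs:element name="verifyDepth" type="xs:int" minOccurs="0"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:choice>
  </xs:sequence>
</xs:complexType>
```

With this layout a validating parser rejects a document that carries both blocks or an implementation-specific element outside its block, which Proposal 1's free-form property list would accept silently.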
I have objections to that plan. Usually, SSL configuration for web is more involved, and more security risk prone, which means updates sometimes. This would result in multiple components getting updates.
Another issue is the incompatibility between the OpenSSL configuration (usable only by the web component for the foreseeable future) and the JSSE configuration.
So I don't see much sharing. Or to put it another way, there's a lot of sharing possible for everything *but* the web component.