Re: [jetty-users] TLS ALPN ACME Lets Encrypt challange

[Lothar Kimmeringer <job@xxxxxxxxxxxxxx>]

Am 02.12.2022 um 10:10 schrieb Info:

> I am curious if the code for the SSLContextFactory and Keystore is
> open-sourced somewhere?

It's not but I don't see a problem in sharing it. But I'm not sure if
it makes much sense because the reason why I've implemented one is
very specific. Essentially I've overwritte doStart and doStop to
delay its actual call in the derived class unless the part of the
system is up that provides the certificates. When that's the case
setKeyStore is called (with my implementation of a KeyStore) and
after that doStart.

This is a solution I've came up in 2013 when starting to use
Jetty 9.0. There might be better solutions now (but if I understood
Simone correctly, it doesn't sound like there are) but I'll stick
with it until the corresponding unit tests stop working ;-) But
this implementation solves a very specific requirement, which is
why I doubt the source is useful for this particular topic.

Same for the KeyStore. Not open source but nothing special, either.
You just implement the engine-methods providing aliases, certificates
and keys. I've also implemented my own versions of KeyManager and
TrustManager to "help" the ContextFactory to decide what certificate/key
to use which is the point where an ALPN-implementation should
be based in my eyes.

> Maybe we can ponder a AMCE KeyManager together?

I'm currently busy with a lot of other stuff (which is why ALPN-
support is only on a list at the moment), so I'm not sure if it makes
sense to wait for my availability. But looking at the API the
KeyManager-implementation might be simple and the magic should
take place in
chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine)
if engine.getApplicationProtocol() return the information that
ALPN is used, return the ACME-certificate and return the "normal"
one if not.


Thanks and cheers, Lothar