akka.http: Is it possible to use logic to select ssl certs?


Kevin

Jun 22, 2017, 12:15:07 AM
to Akka User List
So I'm trying to make something that does the equivalent of Apache's virtual hosting (e.g. you can select the SSL certificate based on the incoming URI) but using some logic.

Is there any way to do this in akka.http?  

Getting a single static SSL cert set up is easy per: http://doc.akka.io/docs/akka-http/current/scala/http/server-side-https-support.html#using-https-scala. Even just having two different certs (e.g. one for foo.com and one for bar.com, but still separate certs) would probably be a good place for me to start.

Thanks.

Arnout Engelen

Jun 22, 2017, 5:08:44 AM
to akka...@googlegroups.com
Hi Kevin,

The technique used in the SSL handshake to select the right certificate to match the hostname the client was connecting to is called Server Name Indication (SNI). 

I've never done it myself, but it seems you could add custom logic to this by writing your own KeyManager. https://github.com/grahamedgecombe/netty-sni-example/blob/master/src/main/java/SniKeyManager.java could provide some inspiration.


Kind regards,

Arnout

--
>>>>>>>>>> Read the docs: http://akka.io/docs/
>>>>>>>>>> Check the FAQ: http://doc.akka.io/docs/akka/current/additional/faq.html
>>>>>>>>>> Search the archives: https://groups.google.com/group/akka-user
---
You received this message because you are subscribed to the Google Groups "Akka User List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to akka-user+unsubscribe@googlegroups.com.
To post to this group, send email to akka...@googlegroups.com.
Visit this group at https://groups.google.com/group/akka-user.
For more options, visit https://groups.google.com/d/optout.



--
Arnout Engelen

Kevin

Jun 22, 2017, 9:28:44 AM
to Akka User List
Wow, this looks like a great place to start, thanks!



Kevin Browder

Jun 22, 2017, 4:28:53 PM
to akka...@googlegroups.com
Yup, the SniKeyManager.java was a great example; the only "gotcha" is that if you extend X509ExtendedKeyManager and modify the keystore at run-time, you actually need to request data from the keystore, not the keymanager, as Sun's default implementation caches on instantiation (and never updates its cache).

Thanks again!
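
The approach discussed in this thread, as an added example (not code from either poster and not the linked netty-sni-example): a key manager that selects the certificate from the SNI host name and reads key material from the KeyStore on every handshake, so entries changed at run-time are picked up. Assumptions: each certificate is stored under an alias equal to its lower-case host name, all keys share one password, `defaultAlias` is non-null, and the caller synchronizes any concurrent updates to the KeyStore.

```java
import java.net.Socket;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

/** Added example: alias == SNI host name (assumption); always reads the live KeyStore. */
public final class SniKeyManager extends X509ExtendedKeyManager {
    private final KeyStore store;       // may be modified at run-time
    private final char[] password;      // assumption: one password for all keys
    private final String defaultAlias;  // served when SNI is absent or unknown

    public SniKeyManager(KeyStore s, char[] p, String d) { store = s; password = p; defaultAlias = d; }

    @Override  // SSLEngine-based servers call this hook, not chooseServerAlias
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        SSLSession session = engine.getHandshakeSession();
        if (session instanceof ExtendedSSLSession) {
            for (SNIServerName n : ((ExtendedSSLSession) session).getRequestedServerNames()) {
                if (n instanceof SNIHostName) {  // client-supplied: used only as a lookup key
                    String host = ((SNIHostName) n).getAsciiName().toLowerCase(Locale.ROOT);
                    if (matches(host, keyType)) return host;
                }
            }
        }
        return matches(defaultAlias, keyType) ? defaultAlias : null;
    }

    // True when the alias holds a key entry whose public key algorithm is keyType.
    private boolean matches(String alias, String keyType) {
        X509Certificate[] chain = getCertificateChain(alias);
        return chain != null && chain.length > 0
            && chain[0].getPublicKey().getAlgorithm().equals(keyType);
    }

    @Override  // asks the KeyStore itself, so there is no start-up cache to go stale
    public X509Certificate[] getCertificateChain(String alias) {
        try {
            Certificate[] c = store.isKeyEntry(alias) ? store.getCertificateChain(alias) : null;
            return c == null ? null : Arrays.copyOf(c, c.length, X509Certificate[].class);
        } catch (KeyStoreException e) { return null; }
    }

    @Override public PrivateKey getPrivateKey(String alias) {
        try { return (PrivateKey) store.getKey(alias, password); }
        catch (GeneralSecurityException e) { return null; }
    }
    // Socket-based and client-side selection are not used by this server-side example.
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return null; }
    @Override public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return null; }
    @Override public String[] getClientAliases(String t, Principal[] i) { return null; }
    @Override public String[] getServerAliases(String t, Principal[] i) { return null; }
}
```

Pass an instance as the only element of the `KeyManager[]` given to `SSLContext.init`, then build the HTTPS connection context from that `SSLContext` as in the akka-http HTTPS documentation linked above.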
