Hi Sai,
The security provider main class is configured through a Java security file:

-Djava.security.properties=custom-security.file

where we set:

security.provider.1=my.security.provider.class

The security provider is packaged as a .jar and added to the classpath. The security provider code is triggered once the Geode default context is initialized, so there is no room to take over the context before that.

Also, the configuration of the TLS handshake message extensions is part of the SSLSocket configuration. I'm not aware of a way to configure this through the context.

BR,
Mario

________________________________
From: Sai Boorlagadda <sai.boorlaga...@gmail.com>
Sent: 24 November 2019 17:33
To: dev@geode.apache.org <dev@geode.apache.org>
Subject: Re: Proposal of new config property "ssl-server-name-extension"

Hello Mario,

I would like to see if having a custom security provider allows you to configure the default SSL context to set the SNI?

From your proposal, I see that you have implemented a Java Security Provider to provide a custom KeyManager implementation which distinguishes certificates based on which WAN site the peer client is connecting to. How are you configuring this security provider? I am assuming you have some bootstrapping code that inserts your security provider before launching Geode, and also sets the gemfire property `ssl-use-default-context` to true to let Geode use the default SSL context.

Can this bootstrapping code create and configure an SSL context with SNI and set it as the default context before launching Geode? This may appear as a workaround, but the rationale behind `ssl-use-default-context` is to delegate to the external environment to configure the SSL context in the required manner and let Geode just use it.

Sai

On Tue, Nov 19, 2019 at 3:27 AM Mario Ivanac <mario.iva...@est.tech> wrote:

> Hi geode dev,
>
> as part of the solution for https://issues.apache.org/jira/browse/GEODE-7414
> we would like to introduce a new config property "ssl-server-name-extension".
>
> This property will contain a generic string, which will be added as the Server
> Name Indication (SNI) parameter to the Client Hello message.
>
> Do you agree with this proposal?
>
> Thanks,
> Mario
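Mario's point above, that the SNI extension is per-socket state rather than part of the SSLContext, as an added illustration that is not code from this thread or from Geode; the context setup, class name and the host name `wan-site-a.example` are assumptions:

```java
import java.security.GeneralSecurityException;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

// Added illustration (not Geode code): a default SSLContext carries key/trust
// managers and protocols; server_name (SNI) lives in each socket's SSLParameters.
public class SniOnSocketExample {

    // Install a context as the JVM default, as bootstrapping code paired with
    // ssl-use-default-context=true might. null managers = provider defaults
    // (a custom KeyManager from a security provider would be passed here).
    static void installDefaultContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        SSLContext.setDefault(ctx);
    }

    // Put the SNI name on one socket; the next ClientHello from it carries server_name.
    static void setSni(SSLSocket socket, String sniName) {
        SSLParameters params = socket.getSSLParameters();
        params.setServerNames(List.of(new SNIHostName(sniName)));
        socket.setSSLParameters(params);
    }

    // Read back the SNI host name a socket is configured to send, or null if none.
    static String configuredSniName(SSLSocket socket) {
        List<SNIServerName> names = socket.getSSLParameters().getServerNames();
        if (names == null) return null;
        for (SNIServerName n : names) {
            if (n instanceof SNIHostName) return ((SNIHostName) n).getAsciiName();
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        installDefaultContext();
        // Unconnected socket from the default context: no network access needed.
        SSLSocket socket = (SSLSocket) SSLContext.getDefault().getSocketFactory().createSocket();
        System.out.println("SNI from default context alone: " + configuredSniName(socket));
        setSni(socket, "wan-site-a.example"); // hypothetical placeholder name
        System.out.println("SNI after per-socket configuration: " + configuredSniName(socket));
    }
}
```

Swapping in a different default context changes what the socket is built from, but the server_name value still has to be applied to the socket's SSLParameters, which is why a context-only hook cannot set it.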