
I need to define a custom SSL configuration in server.xml and use it as default in my openliberty server.

What is the impact of defining sslDefault in the server.xml config? Will this override the JVM default, so that all third-party libraries transparently use this sslDefault? Or do we need to get the SSL config using SSLContext sslContext = JSSEHelper.getInstance().getSSLContext("defaultSSLConfig", Collections.emptyMap(), null) (as presented in https://openliberty.io/docs/latest/access-nosql-databases.html) and inject it into these libraries?

Any best practices to share?

Manudebouc

1 Answer

If you configure the transportSecurity-1.0 feature, then configuring sslDefault in server.xml will affect what is returned by SSLContext.getDefault, so any library that makes use of this will gain the configuration. However, a library that uses one of the SSLContext.getInstance methods will not. This is because that creates a new SSLContext instance, which will be initialized by the library calling the init method. If the library calls init(null, null, null), then it'll be initialized with what the JVM considers the default had SSLContext.setDefault not been called.

Different libraries react differently. As I recall, okhttp creates its own SSLContext and initializes it, so it will not be affected by the Liberty sslDefault configuration, but other libraries just use the default.

Alasdair
  • Ok this is aligned with what I have seen on my side. So no magic stuff and need to check all third party libraries. Thanks. – Manudebouc Sep 14 '22 at 09:31
  • Just one last question: is there any reason why 'SSLContext.getDefault()' does not return the same SSLContext as 'JSSEHelper.getInstance().getSSLContext("defaultSSLConfig", Collections.emptyMap(), null)' (set as sslDefault)? The latter seems to be a WS SSLContext (where I can see my config), but not the other. – Manudebouc Sep 14 '22 at 10:08
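
The difference described in the answer above, as an added example that is not part of the original thread and is not Open Liberty code. It is plain Java in which SSLContext.setDefault stands in for the server applying sslDefault (an assumption), and the class and method names are hypothetical.

```java
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class DefaultContextDemo {

    // Stand-in for a server-managed context: TLSv1.2 label, empty trust store.
    // Constructed for this example so it is clearly distinct from JVM defaults.
    static SSLContext buildManagedContext() throws Exception {
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(empty);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // A library that follows the JVM-wide default picks up whatever was set.
    static SSLContext libraryUsingDefault() throws Exception {
        return SSLContext.getDefault();
    }

    // A library that builds its own context: init(null, null, null) uses the
    // JVM's own key and trust material and ignores SSLContext.setDefault.
    static SSLContext libraryBuildingOwn() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext managed = buildManagedContext();
        SSLContext.setDefault(managed); // assumption: models the effect of sslDefault

        System.out.println("getDefault() is managed context:  "
            + (libraryUsingDefault() == managed));
        System.out.println("getInstance() is managed context: "
            + (libraryBuildingOwn() == managed));
        System.out.println("default context protocol label:   "
            + SSLContext.getDefault().getProtocol());

        // For a library that accepts an injected factory, hand it the default
        // context's factory explicitly instead of relying on its own setup.
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        System.out.println("factory to inject: " + factory.getClass().getName());
    }
}
```

Running the same identity check against the SSLContext or SSLSocketFactory a third-party client actually ends up with is a quick way to audit which libraries need the configuration injected.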