WildFly Elytron

Upcoming SSLContext that supports delegation to alternate instances based on peer information

One of the features we have been working on for the Elytron subsystem is the ability to configure an SSL context that delegates to different SSL context instances based on the host and port of the peer.

Background

In some cases it is useful to have an SSL context that selects the appropriate certificate and keystore for a connection based on the hostname and/or port of the peer. Rather than wiring a separate SSL context into each client, it is easier to configure one such SSL context and keep the selection rules in a single place, so that the appropriate SSL context instance is chosen per connection.

In Elytron it is already possible to configure an authentication-context resource in which you provide rules that associate an SSL context with a specific host and/or port. Once this feature is complete, you will be able to configure a dynamic SSL context that uses these rules to select the appropriate SSL context for each connection.
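To make the delegation idea concrete, the following is an added example written for this post, not Elytron's implementation or API: a plain JSSE `SSLSocketFactory` that holds a list of host/port rules, each bound to its own `SSLContext`, and delegates socket creation to the first context whose rule matches the peer, falling back to a default. The class and method names (`PeerSelectingSocketFactory`, `Rule`, `hostPort`, `select`) and the hostnames in `main` are assumptions made for the example.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.List;
import java.util.function.BiPredicate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

/**
 * Illustrative delegating SSLSocketFactory (added example, not Elytron code).
 * Each rule pairs a host/port predicate with the SSLContext to use when it
 * matches; the first matching rule wins and a default context is the fallback.
 */
public final class PeerSelectingSocketFactory extends SSLSocketFactory {

    /** A selection rule: predicate over (host, port) plus the context to delegate to. */
    public record Rule(BiPredicate<String, Integer> matches, SSLContext context) {}

    private final List<Rule> rules;
    private final SSLContext defaultContext;

    public PeerSelectingSocketFactory(List<Rule> rules, SSLContext defaultContext) {
        this.rules = List.copyOf(rules);
        this.defaultContext = defaultContext;
    }

    /** Rule for an exact (case-insensitive) host; port -1 means "any port". */
    public static Rule hostPort(String host, int port, SSLContext ctx) {
        return new Rule((h, p) -> h.equalsIgnoreCase(host) && (port == -1 || p == port), ctx);
    }

    /** Pick the context for a peer: first matching rule, otherwise the default. */
    SSLContext select(String host, int port) {
        for (Rule r : rules) {
            if (r.matches().test(host, port)) {
                return r.context();
            }
        }
        return defaultContext;
    }

    @Override
    public Socket createSocket(String host, int port) throws IOException {
        return select(host, port).getSocketFactory().createSocket(host, port);
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return select(host, port).getSocketFactory().createSocket(host, port, localHost, localPort);
    }

    @Override
    public Socket createSocket(InetAddress host, int port) throws IOException {
        return select(host.getHostName(), port).getSocketFactory().createSocket(host, port);
    }

    @Override
    public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return select(address.getHostName(), port).getSocketFactory().createSocket(address, port, localAddress, localPort);
    }

    @Override
    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        // Layering TLS over an existing socket: the peer is still identified by host and port.
        return select(host, port).getSocketFactory().createSocket(s, host, port, autoClose);
    }

    @Override
    public String[] getDefaultCipherSuites() {
        return defaultContext.getSocketFactory().getDefaultCipherSuites();
    }

    @Override
    public String[] getSupportedCipherSuites() {
        return defaultContext.getSocketFactory().getSupportedCipherSuites();
    }

    /** Builds a distinct SSLContext per rule; here each uses the JVM default key/trust managers. */
    private static SSLContext newContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // in practice: a KeyManager backed by that peer's own keystore
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext internal = newContext();
        SSLContext partner = newContext();
        SSLContext fallback = newContext();

        // Constructed sample rules: one host+port pair, one host on any port, then the default.
        PeerSelectingSocketFactory f = new PeerSelectingSocketFactory(List.of(
                hostPort("internal.example", 8443, internal),
                hostPort("partner.example", -1, partner)), fallback);

        System.out.println("internal.example:8443 -> internal? " + (f.select("internal.example", 8443) == internal));
        System.out.println("partner.example:443   -> partner?  " + (f.select("partner.example", 443) == partner));
        System.out.println("other.example:443     -> fallback? " + (f.select("other.example", 443) == fallback));
    }
}
```

Rules are evaluated in order, so a narrower host+port rule should be listed before a broader host-only one. The `InetAddress` overloads resolve the peer name through `getHostName()`; if a caller only has a raw address, that reverse lookup is what the rule sees, so rules keyed on hostnames should be paired with callers that connect by name.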

Summary

This blog post has given a short overview of the upcoming SSL context that selects the appropriate instance based on peer information. It will be possible to configure it using the WildFly CLI or directly in the server configuration file.

For more details and updates on the status of this feature, take a look at WFLY-13762. You can also take a look at the proposal. We welcome feedback.