Added tests for both SelectChannel and Socket connectors.

git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/sandbox/trunk@2745 7e9141cc-0065-0410-87d8-b60c137991c4
diff --git a/jetty-exssl/config/etc/jetty-exssl.xml b/jetty-exssl/config/etc/jetty-exssl.xml
index 3f5e87c..253bf17 100644
--- a/jetty-exssl/config/etc/jetty-exssl.xml
+++ b/jetty-exssl/config/etc/jetty-exssl.xml
@@ -25,6 +25,7 @@
         <Set name="KeyPassword">webtide</Set>
         <Set name="truststore"><Property name="jetty.home" default="." />/etc/jetty.keystore</Set>
         <Set name="trustPassword">webtide</Set>
+        <Set name="validateCert">true</Set>
         <Set name="crlPath"><Property name="jetty.home" default="." />/etc/crlfile.pem</Set>
       </New>
     </Arg>
diff --git a/jetty-exssl/pom.xml b/jetty-exssl/pom.xml
index d5cc4b1..2cd3556 100644
--- a/jetty-exssl/pom.xml
+++ b/jetty-exssl/pom.xml
@@ -68,16 +68,6 @@
   </build>
   <dependencies>
     <dependency>
-      <groupId>junit</groupId>
-      <artifactId>junit</artifactId>
-      <version>${junit4-version}</version>
-      <scope>test</scope>
-    </dependency>
-    <dependency>
-      <groupId>javax.servlet</groupId>
-      <artifactId>servlet-api</artifactId>
-    </dependency>
-    <dependency>
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-server</artifactId>
       <version>${project.version}</version>
@@ -88,10 +78,15 @@
       <version>${project.version}</version>
     </dependency>
     <dependency>
-      <groupId>org.eclipse.jetty</groupId>
-      <artifactId>jetty-jmx</artifactId>
-      <version>${project.version}</version>
-      <optional>true</optional>
+        <groupId>org.eclipse.jetty.toolchain</groupId>
+        <artifactId>jetty-test-helper</artifactId>
+        <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>${junit4-version}</version>
+      <scope>test</scope>
     </dependency>
   </dependencies>
 </project>
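Review bot: The new `jetty-test-helper` dependency declares no `<version>`, so it only resolves if a parent POM's `dependencyManagement` pins one, and that is not visible in this hunk. Either confirm the parent manages `org.eclipse.jetty.toolchain:jetty-test-helper` or add an explicit `<version>` element here so the test classpath is reproducible. The block is also indented eight spaces where its siblings use six. The same hunk drops the optional `jetty-jmx` dependency, and the previous hunk drops `servlet-api`, neither of which the commit message mentions; it is worth checking that nothing under `src/main` still compiles against them.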
diff --git a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/CertificateValidator.java b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/CertificateValidator.java
index 0826292..a467dfc 100644
--- a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/CertificateValidator.java
+++ b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/CertificateValidator.java
@@ -4,11 +4,8 @@
 import java.security.KeyStoreException;
 import java.security.cert.CRL;
 import java.security.cert.CertPathBuilder;
-import java.security.cert.CertPathBuilderException;
 import java.security.cert.CertPathBuilderResult;
 import java.security.cert.CertPathValidator;
-import java.security.cert.CertPathValidatorException;
-import java.security.cert.CertPathValidatorResult;
 import java.security.cert.CertStore;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
@@ -47,11 +44,9 @@
             }
             catch (KeyStoreException ex)
             {
-                CertificateException crtex = 
-                    new CertificateException("Unable to validate certificate for alias " +
-                                             keyAlias + ": " + ex.toString());
-                crtex.initCause(ex);
-                throw crtex;
+                Log.debug(ex);
+                throw new CertificateException("Unable to validate certificate for alias [" +
+                                               keyAlias + "]: " + ex.getMessage());
             }
             result = keyAlias;            
         }
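Review bot: The rewritten catch block loses the exception cause, because the new `CertificateException` is built from `ex.getMessage()` alone and the original `KeyStoreException` is only passed to `Log.debug(ex)`. At normal log levels the stack trace of a failed certificate validation is gone, and `getMessage()` can be null where the removed `ex.toString()` at least kept the exception class. Keep the chain with the two-argument constructor: `throw new CertificateException("Unable to validate certificate for alias [" + keyAlias + "]: " + ex.getMessage(), ex);`. The `catch (Exception ex)` block in the next hunk of this file (alias `certAlias`) has the same pattern and needs the same change. The enclosing method starts outside this hunk.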
@@ -114,11 +109,9 @@
             }
             catch (Exception ex)
             {
-                CertificateException crtex = 
-                    new CertificateException("Unable to validate certificate for alias " +
-                                             certAlias + ": " + ex.toString());
-                crtex.initCause(ex);
-                throw crtex;
+                Log.debug(ex);
+                throw new CertificateException("Unable to validate certificate for alias [" +
+                                               certAlias + "]: " + ex.getMessage());
             }
         } 
     }
diff --git a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslConnector.java b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslConnector.java
index 2b781c9..e601aed 100644
--- a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslConnector.java
+++ b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslConnector.java
@@ -288,4 +288,40 @@
      * @return Path to file that contains Certificate Revocation List
      */
     public abstract String getCrlPath();
+
+    /* ------------------------------------------------------------ */
+    /** 
+     * @return Maximum number of intermediate certificates in the certification path (-1 for unlimited)
+     */
+    public abstract int getMaxCertPathLength();
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @param maxCertPathLength maximum number of intermediate certificates in the chain (-1 for unlimited)
+     */
+    public abstract void setMaxCertPathLength(int maxCertPathLength);
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @return true if SSL certificate has to be validated
+     */
+    public abstract boolean getValidateCert();
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @param validateServerCert true if SSL certificate has to be validated
+     */
+    public abstract void setValidateCert(boolean validateCert);
+    
+    /* ------------------------------------------------------------ */
+    /**
+     * @return Alias of SSL certificate for the connector
+     */
+    public abstract String getCertAlias();
+    
+    /* ------------------------------------------------------------ */
+    /**
+     * @param certAlias Alias of SSL certificate for the connector
+     */
+    public abstract void setCertAlias(String certAlias);
 }
\ No newline at end of file
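Review bot: The Javadoc for the new validation accessors is inaccurate and incomplete: the tag on `setValidateCert` reads `@param validateServerCert`, but the parameter is named `validateCert`. It should be `@param validateCert true if SSL certificate has to be validated (default false)`. Neither accessor states the default, yet the `_validateCert` field added to `EnhancedSslSelectChannelConnector` later in this diff has no initializer, so validation is off unless a caller or the XML config turns it on. The comments should say so, and the field should spell it out like its neighbours with `private boolean _validateCert=false;`. It would also help to state which certificates are validated (the connector's own keystore entries, peer certificates, or both), which cannot be determined from this hunk.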
diff --git a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSelectChannelConnector.java b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSelectChannelConnector.java
index fce4b9d..1d893d8 100644
--- a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSelectChannelConnector.java
+++ b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSelectChannelConnector.java
@@ -22,6 +22,7 @@
 import java.security.Security;
 import java.security.cert.CRL;
 import java.security.cert.CertStore;
+import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
 import java.security.cert.CollectionCertStoreParameters;
 import java.security.cert.PKIXBuilderParameters;
@@ -29,6 +30,7 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 
 import javax.net.ssl.CertPathTrustManagerParameters;
@@ -72,6 +74,10 @@
  *
  *
  */
+
+/* ------------------------------------------------------------ */
+/**
+ */
 public class EnhancedSslSelectChannelConnector extends SelectChannelConnector implements EnhancedSslConnector
 {
     /** Excluded cipher suites. */
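Review bot: The empty `/** */` block added directly above the class declaration becomes the doc comment for `EnhancedSslSelectChannelConnector`, because Javadoc attaches only the comment immediately before a declaration. The descriptive comment that ends just above it appears to be the original class Javadoc (it starts outside this hunk) and is now detached from the class. Remove the four added lines, or move the `/* ---- */` separator above the original comment, so the existing description remains the class documentation.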
@@ -85,8 +91,8 @@
     private String _keystoreProvider;
     /** KeyStore type */
     private String _keystoreType="JKS";
-    /** SSL key alias */
-    private String _keyAlias;
+    /** SSL certificate alias */
+    private String _certAlias;
 
     /** TrustStore path */
     private String _truststorePath;
@@ -99,6 +105,8 @@
     private boolean _needClientAuth=false;
     /** Set to true if client certificate authentication is desired */
     private boolean _wantClientAuth=false;
+    /** Set to true if SSL certificate validation is required */
+    private boolean _validateCert;
     /** Set to true if renegotiation is allowed */
     private boolean _allowRenegotiate=false;
 
@@ -128,8 +136,9 @@
     
     /** SSL context */
     private SSLContext _context;
+    /** SSL buffers */
     private Buffers _sslBuffers;
-    
+
     /* ------------------------------------------------------------ */
     public EnhancedSslSelectChannelConnector()
     {
@@ -138,6 +147,491 @@
 
     /* ------------------------------------------------------------ */
     /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites()
+     */
+    public String[] getExcludeCipherSuites()
+    {
+        return _excludeCipherSuites;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[])
+     */
+    public void setExcludeCipherSuites(String[] cipherSuites)
+    {
+        this._excludeCipherSuites=cipherSuites;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites()
+     */
+    public String[] getIncludeCipherSuites()
+    {
+        return _includeCipherSuites;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[])
+     */
+    public void setIncludeCipherSuites(String[] cipherSuites)
+    {
+        this._includeCipherSuites=cipherSuites;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getKeystore()
+     */
+    public String getKeystore()
+    {
+        return _keystorePath;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setKeystore(java.lang.String)
+     */
+    public void setKeystore(String keystore)
+    {
+        _keystorePath=keystore;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getKeystoreProvider()
+     */
+    public String getKeystoreProvider()
+    {
+        return _keystoreProvider;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setKeystoreProvider(java.lang.String)
+     */
+    public void setKeystoreProvider(String keystoreProvider)
+    {
+        _keystoreProvider = keystoreProvider;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getKeystoreType()
+     */
+    public String getKeystoreType()
+    {
+        return (_keystoreType);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setKeystoreType(java.lang.String)
+     */
+    public void setKeystoreType(String keystoreType)
+    {
+        _keystoreType=keystoreType;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getCertAlias()
+     */
+    public String getCertAlias()
+    {
+        return _certAlias;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setCertAlias(java.lang.String)
+     */
+    public void setCertAlias(String certAlias)
+    {
+        this._certAlias = certAlias;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getTruststore()
+     */
+    public String getTruststore()
+    {
+        return _truststorePath;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setTruststore(java.lang.String)
+     */
+    public void setTruststore(String truststore)
+    {
+        _truststorePath=truststore;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getTruststoreProvider()
+     */
+    public String getTruststoreProvider()
+    {
+        return _truststoreProvider;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setTruststoreProvider(java.lang.String)
+     */
+    public void setTruststoreProvider(String truststoreProvider)
+    {
+        _truststoreProvider = truststoreProvider;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getTruststoreType()
+     */
+    public String getTruststoreType()
+    {
+        return _truststoreType;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setTruststoreType(java.lang.String)
+     */
+    public void setTruststoreType(String truststoreType)
+    {
+        _truststoreType=truststoreType;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getNeedClientAuth()
+     */
+    public boolean getNeedClientAuth()
+    {
+        return _needClientAuth;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setNeedClientAuth(boolean)
+     */
+    public void setNeedClientAuth(boolean needClientAuth)
+    {
+        _needClientAuth=needClientAuth;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getWantClientAuth()
+     */
+    public boolean getWantClientAuth()
+    {
+        return _wantClientAuth;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setWantClientAuth(boolean)
+     */
+    public void setWantClientAuth(boolean wantClientAuth)
+    {
+        _wantClientAuth=wantClientAuth;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getValidateCert()
+     */
+    public boolean getValidateCert()
+    {
+        return _validateCert;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setValidateCert(boolean)
+     */
+    public void setValidateCert(boolean validateCert)
+    {
+        _validateCert = validateCert;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @return True if SSL re-negotiation is allowed (default false)
+     */
+    public boolean isAllowRenegotiate()
+    {
+        return _allowRenegotiate;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered
+     * a vulnerability in SSL/TLS with re-negotiation.  If your JVM
+     * does not have CVE-2009-3555 fixed, then re-negotiation should
+     * not be allowed.
+     * @param allowRenegotiate true if re-negotiation is allowed (default false)
+     */
+    public void setAllowRenegotiate(boolean allowRenegotiate)
+    {
+        _allowRenegotiate = allowRenegotiate;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setPassword(java.lang.String)
+     */
+    public void setPassword(String password)
+    {
+        _password=Password.getPassword(PASSWORD_PROPERTY,password,null);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setKeyPassword(java.lang.String)
+     */
+    public void setKeyPassword(String password)
+    {
+        _keyPassword=Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setTrustPassword(java.lang.String)
+     */
+    public void setTrustPassword(String password)
+    {
+        _trustPassword=Password.getPassword(PASSWORD_PROPERTY,password,null);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getProvider()
+     */
+    public String getProvider()
+    {
+        return _sslProvider;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setProvider(java.lang.String)
+     */
+    public void setProvider(String provider)
+    {
+        _sslProvider=provider;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getProtocol()
+     */
+    public String getProtocol()
+    {
+        return _sslProtocol;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setProtocol(java.lang.String)
+     */
+    public void setProtocol(String protocol)
+    {
+        _sslProtocol=protocol;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getSecureRandomAlgorithm()
+     */
+    public String getSecureRandomAlgorithm()
+    {
+        return _secureRandomAlgorithm;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setSecureRandomAlgorithm(java.lang.String)
+     */
+    public void setSecureRandomAlgorithm(String algorithm)
+    {
+        this._secureRandomAlgorithm=algorithm;
+    }
+
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getSslKeyManagerFactoryAlgorithm()
+     */
+    public String getSslKeyManagerFactoryAlgorithm()
+    {
+        return (this._sslKeyManagerFactoryAlgorithm);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setSslKeyManagerFactoryAlgorithm(java.lang.String)
+     */
+    public void setSslKeyManagerFactoryAlgorithm(String algorithm)
+    {
+        this._sslKeyManagerFactoryAlgorithm=algorithm;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getSslTrustManagerFactoryAlgorithm()
+     */
+    public String getSslTrustManagerFactoryAlgorithm()
+    {
+        return (this._sslTrustManagerFactoryAlgorithm);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setSslTrustManagerFactoryAlgorithm(java.lang.String)
+     */
+    public void setSslTrustManagerFactoryAlgorithm(String algorithm)
+    {
+        this._sslTrustManagerFactoryAlgorithm=algorithm;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @deprecated use {@link #getSslKeyManagerFactoryAlgorithm()} or
+     * {@link #getSslTrustManagerFactoryAlgorithm()}
+     */
+    @Deprecated
+    public String getAlgorithm()
+    {
+        return getSslKeyManagerFactoryAlgorithm();
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @deprecated use {@link #setSslKeyManagerFactoryAlgorithm(String)} or
+     * {@link #setSslTrustManagerFactoryAlgorithm(String)}
+     */
+    @Deprecated
+    public void setAlgorithm(String algorithm)
+    {
+        setSslKeyManagerFactoryAlgorithm(algorithm);
+        setSslTrustManagerFactoryAlgorithm(algorithm);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setCrlPath(java.lang.String)
+     */
+    public void setCrlPath(String crlPath)
+    {
+        _crlPath = crlPath;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getCrlPath()
+     */
+    public String getCrlPath()
+    {
+        return _crlPath;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getMaxCertPathLength()
+     */
+    public int getMaxCertPathLength()
+    {
+        return _maxCertPathLength;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setMaxCertPathLength(int)
+     */
+    public void setMaxCertPathLength(int maxCertPathLength)
+    {
+        _maxCertPathLength = maxCertPathLength;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
+     */
+    public SSLContext getSslContext()
+    {
+        try
+        {
+            if (_context == null)
+                _context=createSSLContext();
+        }
+        catch(Exception e)
+        {
+            throw new RuntimeException(e);
+        }
+
+        return _context;
+    }
+
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
+     */
+    public void setSslContext(SSLContext sslContext)
+    {
+        _context = sslContext;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @return SSL buffers
+     */
+    public Buffers getSslBuffers()
+    {
+        return _sslBuffers;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * By default, we're confidential, given we speak SSL. But, if we've been
+     * told about an confidential port, and said port is not our port, then
+     * we're not. This allows separation of listeners providing INTEGRAL versus
+     * CONFIDENTIAL constraints, such as one SSL listener configured to require
+     * client certs providing CONFIDENTIAL, whereas another SSL listener not
+     * requiring client certs providing mere INTEGRAL constraints.
+     */
+    @Override
+    public boolean isConfidential(Request request)
+    {
+        final int confidentialPort=getConfidentialPort();
+        return confidentialPort==0||confidentialPort==request.getServerPort();
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * By default, we're integral, given we speak SSL. But, if we've been told
+     * about an integral port, and said port is not our port, then we're not.
+     * This allows separation of listeners providing INTEGRAL versus
+     * CONFIDENTIAL constraints, such as one SSL listener configured to require
+     * client certs providing CONFIDENTIAL, whereas another SSL listener not
+     * requiring client certs providing mere INTEGRAL constraints.
+     */
+    @Override
+    public boolean isIntegral(Request request)
+    {
+        final int integralPort=getIntegralPort();
+        return integralPort==0||integralPort==request.getServerPort();
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
      * Allow the Listener a chance to customise the request. before the server
      * does its stuff. <br>
      * This allows the required attributes to be set for SSL requests. <br>
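Review bot: Several `@see` tags on the relocated accessors name the wrong method: `getIncludeCipherSuites` and `setIncludeCipherSuites` point at `#getExcludeCipherSuites()` and `#setExcludeCipherSuites(java.lang.String[])`, and `getSslContext` points at `#setSslContext(javax.net.ssl.SSLContext)`. Include and exclude lists have opposite effects on the negotiated cipher suites, so a reader following the tag ends up at the wrong contract. Replace the two include tags with direct descriptions such as `@return the cipher suites configured for inclusion` and `@param cipherSuites the cipher suites to include`. For `getSslContext`, document what the body does: `@return the SSL context, created via createSSLContext() on first call if none was set; creation failures are rethrown as RuntimeException`.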
@@ -175,372 +669,6 @@
         SslCertificates.customize(sslSession,endpoint,request);
     }
 
-    /* ------------------------------------------------------------ */
-    /**
-     * @return True if SSL re-negotiation is allowed (default false)
-     */
-    public boolean isAllowRenegotiate()
-    {
-        return _allowRenegotiate;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered
-     * a vulnerability in SSL/TLS with re-negotiation.  If your JVM
-     * does not have CVE-2009-3555 fixed, then re-negotiation should
-     * not be allowed.
-     * @param allowRenegotiate true if re-negotiation is allowed (default false)
-     */
-    public void setAllowRenegotiate(boolean allowRenegotiate)
-    {
-        _allowRenegotiate = allowRenegotiate;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites()
-     */
-    public String[] getExcludeCipherSuites()
-    {
-        return _excludeCipherSuites;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[])
-     */
-    public void setExcludeCipherSuites(String[] cipherSuites)
-    {
-        this._excludeCipherSuites=cipherSuites;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites()
-     */
-    public String[] getIncludeCipherSuites()
-    {
-        return _includeCipherSuites;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[])
-     */
-    public void setIncludeCipherSuites(String[] cipherSuites)
-    {
-        this._includeCipherSuites=cipherSuites;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#setPassword(java.lang.String)
-     */
-    public void setPassword(String password)
-    {
-        _password=Password.getPassword(PASSWORD_PROPERTY,password,null);
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#setTrustPassword(java.lang.String)
-     */
-    public void setTrustPassword(String password)
-    {
-        _trustPassword=Password.getPassword(PASSWORD_PROPERTY,password,null);
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#setKeyPassword(java.lang.String)
-     */
-    public void setKeyPassword(String password)
-    {
-        _keyPassword=Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @deprecated use {@link #getSslKeyManagerFactoryAlgorithm()} or
-     * {@link #getSslTrustManagerFactoryAlgorithm()}
-     */
-    @Deprecated
-    public String getAlgorithm()
-    {
-        return getSslKeyManagerFactoryAlgorithm();
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @deprecated use {@link #setSslKeyManagerFactoryAlgorithm(String)} or
-     * {@link #setSslTrustManagerFactoryAlgorithm(String)}
-     */
-    @Deprecated
-    public void setAlgorithm(String algorithm)
-    {
-        setSslKeyManagerFactoryAlgorithm(algorithm);
-        setSslTrustManagerFactoryAlgorithm(algorithm);
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#getProtocol()
-     */
-    public String getProtocol()
-    {
-        return _sslProtocol;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#setProtocol(java.lang.String)
-     */
-    public void setProtocol(String protocol)
-    {
-        _sslProtocol=protocol;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#setKeystore(java.lang.String)
-     */
-    public void setKeystore(String keystore)
-    {
-        _keystorePath=keystore;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#getKeystore()
-     */
-    public String getKeystore()
-    {
-        return _keystorePath;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#getKeystoreType()
-     */
-    public String getKeystoreType()
-    {
-        return (_keystoreType);
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#getNeedClientAuth()
-     */
-    public boolean getNeedClientAuth()
-    {
-        return _needClientAuth;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#getWantClientAuth()
-     */
-    public boolean getWantClientAuth()
-    {
-        return _wantClientAuth;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#setNeedClientAuth(boolean)
-     */
-    public void setNeedClientAuth(boolean needClientAuth)
-    {
-        _needClientAuth=needClientAuth;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#setWantClientAuth(boolean)
-     */
-    public void setWantClientAuth(boolean wantClientAuth)
-    {
-        _wantClientAuth=wantClientAuth;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#setKeystoreType(java.lang.String)
-     */
-    public void setKeystoreType(String keystoreType)
-    {
-        _keystoreType=keystoreType;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#getProvider()
-     */
-    public String getProvider()
-    {
-        return _sslProvider;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#getSecureRandomAlgorithm()
-     */
-    public String getSecureRandomAlgorithm()
-    {
-        return (this._secureRandomAlgorithm);
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#getSslKeyManagerFactoryAlgorithm()
-     */
-    public String getSslKeyManagerFactoryAlgorithm()
-    {
-        return (this._sslKeyManagerFactoryAlgorithm);
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#getSslTrustManagerFactoryAlgorithm()
-     */
-    public String getSslTrustManagerFactoryAlgorithm()
-    {
-        return (this._sslTrustManagerFactoryAlgorithm);
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#getTruststore()
-     */
-    public String getTruststore()
-    {
-        return _truststorePath;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#getTruststoreType()
-     */
-    public String getTruststoreType()
-    {
-        return _truststoreType;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#setProvider(java.lang.String)
-     */
-    public void setProvider(String provider)
-    {
-        _sslProvider=provider;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#setSecureRandomAlgorithm(java.lang.String)
-     */
-    public void setSecureRandomAlgorithm(String algorithm)
-    {
-        this._secureRandomAlgorithm=algorithm;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#setSslKeyManagerFactoryAlgorithm(java.lang.String)
-     */
-    public void setSslKeyManagerFactoryAlgorithm(String algorithm)
-    {
-        this._sslKeyManagerFactoryAlgorithm=algorithm;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#setSslTrustManagerFactoryAlgorithm(java.lang.String)
-     */
-    public void setSslTrustManagerFactoryAlgorithm(String algorithm)
-    {
-        this._sslTrustManagerFactoryAlgorithm=algorithm;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#setTruststore(java.lang.String)
-     */
-    public void setTruststore(String truststore)
-    {
-        _truststorePath=truststore;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#setTruststoreType(java.lang.String)
-     */
-    public void setTruststoreType(String truststoreType)
-    {
-        _truststoreType=truststoreType;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
-     */
-    public void setSslContext(SSLContext sslContext)
-    {
-        _context = sslContext;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
-     */
-    public SSLContext getSslContext()
-    {
-        try
-        {
-            if (_context == null)
-                _context=createSSLContext();
-        }
-        catch(Exception e)
-        {
-            throw new RuntimeException(e);
-        }
-
-        return _context;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * By default, we're confidential, given we speak SSL. But, if we've been
-     * told about an confidential port, and said port is not our port, then
-     * we're not. This allows separation of listeners providing INTEGRAL versus
-     * CONFIDENTIAL constraints, such as one SSL listener configured to require
-     * client certs providing CONFIDENTIAL, whereas another SSL listener not
-     * requiring client certs providing mere INTEGRAL constraints.
-     */
-    @Override
-    public boolean isConfidential(Request request)
-    {
-        final int confidentialPort=getConfidentialPort();
-        return confidentialPort==0||confidentialPort==request.getServerPort();
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * By default, we're integral, given we speak SSL. But, if we've been told
-     * about an integral port, and said port is not our port, then we're not.
-     * This allows separation of listeners providing INTEGRAL versus
-     * CONFIDENTIAL constraints, such as one SSL listener configured to require
-     * client certs providing CONFIDENTIAL, whereas another SSL listener not
-     * requiring client certs providing mere INTEGRAL constraints.
-     */
-    @Override
-    public boolean isIntegral(Request request)
-    {
-        final int integralPort=getIntegralPort();
-        return integralPort==0||integralPort==request.getServerPort();
-    }
-
     /* ------------------------------------------------------------------------------- */
     @Override
     protected SelectChannelEndPoint newEndPoint(SocketChannel channel, SelectSet selectSet, SelectionKey key) throws IOException
@@ -559,6 +687,49 @@
         return connection;
     }
 
+    @Override
+    protected void doStart() throws Exception
+    {
+        if (_context == null)
+           _context=createSSLContext();
+
+        SSLEngine engine=createSSLEngine();
+        SSLSession ssl_session=engine.getSession();
+
+        ThreadLocalBuffers buffers = new ThreadLocalBuffers()
+        {
+            @Override
+            protected Buffer newBuffer(int size)
+            {
+                if (getUseDirectBuffers())
+                    return new DirectNIOBuffer(size);
+                return new IndirectNIOBuffer(size);
+            }
+            @Override
+            protected Buffer newHeader(int size)
+            {
+                if (getUseDirectBuffers())
+                    return new DirectNIOBuffer(size);
+                return new IndirectNIOBuffer(size);
+            }
+            @Override
+            protected boolean isHeader(Buffer buffer)
+            {
+                return true;
+            }
+        };
+        buffers.setBufferSize(ssl_session.getApplicationBufferSize());
+        buffers.setHeaderSize(ssl_session.getApplicationBufferSize());
+        _sslBuffers=buffers;
+
+        if (getRequestHeaderSize()<ssl_session.getApplicationBufferSize())
+            setRequestHeaderSize(ssl_session.getApplicationBufferSize());
+        if (getRequestBufferSize()<ssl_session.getApplicationBufferSize())
+            setRequestBufferSize(ssl_session.getApplicationBufferSize());
+
+        super.doStart();
+    }
+
     /* ------------------------------------------------------------ */
     protected SSLEngine createSSLEngine() throws IOException
     {
@@ -628,92 +799,33 @@
         return engine;
     }
 
-    @Override
-    protected void doStart() throws Exception
-    {
-    	if (_context == null)
-           _context=createSSLContext();
-
-        SSLEngine engine=createSSLEngine();
-        SSLSession ssl_session=engine.getSession();
-
-        ThreadLocalBuffers buffers = new ThreadLocalBuffers()
-        {
-            @Override
-            protected Buffer newBuffer(int size)
-            {
-                if (getUseDirectBuffers())
-                    return new DirectNIOBuffer(size);
-                return new IndirectNIOBuffer(size);
-            }
-            @Override
-            protected Buffer newHeader(int size)
-            {
-                if (getUseDirectBuffers())
-                    return new DirectNIOBuffer(size);
-                return new IndirectNIOBuffer(size);
-            }
-            @Override
-            protected boolean isHeader(Buffer buffer)
-            {
-                return true;
-            }
-        };
-        buffers.setBufferSize(ssl_session.getApplicationBufferSize());
-        buffers.setHeaderSize(ssl_session.getApplicationBufferSize());
-        _sslBuffers=buffers;
-
-        if (getRequestHeaderSize()<ssl_session.getApplicationBufferSize())
-            setRequestHeaderSize(ssl_session.getApplicationBufferSize());
-        if (getRequestBufferSize()<ssl_session.getApplicationBufferSize())
-            setRequestBufferSize(ssl_session.getApplicationBufferSize());
-
-        super.doStart();
-    }
-
-    public Buffers getSslBuffers()
-    {
-        return _sslBuffers;
-    }
-
-    public void setKeystoreProvider(String keystoreProvider)
-    {
-        _keystoreProvider = keystoreProvider;
-    }
-
-    public String getKeystoreProvider()
-    {
-        return _keystoreProvider;
-    }
-
-    public void setTruststoreProvider(String truststoreProvider)
-    {
-        _truststoreProvider = truststoreProvider;
-    }
-
-    public String getTruststoreProvider()
-    {
-        return _truststoreProvider;
-    }
-
-    public void setCrlPath(String crlPath)
-    {
-        _crlPath = crlPath;
-    }
-
-    public String getCrlPath()
-    {
-        return _crlPath;
-    }
-
     /* ------------------------------------------------------------ */
     protected SSLContext createSSLContext() throws Exception
     {
         KeyStore keyStore = getKeyStore(_keystorePath, _keystoreType, _keystoreProvider, _password==null?null:_password.toString());
         KeyStore trustStore = getTrustStore(_truststorePath, _truststoreType, _truststoreProvider, _trustPassword == null ? null : _trustPassword.toString());
         Collection<? extends CRL> crls = loadCRL(_crlPath);
+        
+        if (_certAlias == null)
+        {
+            List<String> aliases = Collections.list(keyStore.aliases());
+            _certAlias = aliases.size() == 1 ? aliases.get(0) : null;
+        }
 
-        KeyManager[] keyManagers = getKeyManagers(keyStore, trustStore, crls);
+        Certificate cert = _certAlias == null ? null : keyStore.getCertificate(_certAlias);
+        if (cert == null)
+        {
+            throw new Exception("No certificate found in the keystore"+
+                                (_certAlias == null ? "" : " for alias "+_certAlias));
+        }
+        
+        if (_validateCert)
+        {
+            CertificateValidator validator = new CertificateValidator(keyStore,trustStore,crls);
+            validator.validate(cert);
+        }
+
+        KeyManager[] keyManagers = getKeyManagers(keyStore);
         TrustManager[] trustManagers = getTrustManagers(trustStore, crls);
         
         SecureRandom secureRandom =
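Review bot: The alias fallback in createSSLContext() leaves `_certAlias` null whenever the keystore holds more than one alias, and the next check then throws "No certificate found in the keystore" even though certificates are present. `keyStore.aliases()` also enumerates trusted-certificate entries, so a keystore that carries CA certificates next to a single server key hits the same failure. Counting only key entries and reporting the ambiguous case with its own message would make the startup failure actionable. The fallback also writes the configured field `_certAlias` as a side effect, which getCertAlias() will then report. createSSLContext() continues outside the hunk.

```java
        if (_certAlias == null)
        {
            // Only private-key entries can serve as the connector's identity.
            List<String> keyAliases = new ArrayList<String>();
            for (String alias : Collections.list(keyStore.aliases()))
            {
                if (keyStore.isKeyEntry(alias))
                    keyAliases.add(alias);
            }
            if (keyAliases.size() > 1)
                throw new Exception("Keystore holds "+keyAliases.size()+" key entries; set certAlias to select one");
            _certAlias = keyAliases.isEmpty() ? null : keyAliases.get(0);
        }
        // … unchanged: certificate lookup, optional validation, key and trust manager setup …
```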
@@ -726,20 +838,19 @@
     }
 
     /* ------------------------------------------------------------ */
-    protected KeyManager[] getKeyManagers(KeyStore keyStore, KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
+    protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
     {
         KeyManagerFactory keyManagerFactory=KeyManagerFactory.getInstance(_sslKeyManagerFactoryAlgorithm);
         keyManagerFactory.init(keyStore,_keyPassword==null?(_password==null?null:_password.toString().toCharArray()):_keyPassword.toString().toCharArray());
         KeyManager[] managers = keyManagerFactory.getKeyManagers();
         
-        if (_keyAlias != null)
+        if (_certAlias != null)
         {
             for (int idx=0; idx < managers.length; idx++)
             {
                 if (managers[idx] instanceof X509KeyManager)
                 {
-                    managers[idx] = new SslKeyManager(_keyAlias, (X509KeyManager)managers[idx], 
-                                                      new CertificateValidator(keyStore, trustStore, crls));
+                    managers[idx] = new SslExtendedKeyManager(_certAlias, (X509KeyManager)managers[idx]);
                 }
             }
         }
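Review bot: Dropping the CertificateValidator from the key manager wrapper means the server certificate is now checked only once, in createSSLContext(), and only when `_validateCert` is set; the socket connector's field declaration in this commit leaves that flag at its implicit default of false. A certificate that expires or lands on an updated CRL while the connector is running would then go unnoticed until restart. Whether the old SslKeyManager re-checked on each handshake is not visible here, so that is worth confirming. I would state the new contract above the wrapper, e.g. `// Certificate validation now happens once in createSSLContext(), not in the key manager.` Narrowing the protected getKeyManagers signature also breaks any subclass overriding the three-argument form; the method body continues outside the hunk.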
@@ -794,26 +905,6 @@
         return managers;
     }
     
-    private Collection<? extends CRL> loadCRL(String crlPath) throws Exception
-    {
-        Collection<? extends CRL> crlList = null;
-
-        InputStream in = null;
-        try {
-            in = Resource.newResource(crlPath).getInputStream();
-            crlList = CertificateFactory.getInstance("X.509").generateCRLs(in); 
-        }
-        finally
-        {
-            if (in != null)
-            {
-                in.close();
-            }
-        }
-
-        return crlList;
-    }
-
     /* ------------------------------------------------------------ */
     protected KeyStore getKeyStore(String storePath, String storeType, String storeProvider, String storePassword) throws Exception
     {
@@ -847,6 +938,7 @@
         }
     }
     
+    /* ------------------------------------------------------------ */
     protected KeyStore getTrustStore(String trustPath, String trustType, String trustProvider, String trustPassword) throws Exception
     {
         if (trustPath==null)
@@ -868,4 +960,28 @@
         
         return getKeyStore(trustPath, trustType, trustProvider, trustPassword);
     }
+
+    /* ------------------------------------------------------------ */
+    private Collection<? extends CRL> loadCRL(String crlPath) throws Exception
+    {
+        Collection<? extends CRL> crlList = null;
+
+        if (crlPath != null) 
+        {
+            InputStream in = null;
+            try {
+                in = Resource.newResource(crlPath).getInputStream();
+                crlList = CertificateFactory.getInstance("X.509").generateCRLs(in); 
+            }
+            finally
+            {
+                if (in != null)
+                {
+                    in.close();
+                }
+            }
+        }
+        
+        return crlList;
+    }
 }
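Review bot: loadCRL() returns null when `crlPath` is null, so both consumers of `crls` in createSSLContext() (getTrustManagers() and the CertificateValidator constructor) have to tolerate a null collection, and an unset path quietly means no CRL is supplied. A Javadoc line would pin that contract, e.g. `@return the CRLs read from crlPath, or null if no path is configured`. Logging once at startup when `_validateCert` is enabled without a CRL path would make the reduced revocation coverage visible to operators.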
diff --git a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSocketConnector.java b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSocketConnector.java
index 535f0b4..e111cd4 100644
--- a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSocketConnector.java
+++ b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSocketConnector.java
@@ -22,21 +22,18 @@
 import java.security.SecureRandom;
 import java.security.Security;
 import java.security.cert.CRL;
-import java.security.cert.CertPathBuilder;
 import java.security.cert.CertStore;
-import java.security.cert.CertStoreParameters;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
 import java.security.cert.CollectionCertStoreParameters;
 import java.security.cert.PKIXBuilderParameters;
 import java.security.cert.X509CertSelector;
-import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 
-import javax.management.openmbean.KeyAlreadyExistsException;
 import javax.net.ssl.CertPathTrustManagerParameters;
 import javax.net.ssl.HandshakeCompletedEvent;
 import javax.net.ssl.HandshakeCompletedListener;
@@ -91,7 +88,7 @@
     /** KeyStore type */
     private String _keystoreType="JKS";
     /** SSL key alias */
-    private String _keyAlias;
+    private String _certAlias;
 
     /** TrustStore path */
     private String _truststorePath;
@@ -104,6 +101,8 @@
     private boolean _needClientAuth=false;
     /** Set to true if client certificate authentication is desired */
     private boolean _wantClientAuth=false;
+    /** Set to true if SSL certificate validation is required */
+    private boolean _validateCert;
     /** Set to true if renegotiation is allowed */
     private boolean _allowRenegotiate=false;
 
@@ -147,6 +146,223 @@
 
     /* ------------------------------------------------------------ */
     /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites()
+     */
+    public String[] getExcludeCipherSuites()
+    {
+        return _excludeCipherSuites;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[])
+     */
+    public void setExcludeCipherSuites(String[] cipherSuites)
+    {
+        this._excludeCipherSuites=cipherSuites;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites()
+     */
+    public String[] getIncludeCipherSuites()
+    {
+        return _includeCipherSuites;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[])
+     */
+    public void setIncludeCipherSuites(String[] cipherSuites)
+    {
+        this._includeCipherSuites=cipherSuites;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getKeystore()
+     */
+    public String getKeystore()
+    {
+        return _keystorePath;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setKeystore(java.lang.String)
+     */
+    public void setKeystore(String keystore)
+    {
+        _keystorePath=keystore;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getKeystoreProvider()
+     */
+    public String getKeystoreProvider()
+    {
+        return _keystoreProvider;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setKeystoreProvider(java.lang.String)
+     */
+    public void setKeystoreProvider(String keystoreProvider)
+    {
+        _keystoreProvider = keystoreProvider;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getKeystoreType()
+     */
+    public String getKeystoreType()
+    {
+        return (_keystoreType);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setKeystoreType(java.lang.String)
+     */
+    public void setKeystoreType(String keystoreType)
+    {
+        _keystoreType=keystoreType;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getCertAlias()
+     */
+    public String getCertAlias()
+    {
+        return _certAlias;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setCertAlias(java.lang.String)
+     */
+    public void setCertAlias(String certAlias)
+    {
+        this._certAlias = certAlias;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getTruststore()
+     */
+    public String getTruststore()
+    {
+        return _truststorePath;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setTruststore(java.lang.String)
+     */
+    public void setTruststore(String truststore)
+    {
+        _truststorePath=truststore;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getTruststoreProvider()
+     */
+    public String getTruststoreProvider()
+    {
+        return _truststoreProvider;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setTruststoreProvider(java.lang.String)
+     */
+    public void setTruststoreProvider(String truststoreProvider)
+    {
+        _truststoreProvider = truststoreProvider;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getTruststoreType()
+     */
+    public String getTruststoreType()
+    {
+        return _truststoreType;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setTruststoreType(java.lang.String)
+     */
+    public void setTruststoreType(String truststoreType)
+    {
+        _truststoreType=truststoreType;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getNeedClientAuth()
+     */
+    public boolean getNeedClientAuth()
+    {
+        return _needClientAuth;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setNeedClientAuth(boolean)
+     */
+    public void setNeedClientAuth(boolean needClientAuth)
+    {
+        _needClientAuth=needClientAuth;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getWantClientAuth()
+     */
+    public boolean getWantClientAuth()
+    {
+        return _wantClientAuth;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setWantClientAuth(boolean)
+     */
+    public void setWantClientAuth(boolean wantClientAuth)
+    {
+        _wantClientAuth=wantClientAuth;
+    }
+
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getValidateCert()
+     */
+    public boolean getValidateCert()
+    {
+        return _validateCert;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setValidateCert(boolean)
+     */
+    public void setValidateCert(boolean validateCert)
+    {
+        _validateCert = validateCert;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
      * @return True if SSL re-negotiation is allowed (default false)
      */
     public boolean isAllowRenegotiate()
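Review bot: The `@see` tags on getIncludeCipherSuites() and setIncludeCipherSuites() point at `getExcludeCipherSuites()` and `setExcludeCipherSuites(java.lang.String[])`, apparently copied from the two methods above; they should name the Include counterparts if the interface declares them. The four cipher-suite accessors also store and return the caller's array directly, so a later write to that array changes the connector's TLS configuration. A defensive copy such as `this._excludeCipherSuites = cipherSuites == null ? null : cipherSuites.clone();`, with the same on the getter side, would avoid that.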
@@ -158,7 +374,7 @@
     /**
      * Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered
      * a vulnerability in SSL/TLS with re-negotiation.  If your JVM
-     * does not have CVE-2009-3555 fixed, then re-negotiation should 
+     * does not have CVE-2009-3555 fixed, then re-negotiation should
      * not be allowed.
      * @param allowRenegotiate true if re-negotiation is allowed (default false)
      */
@@ -168,6 +384,296 @@
     }
 
     /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setPassword(java.lang.String)
+     */
+    public void setPassword(String password)
+    {
+        _password=Password.getPassword(PASSWORD_PROPERTY,password,null);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setKeyPassword(java.lang.String)
+     */
+    public void setKeyPassword(String password)
+    {
+        _keyPassword=Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setTrustPassword(java.lang.String)
+     */
+    public void setTrustPassword(String password)
+    {
+        _trustPassword=Password.getPassword(PASSWORD_PROPERTY,password,null);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getProvider()
+     */
+    public String getProvider()
+    {
+        return _sslProvider;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setProvider(java.lang.String)
+     */
+    public void setProvider(String provider)
+    {
+        _sslProvider=provider;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getProtocol()
+     */
+    public String getProtocol()
+    {
+        return _sslProtocol;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setProtocol(java.lang.String)
+     */
+    public void setProtocol(String protocol)
+    {
+        _sslProtocol=protocol;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getSecureRandomAlgorithm()
+     */
+    public String getSecureRandomAlgorithm()
+    {
+        return _secureRandomAlgorithm;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setSecureRandomAlgorithm(java.lang.String)
+     */
+    public void setSecureRandomAlgorithm(String algorithm)
+    {
+        this._secureRandomAlgorithm=algorithm;
+    }
+
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getSslKeyManagerFactoryAlgorithm()
+     */
+    public String getSslKeyManagerFactoryAlgorithm()
+    {
+        return (this._sslKeyManagerFactoryAlgorithm);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setSslKeyManagerFactoryAlgorithm(java.lang.String)
+     */
+    public void setSslKeyManagerFactoryAlgorithm(String algorithm)
+    {
+        this._sslKeyManagerFactoryAlgorithm=algorithm;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#getSslTrustManagerFactoryAlgorithm()
+     */
+    public String getSslTrustManagerFactoryAlgorithm()
+    {
+        return (this._sslTrustManagerFactoryAlgorithm);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setSslTrustManagerFactoryAlgorithm(java.lang.String)
+     */
+    public void setSslTrustManagerFactoryAlgorithm(String algorithm)
+    {
+        this._sslTrustManagerFactoryAlgorithm=algorithm;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @deprecated use {@link #getSslKeyManagerFactoryAlgorithm()} or
+     * {@link #getSslTrustManagerFactoryAlgorithm()}
+     */
+    @Deprecated
+    public String getAlgorithm()
+    {
+        return getSslKeyManagerFactoryAlgorithm();
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @deprecated use {@link #setSslKeyManagerFactoryAlgorithm(String)} or
+     * {@link #setSslTrustManagerFactoryAlgorithm(String)}
+     */
+    @Deprecated
+    public void setAlgorithm(String algorithm)
+    {
+        setSslKeyManagerFactoryAlgorithm(algorithm);
+        setSslTrustManagerFactoryAlgorithm(algorithm);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setCrlPath(java.lang.String)
+     */
+    public void setCrlPath(String crlPath)
+    {
+        _crlPath = crlPath;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getCrlPath()
+     */
+    public String getCrlPath()
+    {
+        return _crlPath;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getMaxCertPathLength()
+     */
+    public int getMaxCertPathLength()
+    {
+        return _maxCertPathLength;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setMaxCertPathLength(int)
+     */
+    public void setMaxCertPathLength(int maxCertPathLength)
+    {
+        _maxCertPathLength = maxCertPathLength;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * Set the time in milliseconds for so_timeout during ssl handshaking
+     * @param msec a non-zero value will be used to set so_timeout during
+     * ssl handshakes. A zero value means the maxIdleTime is used instead.
+     */
+    public void setHandshakeTimeout (int msec)
+    {
+        _handshakeTimeout = msec;
+    }
+    
+
+    /* ------------------------------------------------------------ */
+    public int getHandshakeTimeout ()
+    {
+        return _handshakeTimeout;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
+     */
+    public SSLContext getSslContext()
+    {
+        try
+        {
+            if (_context == null)
+                _context=createSSLContext();
+        }
+        catch(Exception e)
+        {
+            throw new RuntimeException(e);
+        }
+         
+        return _context;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setSslContext(javax.net.ssl.SSLContext)
+     */
+    public void setSslContext(SSLContext sslContext)
+    {
+        _context = sslContext;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * By default, we're confidential, given we speak SSL. But, if we've been told about an
+     * confidential port, and said port is not our port, then we're not. This allows separation of
+     * listeners providing INTEGRAL versus CONFIDENTIAL constraints, such as one SSL listener
+     * configured to require client certs providing CONFIDENTIAL, whereas another SSL listener not
+     * requiring client certs providing mere INTEGRAL constraints.
+     */
+    @Override
+    public boolean isConfidential(Request request)
+    {
+        final int confidentialPort = getConfidentialPort();
+        return confidentialPort == 0 || confidentialPort == request.getServerPort();
+    }
+    
+    /* ------------------------------------------------------------ */
+    /**
+     * By default, we're integral, given we speak SSL. But, if we've been told about an integral
+     * port, and said port is not our port, then we're not. This allows separation of listeners
+     * providing INTEGRAL versus CONFIDENTIAL constraints, such as one SSL listener configured to
+     * require client certs providing CONFIDENTIAL, whereas another SSL listener not requiring
+     * client certs providing mere INTEGRAL constraints.
+     */
+    @Override
+    public boolean isIntegral(Request request)
+    {
+        final int integralPort = getIntegralPort();
+        return integralPort == 0 || integralPort == request.getServerPort();
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * Allow the Listener a chance to customise the request. before the server does its stuff. <br>
+     * This allows the required attributes to be set for SSL requests. <br>
+     * The requirements of the Servlet specs are:
+     * <ul>
+     * <li> an attribute named "javax.servlet.request.ssl_id" of type String (since Spec 3.0).</li>
+     * <li> an attribute named "javax.servlet.request.cipher_suite" of type String.</li>
+     * <li> an attribute named "javax.servlet.request.key_size" of type Integer.</li>
+     * <li> an attribute named "javax.servlet.request.X509Certificate" of type
+     * java.security.cert.X509Certificate[]. This is an array of objects of type X509Certificate,
+     * the order of this array is defined as being in ascending order of trust. The first
+     * certificate in the chain is the one set by the client, the next is the one used to
+     * authenticate the first, and so on. </li>
+     * </ul>
+     * 
+     * @param endpoint The Socket the request arrived on. 
+     *        This should be a {@link SocketEndPoint} wrapping a {@link SSLSocket}.
+     * @param request HttpRequest to be customised.
+     */
+    @Override
+    public void customize(EndPoint endpoint, Request request)
+        throws IOException
+    {
+        super.customize(endpoint, request);
+        request.setScheme(HttpSchemes.HTTPS);
+        
+        SocketEndPoint socket_end_point = (SocketEndPoint)endpoint;
+        SSLSocket sslSocket = (SSLSocket)socket_end_point.getTransport();
+        SSLSession sslSession = sslSocket.getSession();
+
+        SslCertificates.customize(sslSession,endpoint,request);
+    }
+    
+    /* ------------------------------------------------------------ */
+    /**
+     * @see org.eclipse.jetty.server.bio.SocketConnector#accept(int)
+     */
     @Override
     public void accept(int acceptorID)
         throws IOException, InterruptedException
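Review bot: setTrustPassword() resolves its value through `PASSWORD_PROPERTY`, the same key setPassword() uses. If Password.getPassword() consults that system property before the supplied default (its definition is not visible here), one override would replace both the keystore and the truststore password. If the sharing is intended, a comment such as `// shares PASSWORD_PROPERTY with setPassword(): a property override applies to both stores` would save the next reader the question. Separately, the Javadoc on getSslContext() carries an `@see` for setSslContext, and getHandshakeTimeout() has no Javadoc at all. accept()'s body continues outside the hunk.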
@@ -186,15 +692,142 @@
     {   
         super.configure(socket);
     }
+    
 
+    @Override
+    protected void doStart() throws Exception
+    {
+        if (_context == null)
+           _context=createSSLContext();
+        
+        super.doStart();
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @param host The host name that this server should listen on
+     * @param port the port that this server should listen on 
+     * @param backlog See {@link ServerSocket#bind(java.net.SocketAddress, int)}
+     * @return A new {@link ServerSocket socket object} bound to the supplied address with all other
+     * settings as per the current configuration of this connector. 
+     * @see #setWantClientAuth(boolean)
+     * @see #setNeedClientAuth(boolean)
+     * @exception IOException
+     */
+    @Override
+    protected ServerSocket newServerSocket(String host, int port,int backlog) throws IOException
+    {
+        SSLServerSocketFactory factory = null;
+        SSLServerSocket socket = null;
+
+        try
+        { 
+            factory = createFactory();
+
+            socket = (SSLServerSocket) (host==null?
+                            factory.createServerSocket(port,backlog):
+                            factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
+
+            if (_wantClientAuth)
+                socket.setWantClientAuth(_wantClientAuth);
+            if (_needClientAuth)
+                socket.setNeedClientAuth(_needClientAuth);
+
+            if ((_excludeCipherSuites!=null&&_excludeCipherSuites.length>0)
+                        || (_includeCipherSuites!=null&&_includeCipherSuites.length>0))
+            {
+                List<String> includedCSList;
+                if (_includeCipherSuites!=null)
+                {
+                        includedCSList = Arrays.asList(_includeCipherSuites);
+                } else {
+                        includedCSList = new ArrayList<String>();
+                }
+                List<String> excludedCSList;
+                if (_excludeCipherSuites!=null)
+                {
+                        excludedCSList = Arrays.asList(_excludeCipherSuites);
+                } else {
+                        excludedCSList = new ArrayList<String>();
+                }
+                String[] enabledCipherSuites = socket.getEnabledCipherSuites();
+                List<String> enabledCSList = new ArrayList<String>(Arrays.asList(enabledCipherSuites));
+                
+                String[] supportedCipherSuites = socket.getSupportedCipherSuites();
+                List<String> supportedCSList = Arrays.asList(supportedCipherSuites);
+                
+                for (String cipherName : includedCSList)
+                {
+                    if ((!enabledCSList.contains(cipherName))
+                                && supportedCSList.contains(cipherName))
+                    {
+                        enabledCSList.add(cipherName);
+                    }
+                }
+
+                for (String cipherName : excludedCSList)
+                {
+                    if (enabledCSList.contains(cipherName))
+                    {
+                        enabledCSList.remove(cipherName);
+                    }
+                }
+                enabledCipherSuites = enabledCSList.toArray(new String[enabledCSList.size()]);
+
+                socket.setEnabledCipherSuites(enabledCipherSuites);
+            }
+            
+        }
+        catch (IOException e)
+        {
+            throw e;
+        }
+        catch (Exception e)
+        {
+            Log.warn(e.toString());
+            Log.debug(e);
+            throw new IOException("!JsseListener: " + e);
+        }
+        return socket;
+    }
+
+    /* ------------------------------------------------------------ */
+    protected SSLServerSocketFactory createFactory() 
+        throws Exception
+    {
+        if (_context == null)
+            _context = createSSLContext();
+        
+        return _context.getServerSocketFactory();
+    }
+    
     /* ------------------------------------------------------------ */
     protected SSLContext createSSLContext() throws Exception
     {
         KeyStore keyStore = getKeyStore(_keystorePath, _keystoreType, _keystoreProvider, _password==null?null:_password.toString());
         KeyStore trustStore = getTrustStore(_truststorePath, _truststoreType, _truststoreProvider, _trustPassword == null ? null : _trustPassword.toString());
         Collection<? extends CRL> crls = loadCRL(_crlPath);
+        
+        if (_certAlias == null)
+        {
+            List<String> aliases = Collections.list(keyStore.aliases());
+            _certAlias = aliases.size() == 1 ? aliases.get(0) : null;
+        }
 
-        KeyManager[] keyManagers = getKeyManagers(keyStore, trustStore, crls);
+        Certificate cert = _certAlias == null ? null : keyStore.getCertificate(_certAlias);
+        if (cert == null)
+        {
+            throw new Exception("No certificate found in the keystore"+
+                                (_certAlias == null ? "" : " for alias "+_certAlias));
+        }
+        
+        if (_validateCert)
+        {
+            CertificateValidator certValidator = new CertificateValidator(keyStore,trustStore,crls);
+            certValidator.validate(cert);
+        }
+
+        KeyManager[] keyManagers = getKeyManagers(keyStore);
         TrustManager[] trustManagers = getTrustManagers(trustStore, crls);
         
         SecureRandom secureRandom =
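Review bot: In createSSLContext the `cert == null` check runs even when `_validateCert` is false, so a keystore with more than one alias and no configured `_certAlias` now fails startup with "No certificate found in the keystore", although within this hunk the certificate is used only by the validator. Keystores that carry trusted-certificate entries next to the key entry are common, so I would narrow the guard to `if (_validateCert && cert == null)` and have the message say that an alias must be configured when several entries exist. The body of createSSLContext continues past the end of this hunk. Separately, in newServerSocket `_includeCipherSuites` only adds suites to the JVM's enabled defaults and is not an allow-list; a Javadoc sentence should state that unwanted default suites have to be named in `_excludeCipherSuites`.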
@@ -204,21 +837,10 @@
         context.init(keyManagers,trustManagers,secureRandom);
 
         return context;
-    }
-    
-    /* ------------------------------------------------------------ */
-    protected SSLServerSocketFactory createFactory() 
-        throws Exception
-    {
-        if (_context == null)
-            _context = createSSLContext();
-    	
-        return _context.getServerSocketFactory();
-    }
-    
+    }    
 
     /* ------------------------------------------------------------ */
-    protected KeyManager[] getKeyManagers(KeyStore keyStore, KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
+    protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
     {
         KeyManagerFactory keyManagerFactory=KeyManagerFactory.getInstance(_sslKeyManagerFactoryAlgorithm);
         keyManagerFactory.init(keyStore,_keyPassword==null?(_password==null?null:_password.toString().toCharArray()):_keyPassword.toString().toCharArray());
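Review bot: The server certificate is now checked only once, in createSSLContext and only when `_validateCert` is set, because getKeyManagers no longer receives the trust store and CRLs. A certificate that expires or is added to the CRL while the connector runs therefore stays in use until the context is rebuilt. If that is the intended model, a Javadoc on this method should say so, for example `Certificate validation happens once in createSSLContext(); the key managers returned here do not re-validate.` Subclasses that overrode the old three-argument protected signature will also silently stop being called. getKeyManagers continues past the end of this hunk.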
@@ -228,8 +850,7 @@
         {
             if (managers[idx] instanceof X509KeyManager)
             {
-                managers[idx] = new SslKeyManager(_keyAlias, (X509KeyManager)managers[idx], 
-                                                  new CertificateValidator(keyStore, trustStore, crls));
+                managers[idx] = new SslKeyManager(_certAlias, (X509KeyManager)managers[idx]);
             }
         }
         
@@ -283,26 +904,6 @@
         return managers;
     }
     
-    private Collection<? extends CRL> loadCRL(String crlPath) throws Exception
-    {
-        Collection<? extends CRL> crlList = null;
-
-        InputStream in = null;
-        try {
-            in = Resource.newResource(crlPath).getInputStream();
-            crlList = CertificateFactory.getInstance("X.509").generateCRLs(in); 
-        }
-        finally
-        {
-            if (in != null)
-            {
-                in.close();
-            }
-        }
-
-        return crlList;
-    }
-
     /* ------------------------------------------------------------ */
     protected KeyStore getKeyStore(String storePath, String storeType, String storeProvider, String storePassword) throws Exception
     {
@@ -336,6 +937,7 @@
         }
     }
     
+    /* ------------------------------------------------------------ */
     protected KeyStore getTrustStore(String trustPath, String trustType, String trustProvider, String trustPassword) throws Exception
     {
         if (trustPath==null)
@@ -359,417 +961,24 @@
     }
 
     /* ------------------------------------------------------------ */
-    /**
-     * Allow the Listener a chance to customise the request. before the server does its stuff. <br>
-     * This allows the required attributes to be set for SSL requests. <br>
-     * The requirements of the Servlet specs are:
-     * <ul>
-     * <li> an attribute named "javax.servlet.request.ssl_id" of type String (since Spec 3.0).</li>
-     * <li> an attribute named "javax.servlet.request.cipher_suite" of type String.</li>
-     * <li> an attribute named "javax.servlet.request.key_size" of type Integer.</li>
-     * <li> an attribute named "javax.servlet.request.X509Certificate" of type
-     * java.security.cert.X509Certificate[]. This is an array of objects of type X509Certificate,
-     * the order of this array is defined as being in ascending order of trust. The first
-     * certificate in the chain is the one set by the client, the next is the one used to
-     * authenticate the first, and so on. </li>
-     * </ul>
-     * 
-     * @param endpoint The Socket the request arrived on. 
-     *        This should be a {@link SocketEndPoint} wrapping a {@link SSLSocket}.
-     * @param request HttpRequest to be customised.
-     */
-    @Override
-    public void customize(EndPoint endpoint, Request request)
-        throws IOException
+    private Collection<? extends CRL> loadCRL(String crlPath) throws Exception
     {
-        super.customize(endpoint, request);
-        request.setScheme(HttpSchemes.HTTPS);
-        
-        SocketEndPoint socket_end_point = (SocketEndPoint)endpoint;
-        SSLSocket sslSocket = (SSLSocket)socket_end_point.getTransport();
-        SSLSession sslSession = sslSocket.getSession();
+        Collection<? extends CRL> crlList = null;
 
-        SslCertificates.customize(sslSession,endpoint,request);
-    }
-
-    /* ------------------------------------------------------------ */    
-    public String[] getExcludeCipherSuites() {
-        return _excludeCipherSuites;
-    }
-    
-    /* ------------------------------------------------------------ */
-    public String[] getIncludeCipherSuites()
-    {
-        return _includeCipherSuites;
-    }
-
-    /* ------------------------------------------------------------ */
-    public String getKeystore()
-    {
-        return _keystorePath;
-    }
-
-    /* ------------------------------------------------------------ */
-    public String getKeystoreType() 
-    {
-        return (_keystoreType);
-    }
-
-    /* ------------------------------------------------------------ */
-    public boolean getNeedClientAuth()
-    {
-        return _needClientAuth;
-    }
-
-    /* ------------------------------------------------------------ */
-    public String getProtocol() 
-    {
-        return _sslProtocol;
-    }
-
-    /* ------------------------------------------------------------ */
-    public String getProvider() {
-	return _sslProvider;
-    }
-
-    /* ------------------------------------------------------------ */
-    public String getSecureRandomAlgorithm() 
-    {
-        return (this._secureRandomAlgorithm);
-    }
-
-    /* ------------------------------------------------------------ */
-    public String getSslKeyManagerFactoryAlgorithm() 
-    {
-        return (this._sslKeyManagerFactoryAlgorithm);
-    }
-
-    /* ------------------------------------------------------------ */
-    public String getSslTrustManagerFactoryAlgorithm() 
-    {
-        return (this._sslTrustManagerFactoryAlgorithm);
-    }
-
-    /* ------------------------------------------------------------ */
-    public String getTruststore()
-    {
-        return _truststorePath;
-    }
-
-    /* ------------------------------------------------------------ */
-    public String getTruststoreType()
-    {
-        return _truststoreType;
-    }
-
-    /* ------------------------------------------------------------ */
-    public boolean getWantClientAuth()
-    {
-        return _wantClientAuth;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * By default, we're confidential, given we speak SSL. But, if we've been told about an
-     * confidential port, and said port is not our port, then we're not. This allows separation of
-     * listeners providing INTEGRAL versus CONFIDENTIAL constraints, such as one SSL listener
-     * configured to require client certs providing CONFIDENTIAL, whereas another SSL listener not
-     * requiring client certs providing mere INTEGRAL constraints.
-     */
-    @Override
-    public boolean isConfidential(Request request)
-    {
-        final int confidentialPort = getConfidentialPort();
-        return confidentialPort == 0 || confidentialPort == request.getServerPort();
-    }
-    
-    /* ------------------------------------------------------------ */
-    /**
-     * By default, we're integral, given we speak SSL. But, if we've been told about an integral
-     * port, and said port is not our port, then we're not. This allows separation of listeners
-     * providing INTEGRAL versus CONFIDENTIAL constraints, such as one SSL listener configured to
-     * require client certs providing CONFIDENTIAL, whereas another SSL listener not requiring
-     * client certs providing mere INTEGRAL constraints.
-     */
-    @Override
-    public boolean isIntegral(Request request)
-    {
-        final int integralPort = getIntegralPort();
-        return integralPort == 0 || integralPort == request.getServerPort();
-    }
-    
-    /* ------------------------------------------------------------ */
-    /**
-     * @param host The host name that this server should listen on
-     * @param port the port that this server should listen on 
-     * @param backlog See {@link ServerSocket#bind(java.net.SocketAddress, int)}
-     * @return A new {@link ServerSocket socket object} bound to the supplied address with all other
-     * settings as per the current configuration of this connector. 
-     * @see #setWantClientAuth(boolean)
-     * @see #setNeedClientAuth(boolean)
-     * @exception IOException
-     */
-
-    /* ------------------------------------------------------------ */
-    @Override
-    protected ServerSocket newServerSocket(String host, int port,int backlog) throws IOException
-    {
-        SSLServerSocketFactory factory = null;
-        SSLServerSocket socket = null;
-
-        try
+        InputStream in = null;
+        try {
+            in = Resource.newResource(crlPath).getInputStream();
+            crlList = CertificateFactory.getInstance("X.509").generateCRLs(in); 
+        }
+        finally
         {
-            factory = createFactory();
-
-            socket = (SSLServerSocket) (host==null?
-                            factory.createServerSocket(port,backlog):
-                            factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
-
-            if (_wantClientAuth)
-                socket.setWantClientAuth(_wantClientAuth);
-            if (_needClientAuth)
-                socket.setNeedClientAuth(_needClientAuth);
-
-            if ((_excludeCipherSuites!=null&&_excludeCipherSuites.length>0)
-                	|| (_includeCipherSuites!=null&&_includeCipherSuites.length>0))
+            if (in != null)
             {
-            	List<String> includedCSList;
-                if (_includeCipherSuites!=null)
-                {
-                	includedCSList = Arrays.asList(_includeCipherSuites);
-                } else {
-                	includedCSList = new ArrayList<String>();
-                }
-                List<String> excludedCSList;
-                if (_excludeCipherSuites!=null)
-                {
-                	excludedCSList = Arrays.asList(_excludeCipherSuites);
-                } else {
-                	excludedCSList = new ArrayList<String>();
-                }
-                String[] enabledCipherSuites = socket.getEnabledCipherSuites();
-                List<String> enabledCSList = new ArrayList<String>(Arrays.asList(enabledCipherSuites));
-                
-                String[] supportedCipherSuites = socket.getSupportedCipherSuites();
-                List<String> supportedCSList = Arrays.asList(supportedCipherSuites);
-                
-            	for (String cipherName : includedCSList)
-                {
-                    if ((!enabledCSList.contains(cipherName))
-                    		&& supportedCSList.contains(cipherName))
-                    {
-                        enabledCSList.add(cipherName);
-                    }
-                }
-
-                for (String cipherName : excludedCSList)
-                {
-                    if (enabledCSList.contains(cipherName))
-                    {
-                        enabledCSList.remove(cipherName);
-                    }
-                }
-                enabledCipherSuites = enabledCSList.toArray(new String[enabledCSList.size()]);
-
-                socket.setEnabledCipherSuites(enabledCipherSuites);
+                in.close();
             }
-            
         }
-        catch (IOException e)
-        {
-            throw e;
-        }
-        catch (Exception e)
-        {
-            Log.warn(e.toString());
-            Log.debug(e);
-            throw new IOException("!JsseListener: " + e);
-        }
-        return socket;
-    }
 
-    /* ------------------------------------------------------------ */
-    /** 
-     * 
-     */
-    public void setExcludeCipherSuites(String[] cipherSuites) {
-        this._excludeCipherSuites = cipherSuites;
-    }
-
-    /* ------------------------------------------------------------ */
-    public void setIncludeCipherSuites(String[] cipherSuites)
-    {
-        this._includeCipherSuites=cipherSuites;
-    }
-
-    /* ------------------------------------------------------------ */
-    public void setKeyPassword(String password)
-    {
-        _keyPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @param keystore The resource path to the keystore, or null for built in keystores.
-     */
-    public void setKeystore(String keystore)
-    {
-        _keystorePath = keystore;
-    }
-
-    /* ------------------------------------------------------------ */
-    public void setKeystoreType(String keystoreType) 
-    {
-        _keystoreType = keystoreType;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * Set the value of the needClientAuth property
-     * 
-     * @param needClientAuth true iff we require client certificate authentication.
-     */
-    public void setNeedClientAuth(boolean needClientAuth)
-    {
-        _needClientAuth = needClientAuth;
-    }
-    
-    /* ------------------------------------------------------------ */
-    public void setPassword(String password)
-    {
-        _password = Password.getPassword(PASSWORD_PROPERTY,password,null);
-    }
-    
-    /* ------------------------------------------------------------ */
-    public void setTrustPassword(String password)
-    {
-        _trustPassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
-    }
-
-    /* ------------------------------------------------------------ */
-    public void setProtocol(String protocol) 
-    {
-        _sslProtocol = protocol;
-    }
-
-    /* ------------------------------------------------------------ */
-    public void setProvider(String _provider) {
-	this._sslProvider = _provider;
-    }
-
-    /* ------------------------------------------------------------ */
-    public void setSecureRandomAlgorithm(String algorithm) 
-    {
-        this._secureRandomAlgorithm = algorithm;
-    }
-
-    /* ------------------------------------------------------------ */
-    public void setSslKeyManagerFactoryAlgorithm(String algorithm) 
-    {
-        this._sslKeyManagerFactoryAlgorithm = algorithm;
-    }
-    
-    /* ------------------------------------------------------------ */
-    public void setSslTrustManagerFactoryAlgorithm(String algorithm) 
-    {
-        this._sslTrustManagerFactoryAlgorithm = algorithm;
-    }
-
-
-    public void setTruststore(String truststore)
-    {
-        _truststorePath = truststore;
-    }
-    
-
-    public void setTruststoreType(String truststoreType)
-    {
-        _truststoreType = truststoreType;
-    }
-    
-    public void setSslContext(SSLContext sslContext)
-    {
-    	_context = sslContext;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
-     */
-    public SSLContext getSslContext()
-    {
-        try
-        {
-            if (_context == null)
-                _context=createSSLContext();
-        }
-        catch(Exception e)
-        {
-            throw new RuntimeException(e);
-        }
-         
-        return _context;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * Set the value of the _wantClientAuth property. This property is used 
-     * internally when opening server sockets.
-     * 
-     * @param wantClientAuth true if we want client certificate authentication.
-     * @see SSLServerSocket#setWantClientAuth
-     */
-    public void setWantClientAuth(boolean wantClientAuth)
-    {
-        _wantClientAuth = wantClientAuth;
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * Set the time in milliseconds for so_timeout during ssl handshaking
-     * @param msec a non-zero value will be used to set so_timeout during
-     * ssl handshakes. A zero value means the maxIdleTime is used instead.
-     */
-    public void setHandshakeTimeout (int msec)
-    {
-        _handshakeTimeout = msec;
-    }
-    
-
-    /* ------------------------------------------------------------ */
-    public int getHandshakeTimeout ()
-    {
-        return _handshakeTimeout;
-    }
-
-    public void setKeystoreProvider(String keystoreProvider)
-    {
-        _keystoreProvider = keystoreProvider;
-    }
-
-    public String getKeystoreProvider()
-    {
-        return _keystoreProvider;
-    }
-
-    public void setTruststoreProvider(String truststoreProvider)
-    {
-        _truststoreProvider = truststoreProvider;
-    }
-
-    public String getTruststoreProvider()
-    {
-        return _truststoreProvider;
-    }
-
-    public void setCrlPath(String crlPath)
-    {
-        _crlPath = crlPath;
-    }
-
-    public String getCrlPath()
-    {
-        return _crlPath;
+        return crlList;
     }
 
     /* ------------------------------------------------------------ */
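Review bot: loadCRL passes `crlPath` straight to `Resource.newResource`, and createSSLContext calls it unconditionally, so a connector with no CRL configured depends on how `Resource.newResource(null)` behaves, which is not visible here. If it rejects null, the connector cannot start without a CRL file. An early return such as `if (crlPath == null) return Collections.emptyList();` would make the CRL optional, provided getTrustManagers and CertificateValidator accept an empty collection. The method also deserves a short Javadoc stating that the file is read once at context creation and that a missing or unparsable file aborts startup.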
@@ -835,26 +1044,4 @@
             } 
         }
     }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * Unsupported.
-     * 
-     * TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past)
-     */
-    public String getAlgorithm()
-    {
-        throw new UnsupportedOperationException();
-    }
-
-    /* ------------------------------------------------------------ */
-    /**
-     * Unsupported.
-     * 
-     * TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past)
-     */
-    public void setAlgorithm(String algorithm)
-    {
-        throw new UnsupportedOperationException();
-    }
 }
diff --git a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/SslExtendedKeyManager.java b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/SslExtendedKeyManager.java
new file mode 100644
index 0000000..1bcf964
--- /dev/null
+++ b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/SslExtendedKeyManager.java
@@ -0,0 +1,107 @@
+// ========================================================================
+// Copyright (c) 2009-2009 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+// The Eclipse Public License is available at 
+// http://www.eclipse.org/legal/epl-v10.html
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+// You may elect to redistribute this code under either of these licenses. 
+// ========================================================================
+
+
+package org.eclipse.jetty.exssl;
+
+import java.net.Socket;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.X509KeyManager;
+import javax.net.ssl.X509ExtendedKeyManager;
+
+
+/* ------------------------------------------------------------ */
+/**
+ * KeyManager to select a key with desired alias
+ */
+public class SslExtendedKeyManager extends X509ExtendedKeyManager
+{
+    private String _keyAlias;
+    private X509KeyManager _keyManager;
+
+    /* ------------------------------------------------------------ */
+    public SslExtendedKeyManager(String keyAlias, X509KeyManager keyManager) throws Exception
+    {
+        _keyAlias = keyAlias;
+        _keyManager = keyManager;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see javax.net.ssl.X509KeyManager#chooseClientAlias(java.lang.String[], java.security.Principal[], java.net.Socket)
+     */
+    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
+    {
+        return _keyManager.chooseClientAlias(keyType, issuers, socket);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see javax.net.ssl.X509KeyManager#chooseServerAlias(java.lang.String, java.security.Principal[], java.net.Socket)
+     */
+    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
+    {   
+        return _keyAlias == null ?_keyManager.chooseServerAlias(keyType, issuers, socket) : _keyAlias;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see javax.net.ssl.X509KeyManager#getClientAliases(java.lang.String, java.security.Principal[])
+     */
+    public String[] getClientAliases(String keyType, Principal[] issuers)
+    {
+        return _keyManager.getClientAliases(keyType, issuers);
+    }
+
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see javax.net.ssl.X509KeyManager#getServerAliases(java.lang.String, java.security.Principal[])
+     */
+    public String[] getServerAliases(String keyType, Principal[] issuers)
+    {
+        return _keyManager.getServerAliases(keyType, issuers);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see javax.net.ssl.X509KeyManager#getCertificateChain(java.lang.String)
+     */
+    public X509Certificate[] getCertificateChain(String alias)
+    {
+        return _keyManager.getCertificateChain(alias);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see javax.net.ssl.X509KeyManager#getPrivateKey(java.lang.String)
+     */
+    public PrivateKey getPrivateKey(String alias)
+    {
+        return _keyManager.getPrivateKey(alias);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see javax.net.ssl.X509ExtendedKeyManager#chooseEngineServerAlias(java.lang.String, java.security.Principal[], javax.net.ssl.SSLEngine)
+     */
+    @Override
+    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine)
+    {
+        return _keyAlias == null ? super.chooseEngineServerAlias(keyType,issuers,engine) : _keyAlias;
+    }
+}
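Review bot: In chooseEngineServerAlias the fallback for a null `_keyAlias` calls `super.chooseEngineServerAlias`, and the JDK base implementation in X509ExtendedKeyManager returns null, so an SSLEngine-based connector without a configured alias gets no server certificate instead of the wrapped manager's choice. The socket variant chooseServerAlias delegates to `_keyManager` in the same situation, so the two paths disagree. I would delegate to the wrapped manager when it is itself an X509ExtendedKeyManager, as sketched below. The two fields are never reassigned and can be `private final`, and the constructor's `throws Exception` has nothing to throw.

```java
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine)
    {
        if (_keyAlias != null)
            return _keyAlias;
        // the JDK base class returns null here, so ask the wrapped manager when it can answer
        if (_keyManager instanceof X509ExtendedKeyManager)
            return ((X509ExtendedKeyManager)_keyManager).chooseEngineServerAlias(keyType,issuers,engine);
        return null;
    }
```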
diff --git a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/SslKeyManager.java b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/SslKeyManager.java
index 8883e8e..da468d6 100644
--- a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/SslKeyManager.java
+++ b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/SslKeyManager.java
@@ -30,15 +30,12 @@
 {
     private String _keyAlias;
     private X509KeyManager _keyManager;
-    private CertificateValidator _certValidator;
 
     /* ------------------------------------------------------------ */
-    public SslKeyManager(String keyAlias, X509KeyManager keyManager, 
-                         CertificateValidator certValidator) throws Exception
+    public SslKeyManager(String keyAlias, X509KeyManager keyManager) throws Exception
     {
         _keyAlias = keyAlias;
         _keyManager = keyManager;
-        _certValidator = certValidator;
     }
 
     /* ------------------------------------------------------------ */
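Review bot: `_keyAlias` and `_keyManager` are no longer reassigned after construction, since chooseServerAlias in the next hunk stops writing `_keyAlias`, so both can be declared `private final`. The constructor now only stores its two arguments, so `throws Exception` can be dropped from `public SslKeyManager(String keyAlias, X509KeyManager keyManager)`. The class declaration itself starts outside this hunk.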
@@ -56,12 +53,7 @@
      */
     public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
     {   
-        if (_keyAlias == null)
-        {
-            _keyAlias = _keyManager.chooseServerAlias(keyType, issuers, socket);
-        }
-        
-        return _keyAlias;
+        return _keyAlias == null ?_keyManager.chooseServerAlias(keyType, issuers, socket) : _keyAlias;
     }
 
     /* ------------------------------------------------------------ */
diff --git a/jetty-exssl/src/test/java/org/eclipse/jetty/exssl/CertificateValidationTestBase.java b/jetty-exssl/src/test/java/org/eclipse/jetty/exssl/CertificateValidationTestBase.java
new file mode 100644
index 0000000..4dfa494
--- /dev/null
+++ b/jetty-exssl/src/test/java/org/eclipse/jetty/exssl/CertificateValidationTestBase.java
@@ -0,0 +1,73 @@
+package org.eclipse.jetty.exssl;
+
+import java.io.File;
+import java.security.cert.CertificateException;
+
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.junit.After;
+import org.junit.Test;
+
+public abstract class CertificateValidationTestBase
+{
+    protected Server _server;
+    protected EnhancedSslConnector _connector;
+
+    @After
+    public void tearDown()
+    {
+        try
+        {
+            _server.stop();
+            _connector = null;
+            _server = null;
+        }
+        catch (Exception ex) {}
+    }
+
+    protected void doTest(String keystore) throws Exception
+    {
+        String keypath = MavenTestingUtils.getTestResourceFile(keystore).getAbsolutePath();
+        String trustpath = new File(System.getProperty("java.home"),"./lib/security/cacerts").getAbsolutePath();
+        String crlpath = MavenTestingUtils.getTestResourceFile("crlfile.pem").getAbsolutePath();
+
+        _connector.setPort(0);
+        _connector.setValidateCert(true);
+        _connector.setKeystore(keypath);
+        _connector.setPassword("webtide");
+        _connector.setKeyPassword("webtide");
+        _connector.setTruststore(trustpath);
+        _connector.setTrustPassword("changeit");
+        _connector.setCrlPath(crlpath);
+        
+        _server = new Server();
+        _server.addConnector(_connector);
+        _server.start();
+        
+        Thread.sleep(1000);
+    }
+    
+    @Test
+    public void validCertificateTest() throws Exception
+    {
+        doTest("jetty-valid.keystore"); // certificate is valid until Jan 1, 2050
+    }
+    
+    @Test(expected = CertificateException.class)
+    public void revokedCertificateTest() throws Exception
+    {
+        doTest("jetty-revoked.keystore"); // certificate is valid until Jan 1, 2050
+    }
+
+    @Test(expected = CertificateException.class)
+    public void notvalidCertificateTest() throws Exception
+    {
+        doTest("jetty-notvalid.keystore"); // certificate is valid from Jan 1, 2049
+    }
+
+    @Test(expected = CertificateException.class)
+    public void expiredCertificateTest() throws Exception
+    {
+        doTest("jetty-expired.keystore"); // certificate is valid until Dec 31, 2000
+    }
+}
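Review bot: doTest takes its trust store from `${java.home}/lib/security/cacerts` with the password `changeit`, so all four tests depend on the JRE the build runs on rather than on fixtures in the repository. A runtime with a different layout, password or CA set can change the result. A small trust store committed next to `crlfile.pem` would make the cases reproducible. In tearDown the empty `catch (Exception ex) {}` hides both a null `_server` and any failure to stop; I would guard with `if (_server != null)` and log the exception. The `Thread.sleep(1000)` after `_server.start()` looks unnecessary, since the expected exceptions would surface from start() itself.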
diff --git a/jetty-exssl/src/test/java/org/eclipse/jetty/exssl/SslSelectChannelValidationTest.java b/jetty-exssl/src/test/java/org/eclipse/jetty/exssl/SslSelectChannelValidationTest.java
new file mode 100644
index 0000000..f02c595
--- /dev/null
+++ b/jetty-exssl/src/test/java/org/eclipse/jetty/exssl/SslSelectChannelValidationTest.java
@@ -0,0 +1,13 @@
+package org.eclipse.jetty.exssl;
+
+import org.junit.Before;
+import org.junit.Test;
+
+public class SslSelectChannelValidationTest extends CertificateValidationTestBase
+{
+    @Before
+    public void setUp()
+    {
+        _connector = new EnhancedSslSelectChannelConnector();
+    }
+}
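Review bot: The `import org.junit.Test;` line in this new file is unused, because the class declares only the `@Before` method `setUp` and inherits its test methods; the same unused import appears in SslSocketValidationTest.java in the next hunk. Drop that import in both files. Each class would also benefit from a one-line Javadoc, for example `/** Runs the CertificateValidationTestBase cases against EnhancedSslSelectChannelConnector. */`, so a reader knows the tests live in the base class.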
diff --git a/jetty-exssl/src/test/java/org/eclipse/jetty/exssl/SslSocketValidationTest.java b/jetty-exssl/src/test/java/org/eclipse/jetty/exssl/SslSocketValidationTest.java
new file mode 100644
index 0000000..20b67cd
--- /dev/null
+++ b/jetty-exssl/src/test/java/org/eclipse/jetty/exssl/SslSocketValidationTest.java
@@ -0,0 +1,13 @@
+package org.eclipse.jetty.exssl;
+
+import org.junit.Before;
+import org.junit.Test;
+
+public class SslSocketValidationTest extends CertificateValidationTestBase
+{
+    @Before
+    public void setUp()
+    {
+        _connector = new EnhancedSslSocketConnector();
+    }
+}
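Review bot: Swapping in `EnhancedSslSocketConnector` here exercises only the connector's startup path, because the visible part of `doTest` in CertificateValidationTestBase starts the server and sleeps without any client connecting. As far as this view shows, the four cases therefore check validation of the server's own keystore certificate, and the handshake-time check of a peer certificate against the CRL is not covered for either connector. Consider adding a case that connects a client presenting a revoked certificate and asserts that the handshake is rejected. The base class begins outside this view, so confirm it also has an `@After` that calls `_server.stop()`, since neither subclass adds one.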
diff --git a/jetty-exssl/src/test/resources/crlfile.pem b/jetty-exssl/src/test/resources/crlfile.pem
new file mode 100644
index 0000000..881e0ac
--- /dev/null
+++ b/jetty-exssl/src/test/resources/crlfile.pem
@@ -0,0 +1,13 @@
+-----BEGIN X509 CRL-----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-----END X509 CRL-----
diff --git a/jetty-exssl/src/test/resources/jetty-expired.keystore b/jetty-exssl/src/test/resources/jetty-expired.keystore
new file mode 100644
index 0000000..65c0a8e
--- /dev/null
+++ b/jetty-exssl/src/test/resources/jetty-expired.keystore
Binary files differ
diff --git a/jetty-exssl/src/test/resources/jetty-notvalid.keystore b/jetty-exssl/src/test/resources/jetty-notvalid.keystore
new file mode 100644
index 0000000..04415c2
--- /dev/null
+++ b/jetty-exssl/src/test/resources/jetty-notvalid.keystore
Binary files differ
diff --git a/jetty-exssl/src/test/resources/jetty-revoked.keystore b/jetty-exssl/src/test/resources/jetty-revoked.keystore
new file mode 100644
index 0000000..d88c1df
--- /dev/null
+++ b/jetty-exssl/src/test/resources/jetty-revoked.keystore
Binary files differ
diff --git a/jetty-exssl/src/test/resources/jetty-valid.keystore b/jetty-exssl/src/test/resources/jetty-valid.keystore
new file mode 100644
index 0000000..c653027
--- /dev/null
+++ b/jetty-exssl/src/test/resources/jetty-valid.keystore
Binary files differ