Posted to dev@geronimo.apache.org by "Vamsavardhana Reddy (JIRA)" <de...@geronimo.apache.org> on 2005/10/14 16:54:46 UTC

[jira] Created: (GERONIMO-1071) trust material/truststore for Jetty and Tomcat HTTPS Connectors

trust material/truststore for Jetty and Tomcat HTTPS Connectors
---------------------------------------------------------------

         Key: GERONIMO-1071
         URL: http://issues.apache.org/jira/browse/GERONIMO-1071
     Project: Geronimo
        Type: Bug
  Components: security  
    Versions: 1.0-M5    
 Environment: Win XP, Sun JDK 1.4.2_08
    Reporter: Vamsavardhana Reddy


The following behaviour is noticed regarding trusted certificates in SSLContext when HTTPS Connectors are created.

JETTY:
Jetty HTTPS Connector does not provide a way to specify a trustStore.  The "default trust material"** is used always.  (In fact, Jetty does not provide a way to specify a trustStore while configuring SSL.)  The following is the code in Jetty 5.1.5 source org.mortbay.http.SslListener.java that initializes SSLContext:

     context.init(keyManagerFactory.getKeyManagers(), null, new java.security.SecureRandom());

The null 2nd parameter means "default trust material" is used.

TOMCAT:
Tomcat HTTPS Connector provides a way to specify trustStore using "truststoreFileName" attribute in the GBean configuration.  If this attribute is not present, then "default trust material" is used.

The trusted certificates in the server keystore are not added to trusted certificates for SSL in either case.  (This is the expected behaviour.)

The comment in Geronimo Console in edit HTTPS Connector configuration page under the "Client Auth Required" check box says, "If set, then clients connecting through this connector must supply a valid client certificate. By default, the validity is based on the CA certificates in the server keystore (need to confirm not the JVM default trust keystore)".  This is not valid.

**default trust material = keystore file specified by "javax.net.ssl.trustStore" system property or <java-home>/lib/security/jssecacerts or <java-home>/lib/security/cacerts, whichever is available first in that order.


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
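To make the distinction in the report concrete, the following is an added example (a hypothetical class, not Geronimo, Jetty or Tomcat code) that does two things: it resolves which file the JVM would treat as "default trust material" in the order given in the footnote, and it builds a server SSLContext whose trust managers come from an explicit truststore instead of the null that the Jetty 5.1.5 listener passes. It also lists the trusted-certificate entries of each store so an operator can see which CA certificates actually govern client-certificate validation. File paths and passwords are placeholders, and the generics require Java 5 or later.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (hypothetical class, not part of Geronimo/Jetty/Tomcat):
 * build a server SSLContext whose trust managers come from an explicit
 * truststore instead of the null that makes JSSE fall back to its defaults.
 */
public final class ExplicitTrustContext {

    /** The file JSSE uses as "default trust material", in the order the issue footnote gives. */
    static File resolveDefaultTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return new File(prop);
        }
        File securityDir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jssecacerts = new File(securityDir, "jssecacerts");
        return jssecacerts.isFile() ? jssecacerts : new File(securityDir, "cacerts");
    }

    /** Load a keystore of the platform default type (JKS on Sun JDKs of that era). */
    static KeyStore load(File file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(file);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Aliases of trusted-certificate entries (the CA certs) in a store. */
    static List<String> trustedAliases(KeyStore ks) throws Exception {
        List<String> aliases = new ArrayList<String>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                aliases.add(alias);
            }
        }
        return aliases;
    }

    static SSLContext build(File keyStoreFile, char[] storePassword, char[] keyPassword,
                            File trustStoreFile, char[] trustStorePassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStoreFile, storePassword), keyPassword);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStoreFile, trustStorePassword));

        SSLContext ctx = SSLContext.getInstance("TLS");
        // The Jetty 5.1.5 listener passes null as the second argument; passing
        // tmf.getTrustManagers() is what makes client certificates validate against
        // trustStoreFile rather than against the JVM default trust material.
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and password; replace with the real ones for the connector.
        File keyStoreFile = new File("/path/to/server-keystore");
        File trustStoreFile = new File("/path/to/server-truststore");
        char[] password = "changeit".toCharArray();

        System.out.println("JVM default trust material would be: " + resolveDefaultTrustStore());
        System.out.println("CA certs in server keystore (not consulted for client auth): "
                + trustedAliases(load(keyStoreFile, password)));
        System.out.println("CA certs in explicit truststore (consulted for client auth): "
                + trustedAliases(load(trustStoreFile, password)));

        SSLContext ctx = build(keyStoreFile, password, password, trustStoreFile, password);
        System.out.println("SSLContext protocol: " + ctx.getProtocol());
    }
}
```

The point of the two listings is the one the report makes: CA certificates placed in the server keystore are ignored unless that same file is also handed to the TrustManagerFactory, so a deployment that relies on the keystore's trusted entries for client authentication is in practice trusting whatever resolveDefaultTrustStore() returns.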


[jira] Updated: (GERONIMO-1071) trust material/truststore for Jetty and Tomcat HTTPS Connectors

Posted by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-1071?page=all ]

Aaron Mulder updated GERONIMO-1071:
-----------------------------------

    Fix Version: 1.1
                     (was: 1.0)
      Assign To: Aaron Mulder

Console descriptive text updated in revision 354734

> trust material/truststore for Jetty and Tomcat HTTPS Connectors
> ---------------------------------------------------------------
>
>          Key: GERONIMO-1071
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1071
>      Project: Geronimo
>         Type: Bug
>   Components: security, console
>     Versions: 1.0-M5
>  Environment: Win XP, Sun JDK 1.4.2_08
>     Reporter: Vamsavardhana Reddy
>     Assignee: Aaron Mulder
>      Fix For: 1.1



[jira] Resolved: (GERONIMO-1071) trust material/truststore for Jetty and Tomcat HTTPS Connectors

Posted by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-1071?page=all ]
     
Aaron Mulder resolved GERONIMO-1071:
------------------------------------

    Fix Version: 1.1
                     (was: 1.2)
     Resolution: Fixed

We've now overridden Jetty so we control the SSL settings, and we apply both a keystore and trust store.

> trust material/truststore for Jetty and Tomcat HTTPS Connectors
> ---------------------------------------------------------------
>
>          Key: GERONIMO-1071
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1071
>      Project: Geronimo
>         Type: Bug
>     Security: public(Regular issues) 
>   Components: security, console
>     Versions: 1.0-M5
>  Environment: Win XP, Sun JDK 1.4.2_08
>     Reporter: Vamsavardhana Reddy
>     Assignee: Aaron Mulder
>      Fix For: 1.1



[jira] Updated: (GERONIMO-1071) trust material/truststore for Jetty and Tomcat HTTPS Connectors

Posted by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-1071?page=all ]

Aaron Mulder updated GERONIMO-1071:
-----------------------------------

      Component: console
    Fix Version: 1.0

Should fix the console notes for 1.0, then bump this back as far as trying to get more features into Jetty, etc.

> trust material/truststore for Jetty and Tomcat HTTPS Connectors
> ---------------------------------------------------------------
>
>          Key: GERONIMO-1071
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1071
>      Project: Geronimo
>         Type: Bug
>   Components: security, console
>     Versions: 1.0-M5
>  Environment: Win XP, Sun JDK 1.4.2_08
>     Reporter: Vamsavardhana Reddy
>      Fix For: 1.0
