Posted to notifications@james.apache.org by GitBox <gi...@apache.org> on 2021/08/28 05:49:54 UTC

[GitHub] [james-project] chibenwa opened a new pull request #625: JAMES-3638 Allow use PKCS12 keystore for SSL

chibenwa opened a new pull request #625:
URL: https://github.com/apache/james-project/pull/625


   In this thread we discuss enhancements to the IMAP/POP3/SMTP cryptography: https://www.mail-archive.com/server-dev@james.apache.org/msg70772.html
   
   The need of having alternatives to the JKS keystore format was expressed and support for PKCS12 format requested.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@james.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@james.apache.org
For additional commands, e-mail: notifications-help@james.apache.org


[GitHub] [james-project] Arsnael commented on pull request #625: JAMES-3638 Allow use PKCS12 keystore for SSL

Posted by GitBox <gi...@apache.org>.
Arsnael commented on pull request #625:
URL: https://github.com/apache/james-project/pull/625#issuecomment-907991369


   > If people want to use that, it is their problem?
   
   Exactly my first point? Even if we don't want to use it personally, maybe others want to, so it should still be documented somewhere? Somebody using JKS when reading could wrongly think as well we removed it... It's confusing?




[GitHub] [james-project] chibenwa commented on pull request #625: JAMES-3638 Allow use PKCS12 keystore for SSL

Posted by GitBox <gi...@apache.org>.
chibenwa commented on pull request #625:
URL: https://github.com/apache/james-project/pull/625#issuecomment-907978858


    -> The default code still enforces `JKS` NOT to cause breaking changes. People that upgrade James will NOT have to do anything, right?
    
    -> The default configuration uses PKCS12 which is the industry standard. New users will use PKCS12 by default and this is what we want, right?




[GitHub] [james-project] vttranlina commented on pull request #625: JAMES-3638 Allow use PKCS12 keystore for SSL

Posted by GitBox <gi...@apache.org>.
vttranlina commented on pull request #625:
URL: https://github.com/apache/james-project/pull/625#issuecomment-908198339


   Can we use the old keystore file `file://conf/keystore` for `PKCS12`?




[GitHub] [james-project] Arsnael commented on pull request #625: JAMES-3638 Allow use PKCS12 keystore for SSL

Posted by GitBox <gi...@apache.org>.
Arsnael commented on pull request #625:
URL: https://github.com/apache/james-project/pull/625#issuecomment-907973088


   I find that weird... You change JKS to PKCS12 in all docs, while you can allow basically both and the default in the code seems still to be JKS.
   
   I would at least put the command for both in the doc, showing both possibilities, while also saying maybe we recommend PKCS12 usage over JKS?




[GitHub] [james-project] Arsnael commented on pull request #625: JAMES-3638 Allow use PKCS12 keystore for SSL

Posted by GitBox <gi...@apache.org>.
Arsnael commented on pull request #625:
URL: https://github.com/apache/james-project/pull/625#issuecomment-907984476


   This is what we want, yes. But the other way is still possible. Or say it's deprecated?




[GitHub] [james-project] chibenwa commented on pull request #625: JAMES-3638 Allow use PKCS12 keystore for SSL

Posted by GitBox <gi...@apache.org>.
chibenwa commented on pull request #625:
URL: https://github.com/apache/james-project/pull/625#issuecomment-913298259


   Force pushed to solve a conflict.




[GitHub] [james-project] Arsnael commented on pull request #625: JAMES-3638 Allow use PKCS12 keystore for SSL

Posted by GitBox <gi...@apache.org>.
Arsnael commented on pull request #625:
URL: https://github.com/apache/james-project/pull/625#issuecomment-908077545


   Last fixup answers my concerns, was just if we have an option it should be documented, even if we don't really want to use it. Maybe someone else needs it for X or Y reason :) Thanks




[GitHub] [james-project] Arsnael edited a comment on pull request #625: JAMES-3638 Allow use PKCS12 keystore for SSL

Posted by GitBox <gi...@apache.org>.
Arsnael edited a comment on pull request #625:
URL: https://github.com/apache/james-project/pull/625#issuecomment-907991369


   > If people want to use that, it is their problem?
   
   Exactly my first point? Even if we don't want to use it personally, maybe others want to, so it should still be documented somewhere? Somebody using JKS when reading this could wrongly think as well we removed it... It's confusing?




[GitHub] [james-project] chibenwa commented on pull request #625: JAMES-3638 Allow use PKCS12 keystore for SSL

Posted by GitBox <gi...@apache.org>.
chibenwa commented on pull request #625:
URL: https://github.com/apache/james-project/pull/625#issuecomment-907986572


   > Or say it's deprecated?
   
   What for?
   
   If people want to use that, it is their problem?




[GitHub] [james-project] chibenwa commented on pull request #625: JAMES-3638 Allow use PKCS12 keystore for SSL

Posted by GitBox <gi...@apache.org>.
chibenwa commented on pull request #625:
URL: https://github.com/apache/james-project/pull/625#issuecomment-907986311


   We could change so that when missing the code infers PKCS12 instead of JKS yes.
   
   However,
   
    - GIVEN that `JKS` use does not have security implications
    - And given that avoiding breaking changes is always nice

   I strongly lean on the side of keeping JKS as a default when none is specified and specify PKCS12 in the default configuration so that we have the best of both worlds!




[GitHub] [james-project] chibenwa commented on pull request #625: JAMES-3638 Allow use PKCS12 keystore for SSL

Posted by GitBox <gi...@apache.org>.
chibenwa commented on pull request #625:
URL: https://github.com/apache/james-project/pull/625#issuecomment-908011485


   > Exactly my first point? Even if we don't want to use it personally, maybe others want to, so it should still be documented
   > somewhere? Somebody using JKS when reading this could wrongly think as well we removed it... It's confusing?
   
   Two cases:
   
    - `1.` People that upgrade don't need to change anything, it's completely transparent to them.
   
    - `2.` New people arriving in James will see what their crypto options are. The default configuration strongly encourages them to use PKCS12 so I bet 99% will use that without further thinking, even more as it is favored nowadays. Now if they *really* want to be using JKS they will notice the keystore type specified there and will supply the `JKS` value there.
    
   Now, is what you wish: making the `JKS` value more discoverable, for instance by explicitly documenting the setup of a JKS keystore for `2.`?
   
   




[GitHub] [james-project] chibenwa commented on pull request #625: JAMES-3638 Allow use PKCS12 keystore for SSL

Posted by GitBox <gi...@apache.org>.
chibenwa commented on pull request #625:
URL: https://github.com/apache/james-project/pull/625#issuecomment-908238962


   > Can we use the old keystore file file://conf/keystore for PKCS12?
   
   Likely not...
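
As an added example (not code from the PR, from James, or from any participant in this thread): a check of which format a keystore file actually is on disk, by its leading bytes, compared with the configured keystore type. The function names and sample headers are constructed for illustration, and the fallback to `JKS` when no type is configured is an assumption taken from what the thread describes.

```python
import struct

JKS_MAGIC = 0xFEEDFEED    # first four bytes of a JKS file
JCEKS_MAGIC = 0xCECECECE  # first four bytes of a JCEKS file


def looks_like_pkcs12(data: bytes) -> bool:
    """PKCS#12 is ASN.1: an outer SEQUENCE whose first field is INTEGER 3."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    length_byte = data[1]
    # Short form and indefinite form (0x80) use one length byte;
    # long form (0x81..0x84) is followed by that many length bytes.
    offset = 2 + (length_byte & 0x7F) if length_byte > 0x80 else 2
    return data[offset:offset + 3] == b"\x02\x01\x03"


def sniff_keystore_type(data: bytes) -> str:
    """Guess the on-disk keystore format from its leading bytes."""
    if len(data) >= 4:
        magic = struct.unpack(">I", data[:4])[0]
        if magic == JKS_MAGIC:
            return "JKS"
        if magic == JCEKS_MAGIC:
            return "JCEKS"
    return "PKCS12" if looks_like_pkcs12(data) else "UNKNOWN"


def check_keystore(configured_type, data: bytes):
    """Return (effective_type, detected_type, match).

    configured_type=None models a configuration with no keystore type,
    which per the thread falls back to JKS (assumption taken from the page).
    """
    effective = (configured_type or "JKS").upper()
    detected = sniff_keystore_type(data)
    return effective, detected, effective == detected


# Constructed sample headers, not real keystores.
SAMPLE_JKS = struct.pack(">III", JKS_MAGIC, 2, 0)      # magic, version, entries
SAMPLE_PKCS12 = bytes.fromhex("3082098a020103308209")  # SEQUENCE, INTEGER 3, ...

if __name__ == "__main__":
    for name, cfg, blob in [("legacy file, no type set", None, SAMPLE_JKS),
                            ("p12 file, no type set", None, SAMPLE_PKCS12),
                            ("p12 file, type=PKCS12", "PKCS12", SAMPLE_PKCS12)]:
        print(name, check_keystore(cfg, blob))
```

A `False` in the third position marks a file whose detected format differs from the effective configured type and is worth reviewing before deployment.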




[GitHub] [james-project] chibenwa merged pull request #625: JAMES-3638 Allow use PKCS12 keystore for SSL

Posted by GitBox <gi...@apache.org>.
chibenwa merged pull request #625:
URL: https://github.com/apache/james-project/pull/625


   




[GitHub] [james-project] Arsnael edited a comment on pull request #625: JAMES-3638 Allow use PKCS12 keystore for SSL

Posted by GitBox <gi...@apache.org>.
Arsnael edited a comment on pull request #625:
URL: https://github.com/apache/james-project/pull/625#issuecomment-908077545


   Last fixup answered my concerns, was just if we have an option it should be documented, even if we don't really want to use it. Maybe someone else needs it for X or Y reason :) Thanks

