Posted to dev@geronimo.apache.org by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org> on 2005/12/05 15:06:08 UTC

[jira] Updated: (GERONIMO-1071) trust material/truststore for Jetty and Tomcat HTTPS Connectors

     [ http://issues.apache.org/jira/browse/GERONIMO-1071?page=all ]

Aaron Mulder updated GERONIMO-1071:
-----------------------------------

      Component: console
    Fix Version: 1.0

Should fix the console notes for 1.0, then bump this back as far as trying to get more features into Jetty, etc.

> trust material/truststore for Jetty and Tomcat HTTPS Connectors
> ---------------------------------------------------------------
>
>          Key: GERONIMO-1071
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1071
>      Project: Geronimo
>         Type: Bug
>   Components: security, console
>     Versions: 1.0-M5
>  Environment: Win XP, Sun JDK 1.4.2_08
>     Reporter: Vamsavardhana Reddy
>      Fix For: 1.0

>
> The following behaviour is noticed regarding trusted certificates in SSLContext when HTTPS Connectors are created.
> JETTY:
> Jetty HTTPS Connector does not provide a way to specify a trustStore.  The "default trust material"** is used always.  (In fact, Jetty does not provide a way to specify a trustStore while configuring SSL.)  The following is the code in the Jetty 5.1.5 source org.mortbay.http.SslListener.java that initializes SSLContext.
>      context.init(keyManagerFactory.getKeyManagers(), null, new java.security.SecureRandom());
> The null 2nd parameter means "default trust material" is used.
> TOMCAT:
> Tomcat HTTPS Connector provides a way to specify trustStore using "truststoreFileName" attribute in the GBean configuration.  If this attribute is not present, then "default trust material" is used.
> The trusted certificates in the server keystore are not added to trusted certificates for SSL in either case.  (This is the expected behaviour). 
> The comment in Geronimo Console in edit HTTPS Connector configuration page under the "Client Auth Required" check box says, "If set, then clients connecting through this connector must supply a valid client certificate. By default, the validity is based on the CA certificates in the server keystore (need to confirm not the JVM default trust keystore)".  This is not valid.
> **default trust material = keystore file specified by "javax.net.ssl.trustStore" system property or <java-home>/lib/security/jssecacerts or <java-home>/lib/security/cacerts, whichever is available first in that order.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
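The report above turns on one JSSE detail: the second argument to SSLContext.init() decides which certificates a client-auth connector will accept, and null means the JSSE default trust material, not the trusted entries in the server keystore. The following is an added example, not code from Geronimo, Jetty or Tomcat, that builds the context the Jetty way (null trust managers), the Tomcat way (an explicit truststore) and the way the console comment describes (trust managers built from the server keystore itself), and lists the issuers each trust source would accept so the difference can be checked directly. It assumes a current JDK; the file names server.jks and trust.jks and the password changeit are hypothetical placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustMaterialCheck {

    /** Load a JKS keystore from disk (hypothetical path and password supplied by the caller). */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static KeyManagerFactory keyManagers(KeyStore serverKeyStore, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(serverKeyStore, keyPassword);
        return kmf;
    }

    /** Jetty 5.1.5 style: key material only; null trust managers mean the JSSE default trust material. */
    static SSLContext jettyStyle(KeyStore serverKeyStore, char[] keyPassword) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers(serverKeyStore, keyPassword).getKeyManagers(), null, new SecureRandom());
        return ctx;
    }

    /**
     * Explicit trust source, as with Tomcat's truststoreFileName. Passing the server keystore
     * itself here is what the console comment describes; nothing in the report does that.
     */
    static SSLContext withTrustStore(KeyStore serverKeyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers(serverKeyStore, keyPassword).getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    /** The lookup order for the "default trust material" given in the report, resolved for this JVM. */
    static String defaultTrustStoreLocation() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return prop + " (from javax.net.ssl.trustStore)";
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        return Files.exists(jssecacerts) ? jssecacerts.toString() : security.resolve("cacerts").toString();
    }

    /**
     * Issuers a trust manager built from the given keystore accepts. A null keystore asks
     * TrustManagerFactory for the JSSE default trust material, i.e. what a null second
     * argument to SSLContext.init() ends up using.
     */
    static List<String> acceptedIssuers(KeyStore trustSource) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustSource);
        List<String> subjects = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate cert : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    subjects.add(cert.getSubjectX500Principal().getName());
                }
            }
        }
        return subjects;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();                 // hypothetical
        KeyStore serverKs = loadKeyStore("server.jks", password);   // hypothetical file
        KeyStore trustKs = loadKeyStore("trust.jks", password);     // hypothetical file

        System.out.println("JSSE default trust material: " + defaultTrustStoreLocation());
        System.out.println("Issuers accepted with null trust managers (Jetty): " + acceptedIssuers(null));
        System.out.println("Issuers accepted with explicit truststore (Tomcat): " + acceptedIssuers(trustKs));
        System.out.println("Issuers the console comment implies (server keystore): " + acceptedIssuers(serverKs));

        SSLContext jetty = jettyStyle(serverKs, password);
        SSLContext tomcat = withTrustStore(serverKs, password, trustKs);
        System.out.println("Contexts built: " + jetty.getProtocol() + ", " + tomcat.getProtocol());
    }
}
```

Running this against the keystores a connector is configured with shows which CA subjects a client certificate must chain to in each case; if the "null trust managers" list matches the contents of cacerts rather than the trusted entries in the server keystore, the behaviour the report describes is confirmed for that JVM.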