Posted to dev@geronimo.apache.org by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org> on 2005/12/05 15:06:08 UTC
[jira] Updated: (GERONIMO-1071) trust material/truststore for Jetty and Tomcat HTTPS Connectors
[ http://issues.apache.org/jira/browse/GERONIMO-1071?page=all ]
Aaron Mulder updated GERONIMO-1071:
-----------------------------------
Component: console
Fix Version: 1.0
Should fix the console notes for 1.0, then bump this back as far as trying to get more features into Jetty, etc.
> trust material/truststore for Jetty and Tomcat HTTPS Connectors
> ---------------------------------------------------------------
>
> Key: GERONIMO-1071
> URL: http://issues.apache.org/jira/browse/GERONIMO-1071
> Project: Geronimo
> Type: Bug
> Components: security, console
> Versions: 1.0-M5
> Environment: Win XP, Sun JDK 1.4.2_08
> Reporter: Vamsavardhana Reddy
> Fix For: 1.0
>
> The following behaviour is noticed regarding trusted certificates in SSLContext when HTTPS Connectors are created.
> JETTY:
> Jetty HTTPS Connector does not provide a way to specify a trustStore. The "default trust material"** is used always. (In fact, Jetty does not provide a way to specify a trustStore while configuring SSL.) The following is the code in Jetty 5.1.5 source org.mortbay.http.SslListener.java that initializes SSLContext:
> context.init(keyManagerFactory.getKeyManagers(), null, new java.security.SecureRandom());
> The null 2nd parameter means "default trust material" is used.
> TOMCAT:
> Tomcat HTTPS Connector provides a way to specify trustStore using "truststoreFileName" attribute in the GBean configuration. If this attribute is not present, then "default trust material" is used.
> The trusted certificates in the server keystore are not added to trusted certificates for SSL in either case. (This is the expected behaviour).
> The comment in Geronimo Console in edit HTTPS Connector configuration page under the "Client Auth Required" check box says, "If set, then clients connecting through this connector must supply a valid client certificate. By default, the validity is based on the CA certificates in the server keystore (need to confirm not the JVM default trust keystore)". This is not valid.
> **default trust material = keystore file specified by "javax.net.ssl.trustStore" system property or <java-home>/lib/security/jssecacerts or <java-home>/lib/security/cacerts, whichever is available first in that order.
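As an added illustration (not code from the issue, Jetty or Tomcat), the two SSLContext initialisations the report contrasts, written in Java: the null trust-manager argument that makes JSSE fall back to the default trust material, beside an explicit truststore loaded through TrustManagerFactory so that client-certificate validation is pinned to a chosen CA set. The file paths, passwords and the class name are assumed placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustMaterialExample {

    // Same shape as the Jetty 5.1.5 SslListener call quoted in the issue: the null
    // second argument means JSSE uses the "default trust material" (javax.net.ssl.trustStore,
    // then <java-home>/lib/security/jssecacerts, then cacerts), not the server keystore.
    static SSLContext initWithDefaultTrust(KeyStore serverKeyStore, char[] keyPassword)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(serverKeyStore, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, new SecureRandom());
        return ctx;
    }

    // Explicit variant: load a dedicated truststore (what Tomcat's "truststoreFileName"
    // attribute points at) and pass its TrustManagers to init(). Client certificates are
    // then checked only against the CA certificates in that file.
    static SSLContext initWithExplicitTrust(KeyStore serverKeyStore, char[] keyPassword,
                                            String trustStorePath, char[] trustStorePassword)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(serverKeyStore, keyPassword);

        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(trustStorePath);
        try {
            trust.load(in, trustStorePassword);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }
}
```

To confirm which CAs a connector actually trusts, list the aliases of the KeyStore handed to TrustManagerFactory.init rather than those of the server keystore; the two are unrelated unless the same file is used for both.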
--
This message is automatically generated by JIRA.