geronimo-dev mailing list archives

From "Vamsavardhana Reddy (JIRA)" <...@geronimo.apache.org>
Subject [jira] Created: (GERONIMO-1071) trust material/truststore for Jetty and Tomcat HTTPS Connectors
Date Fri, 14 Oct 2005 14:54:46 GMT
trust material/truststore for Jetty and Tomcat HTTPS Connectors
---------------------------------------------------------------

         Key: GERONIMO-1071
         URL: http://issues.apache.org/jira/browse/GERONIMO-1071
     Project: Geronimo
        Type: Bug
  Components: security  
    Versions: 1.0-M5    
 Environment: Win XP, Sun JDK 1.4.2_08
    Reporter: Vamsavardhana Reddy


The following behaviour is noticed regarding trusted certificates in SSLContext when HTTPS
Connectors are created.

JETTY:
Jetty HTTPS Connector does not provide a way to specify a trustStore.  The "default trust
material"** is always used.  (In fact, Jetty does not provide a way to specify a trustStore
while configuring SSL.)  The following is the code in the Jetty 5.1.5 source org.mortbay.http.SslListener.java
that initializes SSLContext.

     context.init(keyManagerFactory.getKeyManagers(), null, new java.security.SecureRandom());

The null 2nd parameter means "default trust material" is used.

TOMCAT:
Tomcat HTTPS Connector provides a way to specify trustStore using "truststoreFileName" attribute
in the GBean configuration.  If this attribute is not present, then "default trust material"
is used.

The trusted certificates in the server keystore are not added to trusted certificates for
SSL in either case.  (This is the expected behaviour). 

The comment in Geronimo Console in edit HTTPS Connector configuration page under the "Client
Auth Required" check box says, "If set, then clients connecting through this connector must
supply a valid client certificate. By default, the validity is based on the CA certificates
in the server keystore (need to confirm not the JVM default trust keystore)".  This is not
valid.

**default trust material = keystore file specified by "javax.net.ssl.trustStore" system property
or <java-home>/lib/security/jssecacerts or <java-home>/lib/security/cacerts, whichever
is available first in that order.


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
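The following is an added example, not code from Geronimo, Jetty or Tomcat, illustrating what the second argument of SSLContext.init() controls. It resolves the "default trust material" in the order the report describes (javax.net.ssl.trustStore, then jssecacerts, then cacerts), builds an SSLContext the Jetty way (null trust managers) and the explicit way (a TrustManagerFactory initialised from a chosen trust store, which is what Tomcat's truststoreFileName attribute amounts to), and counts the CA certificates each trust manager will accept. The class name TrustMaterialDemo, the use of KeyStore.getDefaultType() for the store format and the optional password argument are assumptions of this example; the empty trust store at the end is constructed in memory.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not Geronimo, Jetty or Tomcat code): shows what the second
 * argument of SSLContext.init() controls and how to supply an explicit trust
 * store instead of relying on the JVM default trust material.
 */
public class TrustMaterialDemo {

    /** Resolve the "default trust material" in the order the issue describes. */
    static File defaultTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return new File(prop);
        }
        File secDir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jssecacerts = new File(secDir, "jssecacerts");
        return jssecacerts.exists() ? jssecacerts : new File(secDir, "cacerts");
    }

    /** Load a trust store from disk; a null password skips the integrity check (assumption: default store type). */
    static KeyStore loadTrustStore(File file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Build TrustManagers from a specific trust store, which Jetty 5.1.5's SslListener never does. */
    static TrustManager[] trustManagersFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    /** Count the CA certificates a set of TrustManagers will actually accept as issuers. */
    static int acceptedIssuerCount(TrustManager[] tms) {
        int n = 0;
        for (TrustManager tm : tms) {
            if (tm instanceof X509TrustManager) {
                n += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        KeyManager[] kms = null; // server key material omitted: it plays no part in trust decisions

        // 1. The Jetty 5.1.5 pattern: null trust managers means the JVM default trust material.
        SSLContext implicit = SSLContext.getInstance("TLS");
        implicit.init(kms, null, new SecureRandom());
        System.out.println("Default trust material resolves to: " + defaultTrustStore());

        // 2. Explicit trust store, the equivalent of Tomcat's truststoreFileName attribute.
        //    With no arguments this loads the same file JSSE would pick; pass your own
        //    trust store (and password) to restrict which client CAs are accepted.
        File tsFile = args.length > 0 ? new File(args[0]) : defaultTrustStore();
        char[] tsPass = args.length > 1 ? args[1].toCharArray() : null;
        TrustManager[] explicitTms = trustManagersFor(loadTrustStore(tsFile, tsPass));
        SSLContext explicit = SSLContext.getInstance("TLS");
        explicit.init(kms, explicitTms, new SecureRandom());
        System.out.println(tsFile + " contains " + acceptedIssuerCount(explicitTms) + " trusted CA certificates");

        // 3. Constructed empty trust store: such a server rejects every client certificate,
        //    the safe starting point when "Client Auth Required" is meant to be enforced
        //    against a known set of CAs rather than everything in cacerts.
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        System.out.println("Empty trust store accepts " + acceptedIssuerCount(trustManagersFor(empty)) + " issuers");
    }
}
```

Run it with no arguments to see how many CAs a connector inherits from the JVM default trust material, then with a path to a purpose-built trust store to see the difference. The practical caveat for the console text quoted in the report: the trusted certificates in the server keystore never enter the trust decision unless that keystore is also handed to a TrustManagerFactory as in step 2, so "Client Auth Required" with no trust store configured validates client certificates against the JVM's cacerts, not against the server keystore.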

