geronimo-dev mailing list archives

From "Aaron Mulder (JIRA)" <...@geronimo.apache.org>
Subject [jira] Updated: (GERONIMO-1071) trust material/truststore for Jetty and Tomcat HTTPS Connectors
Date Wed, 07 Dec 2005 06:22:08 GMT
     [ http://issues.apache.org/jira/browse/GERONIMO-1071?page=all ]

Aaron Mulder updated GERONIMO-1071:
-----------------------------------

    Fix Version: 1.1
                     (was: 1.0)
      Assign To: Aaron Mulder

Console descriptive text updated in revision 354734

> trust material/truststore for Jetty and Tomcat HTTPS Connectors
> ---------------------------------------------------------------
>
>          Key: GERONIMO-1071
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1071
>      Project: Geronimo
>         Type: Bug
>   Components: security, console
>     Versions: 1.0-M5
>  Environment: Win XP, Sun JDK 1.4.2_08
>     Reporter: Vamsavardhana Reddy
>     Assignee: Aaron Mulder
>      Fix For: 1.1

>
> The following behaviour is noticed regarding trusted certificates in SSLContext when
> HTTPS Connectors are created.
> JETTY:
> Jetty HTTPS Connector does not provide a way to specify a trustStore.  The "default trust
> material"** is used always.  (In fact, Jetty does not provide a way to specify a trustStore
> while configuring SSL.)  The following is the code in Jetty 5.1.5 source org.mortbay.http.SslListener.java
> that initializes SSLContext.
>      context.init(keyManagerFactory.getKeyManagers(), null, new java.security.SecureRandom());
> The null 2nd parameter means "default trust material" is used.
> TOMCAT:
> Tomcat HTTPS Connector provides a way to specify trustStore using "truststoreFileName"
> attribute in the GBean configuration.  If this attribute is not present, then "default trust
> material" is used.
> The trusted certificates in the server keystore are not added to trusted certificates
> for SSL in either case.  (This is the expected behaviour.)
> The comment in Geronimo Console in edit HTTPS Connector configuration page under the
> "Client Auth Required" check box says, "If set, then clients connecting through this connector
> must supply a valid client certificate. By default, the validity is based on the CA certificates
> in the server keystore (need to confirm not the JVM default trust keystore)".  This is not
> valid.
> **default trust material = keystore file specified by "javax.net.ssl.trustStore" system
> property or <java-home>/lib/security/jssecacerts or <java-home>/lib/security/cacerts,
> whichever is available first in that order.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
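The distinction the report draws, shown as an added example that is not part of the issue, of Jetty, or of Geronimo: the null second argument to SSLContext.init() selects the JSSE default trust material, while an explicit truststore must be loaded into a KeyStore and turned into TrustManagers first. The class name TrustStoreCheck and the file/password command-line arguments are assumptions; the lookup order in defaultTrustStoreFile() follows the footnote in the report.

```java
import java.io.*;
import java.security.*;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class TrustStoreCheck {
    // Same lookup order the report gives for "default trust material".
    static File defaultTrustStoreFile() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return new File(prop);
        File sec = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jsse = new File(sec, "jssecacerts");
        return jsse.exists() ? jsse : new File(sec, "cacerts");
    }

    // Builds trust managers from an explicit truststore; a null file means the JSSE
    // default, which is what the null argument in SslListener's context.init() selects.
    static TrustManager[] trustManagers(File trustStore, char[] password) throws Exception {
        KeyStore ks = null;
        if (trustStore != null) {
            ks = KeyStore.getInstance(KeyStore.getDefaultType());
            InputStream in = new FileInputStream(trustStore);
            try { ks.load(in, password); } finally { in.close(); }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);   // init((KeyStore) null) loads the default trust material
        return tmf.getTrustManagers();
    }
    // Lists the CA subjects the trust managers accept, so an operator can confirm which
    // client certificates a "Client Auth Required" connector would really honour.
    static void printAcceptedIssuers(TrustManager[] tms) {
        for (int i = 0; i < tms.length; i++) {
            if (!(tms[i] instanceof X509TrustManager)) continue;
            X509Certificate[] cas = ((X509TrustManager) tms[i]).getAcceptedIssuers();
            for (int j = 0; j < cas.length; j++) System.out.println("  " + cas[j].getSubjectDN());
        }
    }

    // Usage: java TrustStoreCheck [truststore-file password]; with no args, inspect the default.
    public static void main(String[] args) throws Exception {
        File store = args.length == 2 ? new File(args[0]) : null;
        char[] pw = args.length == 2 ? args[1].toCharArray() : null;
        if (store == null) System.out.println("Default trust material: " + defaultTrustStoreFile());
        TrustManager[] tms = trustManagers(store, pw);
        printAcceptedIssuers(tms);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, new SecureRandom());   // explicit trust managers instead of null
    }
}
```

Running it with no arguments lists what the default trust material actually contains; running it against the server keystore shows that its CA entries are a separate set, which is the gap the console text misdescribes.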

