geronimo-dev mailing list archives

From "Aaron Mulder (JIRA)" <>
Subject [jira] Resolved: (GERONIMO-1071) trust material/truststore for Jetty and Tomcat HTTPS Connectors
Date Wed, 26 Apr 2006 19:52:04 GMT
Aaron Mulder resolved GERONIMO-1071:

    Fix Version: 1.1
                     (was: 1.2)
     Resolution: Fixed

We've now overridden Jetty so we control the SSL settings, and we apply both a keystore and
trust store.

> trust material/truststore for Jetty and Tomcat HTTPS Connectors
> ---------------------------------------------------------------
>          Key: GERONIMO-1071
>          URL:
>      Project: Geronimo
>         Type: Bug
>     Security: public(Regular issues) 
>   Components: security, console
>     Versions: 1.0-M5
>  Environment: Win XP, Sun JDK 1.4.2_08
>     Reporter: Vamsavardhana Reddy
>     Assignee: Aaron Mulder
>      Fix For: 1.1

> The following behaviour is noticed regarding trusted certificates in SSLContext when
> HTTPS Connectors are created.
> Jetty HTTPS Connector does not provide a way to specify a trustStore.  The "default trust
> material"** is used always.  (In fact, Jetty does not provide a way to specify a trustStore
> while configuring SSL.  The following is the code in Jetty5.1.5 source
> that initializes SSLContext.
>      context.init(keyManagerFactory.getKeyManagers(), null, new;
> The null 2nd parameter means "default trust material" is used.
> Tomcat HTTPS Connector provides a way to specify trustStore using "truststoreFileName"
> attribute in the GBean configuration.  If this attribute is not present, then "default trust
> material" is used.
> The trusted certificates in the server keystore are not added to trusted certificates
> for SSL in either case.  (This is the expected behaviour).
> The comment in Geronimo Console in edit HTTPS Connector configuration page under the
> "Client Auth Required" check box says, "If set, then clients connecting through this connector
> must supply a valid client certificate. By default, the validity is based on the CA certificates
> in the server keystore (need to confirm not the JVM default trust keystore)".  This is not
> **default trust material = keystore file specified by "" system
> property or <java-home>/lib/security/jssecacerts or <java-home>/lib/security/cacerts,
> whichever is available first in that order.
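An added example, not Geronimo's or Jetty's own code, of what the fix amounts to in plain JSSE: client-certificate trust comes from an explicitly loaded trust store whose TrustManagers are passed as the second argument of SSLContext.init, where Jetty 5.1.5 passed null. resolveDefaultTrustStore mirrors the lookup order in the footnote so an operator can see which file the null fallback would have used. The class and method names are my own; the key store and trust store paths and passwords are supplied by the caller.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class; not part of Geronimo or Jetty.
public class ExplicitTrustStore {

    // Mirrors the "default trust material" lookup from the issue footnote:
    // the javax.net.ssl.trustStore system property, then jssecacerts, then
    // cacerts under <java-home>/lib/security. Returns null if none is found.
    static Path resolveDefaultTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return Paths.get(prop);
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        for (String name : new String[] {"jssecacerts", "cacerts"}) {
            Path candidate = security.resolve(name);
            if (Files.isRegularFile(candidate)) return candidate;
        }
        return null;
    }

    static KeyStore loadKeyStore(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Builds a server SSLContext whose client-certificate trust decisions come
    // from the given trust store file rather than the JVM default material.
    static SSLContext buildServerContext(Path keyStore, char[] keyPass,
                                         Path trustStore, char[] trustPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore(keyStore, keyPass), keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore(trustStore, trustPass));
        TrustManager[] trust = tmf.getTrustManagers();
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Passing null instead of `trust` here is what made Jetty fall back to the default material.
        ctx.init(kmf.getKeyManagers(), trust, new SecureRandom());
        return ctx;
    }
}
```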
