tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Loai Abdallatif <loai.abdalla...@gmail.com>
Subject Re: SSL on Tomcat
Date Tue, 02 Oct 2018 07:06:46 GMT
Thanks Chris, Luis

On Tue, Oct 2, 2018 at 10:00 AM Luis Rodríguez Fernández <uo67113@gmail.com>
wrote:

> Hello Christopher,
>
> It makes sense, thank you very much for your advice!
>
> Cheers,
>
> Luis
>
> El lun., 1 oct. 2018 a las 20:39, Christopher Schultz (<
> chris@christopherschultz.net>) escribió:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > Luis,
> >
> > On 10/1/18 11:06 AM, Luis Rodríguez Fernández wrote:
> > > Agree with Christopher, you have to fix your client. Just get the
> > > root Certificate Authority public key and import it in your client
> > > truststore.
> >
> > I'd recommend trusting the finest-grained cert you can get away with.
> > That might not always be the root CA cert. It might be the server's
> > cert directly.
> >
> > > If you did not change it the client (java) the default keystore is
> > > located in  $JAVA_HOME/jre/lib/security/cacerts. Something like:
> > >
> > > keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts
> > > -storepass trust_store_password_here -alias Root -import -file
> > > the_downloaded_ca.crt
> > >
> > > The default password for cacerts is changeit
> >
> > FWIW, I wouldn't recommend changing the JVM's trust store. I say so
> > for two reasons:
> >
> > 1. You will be trusting that certificate for ALL JVMS LAUNCHED
> > AFTERWARD. Perhaps you don't want some other service to trust your
> > 192.168.1.120 certificate when it's only supposed to be used with a
> > single client service.
> >
> > 2. You will have to remember to update the trust store every time you
> > change your Java installation. That means upgrades, downgrades, etc.
> >
> > The best way to do this IMO is to create a trust store specific for
> > that service (client) and use it EXPLICITLY.
> >
> > - -chris
> > -----BEGIN PGP SIGNATURE-----
> > Comment: GPGTools - http://gpgtools.org
> > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> >
> > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluyafIACgkQHPApP6U8
> > pFijGRAAr8BXcoObcsRM/n++276xFYoAJPGKigExp6wpLjI0iHasPpXC0BPaMInb
> > w7ZkgwAY77Qq7jCcUB8FGrBQXo+axN2r8MVsghV/UyTIwnZyKDM0lb4z6d6016Bc
> > fQjoalUal857FH20PRAv5U+GrrpNcE7Mua5yu6eTqlMpX2hC0kBCc+oaH6xmtZr/
> > lvtn9UK5/ymS83yW5sxxYRa3uEnFf6U2EFJoWKGraEOHquEiX01Jn5nOYxccyPMT
> > TtjZ+yzkc/gvBTsme0ZVdOXTK9m+0Q10f/Fgc4bidSb9ZybaBcm8YsOqpqjP9poC
> > YU4KtJP7BsJbMVzNV7YFlmIDlOVXwzk84oqEj8trbUe8AtJnq9gCLFp6/1ElmXE4
> > xP26Gw1ck2vqQC/4u43HsiBegLFaBUorjNw3fWkf3PTiqSXHjXToJK9oYRv1DNkr
> > SV8dlnujLbqmDQWag2FHTkE6Ka5sFBdbeFUdFP0Qd7jkhmErr5nziO1RtZ1bkIUz
> > MaCYdpLR+OdU1XMrENnLHRedmpjDXp4UA1/mqr/PSMadQrlK7Z4fF5UVurXFWn7Z
> > C+HNYzoSmvUL+y1KsficoK3ZGthUpkgApFFbFh3aSKdm07V+Xt1KK6sRndcjdoff
> > KtU/sG0d0SSLnJmRCJHINRSOccmHZUiWGJ9+UXXE2Gd4nEw43r4=
> > =okQm
> > -----END PGP SIGNATURE-----
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message