[ https://issues.apache.org/jira/browse/DERBY-2803?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12508206 ]

Rick Hillegas commented on DERBY-2803:
--------------------------------------

Thanks, Bernt. I think this is a big improvement and will help customers take 
advantage of this feature. We are down to copyediting nits now:

1) In the Admin guide, the top page for this feature is titled "Network 
encryption and authentication with SSL/TLS" now. That's great. A corresponding 
change needs to be made to the table of contents. There the top level page is 
still called "SSL/TLS".

2) Some typos in the Admin guide on the page titled "Running the client with 
SSL/TLS":

a) The phrase "If the server does client authetication" should read "If the 
server does client authentication"

b) The heading "Running the client when both parties does peer authentication" 
should read "Running the client when both parties do peer authentication"

3) A little grammar sanding in the Developer's guide section titled "Derby and 
Security": The phrase "in Derby Server and Administration Guide" would read 
more smoothly as "in the Derby Server and Administration Guide"

4) Same comment in the Reference guide section titled "ssl=sslMode attribute"

Thanks!

> SSL certificate authentication succeeds unexpectedly
> ----------------------------------------------------
>
>                 Key: DERBY-2803
>                 URL: https://issues.apache.org/jira/browse/DERBY-2803
>             Project: Derby
>          Issue Type: Bug
>          Components: Documentation, Security
>    Affects Versions: 10.3.0.0
>            Reporter: Rick Hillegas
>            Assignee: Bernt M. Johnsen
>             Fix For: 10.3.1.1, 10.4.0.0
>
>         Attachments: DERBY-2803-v2.diff, DERBY-2803-v2.stat, 
> DERBY-2803-v2.zip, DERBY-2803.diff, DERBY-2803.stat, DERBY-2803.zip
>
>
> The following bug report may simply be pilot error. I confess that I am 
> having a hard time understanding the user documentation for this feature. The 
> user documentation is found in the Derby Admin guide in the section titled 
> "SSL/TLS". My confusion arises from the fact that sometimes the documentation 
> talks about 3 SSL states (none, basic, peer) and sometimes the documentation 
> talks about 4 SSL states (none, basic, client certificate, server 
> certificate).
> I tried running an experiment in which the server was set up for "Basic SSL 
> encryption":
> 1) I successfully connected to the server when the client was set up for 
> "Basic SSL encryption". This I expected, so good.
> 2) I also successfully connected to the server when the client was set up for 
> "peer (server) authentication". This confused me because the client url was 
> requesting peer authentication but the server was booted with just basic ssl 
> authentication. That is, the client url requested "ssl=peerAuthentication" 
> but the server startup line requested "ssl=basic". I was surprised that the 
> two sides of the connection didn't have to agree on how much authentication 
> was going to be done.
> 3) I also successfully connected to the server when the client was set up for 
> "peer authentication on both sides". This really confused me: It seemed to me 
> that there were 2 certificates involved, but the server, via its startup 
> properties, should only have been aware of one of these certificates, viz., 
> the certificate identified by the javax.net.ssl.keyStore properties.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.