[ http://issues.apache.org/jira/browse/GERONIMO-1071?page=all ]
Aaron Mulder updated GERONIMO-1071:
-----------------------------------

    Component: console
    Fix Version: 1.0

Should fix the console notes for 1.0, then bump this back as far as trying to get more features into Jetty, etc.

> trust material/truststore for Jetty and Tomcat HTTPS Connectors
> ---------------------------------------------------------------
>
>          Key: GERONIMO-1071
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1071
>      Project: Geronimo
>         Type: Bug
>   Components: security, console
>     Versions: 1.0-M5
>  Environment: Win XP, Sun JDK 1.4.2_08
>     Reporter: Vamsavardhana Reddy
>      Fix For: 1.0
>
> The following behaviour is noticed regarding trusted certificates in SSLContext when HTTPS Connectors are created.
>
> JETTY:
> Jetty HTTPS Connector does not provide a way to specify a trustStore. The "default trust material"** is used always. (In fact, Jetty does not provide a way to specify a trustStore while configuring SSL.) The following is the code in Jetty 5.1.5 source org.mortbay.http.SslListener.java that initializes SSLContext.
>
>     context.init(keyManagerFactory.getKeyManagers(), null, new java.security.SecureRandom());
>
> The null 2nd parameter means "default trust material" is used.
>
> TOMCAT:
> Tomcat HTTPS Connector provides a way to specify trustStore using the "truststoreFileName" attribute in the GBean configuration. If this attribute is not present, then "default trust material" is used.
>
> The trusted certificates in the server keystore are not added to trusted certificates for SSL in either case. (This is the expected behaviour.)
>
> The comment in Geronimo Console in the edit HTTPS Connector configuration page under the "Client Auth Required" check box says, "If set, then clients connecting through this connector must supply a valid client certificate. By default, the validity is based on the CA certificates in the server keystore (need to confirm not the JVM default trust keystore)". This is not valid.
> **default trust material = keystore file specified by the "javax.net.ssl.trustStore" system property, or <java-home>/lib/security/jssecacerts, or <java-home>/lib/security/cacerts, whichever is available first in that order.

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
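The following is an added illustration, not code from Geronimo, Jetty or Tomcat. It shows the two SSLContext initialisations the issue contrasts (explicit trust managers built from a truststore file, versus the null trust-manager argument that makes JSSE fall back to the default trust material), implements the default-trust-material lookup order from the footnote so an administrator can see which file is in effect, and lists the CA certificates the resulting trust managers will actually accept for client-certificate validation. The class name, method names and the keystore/truststore paths passed on the command line are assumptions for the example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Illustrative helper (hypothetical name; not Geronimo/Jetty/Tomcat code). */
public final class TrustMaterialDemo {

    /**
     * Returns the file JSSE would use as "default trust material", following the
     * order given in the issue footnote: the javax.net.ssl.trustStore property,
     * then jssecacerts, then cacerts under <java-home>/lib/security. Null if none.
     */
    public static File defaultTrustMaterial() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null && new File(prop).isFile()) {
            return new File(prop);
        }
        File secDir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jsse = new File(secDir, "jssecacerts");
        if (jsse.isFile()) {
            return jsse;
        }
        File cacerts = new File(secDir, "cacerts");
        return cacerts.isFile() ? cacerts : null;
    }

    private static KeyStore load(File file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(file);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /**
     * Trust managers for the connector. With a truststore file they are built from
     * that file; with null, TrustManagerFactory.init(null) loads the same default
     * trust material that SSLContext.init(..., null, ...) would fall back to.
     */
    public static TrustManager[] trustManagers(File trustStoreFile, char[] password) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStoreFile == null ? null : load(trustStoreFile, password));
        return tmf.getTrustManagers();
    }

    /**
     * Builds a server SSLContext. If trustStoreFile is null the context is initialised
     * the way the Jetty 5.1.5 SslListener does (null trust managers), so client
     * certificates are validated against the default trust material only.
     */
    public static SSLContext buildContext(File keyStoreFile, char[] keyStorePassword,
                                          File trustStoreFile, char[] trustStorePassword)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStoreFile, keyStorePassword), keyStorePassword);

        // null second argument => "default trust material" (the Jetty behaviour in the issue)
        TrustManager[] tms = trustStoreFile == null ? null : trustManagers(trustStoreFile, trustStorePassword);

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), tms, new SecureRandom());
        return context;
    }

    /** Prints the CA subjects a connector with these trust managers would accept. */
    public static void printAcceptedIssuers(TrustManager[] tms) {
        for (int i = 0; i < tms.length; i++) {
            if (tms[i] instanceof X509TrustManager) {
                X509Certificate[] issuers = ((X509TrustManager) tms[i]).getAcceptedIssuers();
                for (int j = 0; j < issuers.length; j++) {
                    System.out.println("  trusted CA: " + issuers[j].getSubjectDN());
                }
            }
        }
    }

    /** Usage: TrustMaterialDemo <keystore> <keystorePassword> [<truststore> <truststorePassword>] */
    public static void main(String[] args) throws Exception {
        File def = defaultTrustMaterial();
        System.out.println("Default trust material: " + (def == null ? "(none found)" : def.getPath()));
        File trustStore = args.length >= 4 ? new File(args[2]) : null;
        char[] trustPw = args.length >= 4 ? args[3].toCharArray() : null;
        System.out.println(trustStore == null ? "Using default trust material:" : "Using " + trustStore + ":");
        printAcceptedIssuers(trustManagers(trustStore, trustPw));
        if (args.length >= 2) {
            buildContext(new File(args[0]), args[1].toCharArray(), trustStore, trustPw);
        }
    }
}
```

Run it without a truststore argument to see which file and which CAs a Jetty-style connector would trust; the difference between that list and the CA certificates stored in the server keystore is exactly the point the issue makes about the console's "Client Auth Required" note.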