Re: Remove an Always Trust permission from OpenJDK/IcedTea Plugin
I don't think I've been much help.

> Hi,
>
> On Friday, 22.04.2011, 21:19 +0900, Joel Rees wrote:
>> You say options, does that mean you did or did not find the browser certificate store dialog?
>
> I did find it, but the trusted certificate was not in the list. I think it is being added at another place. But I was unable to locate it.
>
>>> Therefore I think that the certificate is marked trusted by OpenJDK. But I'm unable to find the default keystore.
>>
>> Have you tried installing the OpenJDK Policy Tool (GUI) and/or Monitoring and Management Console (JConsole)?
>
> Yes, but it did not help me to find the certificate store location.

That's awkward.

>>> It should be possible to add and remove trusted certificates with the keytool command, but I have to specify the keystore. Any idea where OpenJDK might have its default keystore? Or am I looking the wrong way at that problem?
>>
>> I think the policy tool can tell you what it's using. Then again, I think the command line policy tool should use the default if it's going to use the default.
>
> I also thought so, but it requires you to specify a key store location. This differs to what I found in the documentation of the Oracle keytool.

hmmm

> | Keystore Location
> |
> | Each keytool command has a -keystore option for specifying the name
> | and location of the persistent keystore file for the keystore managed
> | by keytool. The keystore is by default stored in a file
> | named .keystore in the user's home directory, as determined by the
> | user.home system property. Given user name uName, the user.home
> | property value defaults to
> |
> | C:\Winnt\Profiles\uName on multi-user Windows NT systems
> | C:\Windows\Profiles\uName on multi-user Windows 95 systems
> | C:\Windows on single-user Windows 95 systems
> |
> | Thus, if the user name is cathy, user.home defaults to
> |
> | C:\Winnt\Profiles\cathy on multi-user Windows NT systems
> | C:\Windows\Profiles\cathy on multi-user Windows 95 systems

Well, that's a nice MSWindows-specific bit of help. :-(

> Source: http://download.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html

Yeah, MSWindows-specific. I wonder if there is a similar page for Linux. (Oracle isn't very helpful for free.)

> I do not have a .keystore file though. Using `find . -name *keystore*` will only give me gnome keyring's keystore, which does not hold the certificate either.

I'm thinking they've hidden all that stuff in a database sort of file. In the .mozilla directory. Except that would be what the browser shows you when you check the browser's certificate list.

> Just gave it a try and switched to Oracle's JRE. That one asked me again if I want to trust the certificate. Seems that OpenJDK and SUN/Oracle JRE do not share the same keystore. Unless it got purged during the uninstall.

Gone with the purge is a possibility.

> But still I'm not sure how to undo an Always Trust option with Oracle's JRE or OpenJDK. Probably these options are not meant to be undone :-)

Well, yeah, TBH, the general approach is to revoke the certificate, rather than remove it. That puts an entry in the revocation list and prevents a bad certificate from being accepted blindly again.

Again, sorry I'm not much help.
Re: Remove an Always Trust permission from OpenJDK/IcedTea Plugin
Hi,

On Friday, 22.04.2011, 21:19 +0900, Joel Rees wrote:
> You say options, does that mean you did or did not find the browser certificate store dialog?

I did find it, but the trusted certificate was not in the list. I think it is being added at another place. But I was unable to locate it.

>> Therefore I think that the certificate is marked trusted by OpenJDK. But I'm unable to find the default keystore.
>
> Have you tried installing the OpenJDK Policy Tool (GUI) and/or Monitoring and Management Console (JConsole)?

Yes, but it did not help me to find the certificate store location.

>> It should be possible to add and remove trusted certificates with the keytool command, but I have to specify the keystore. Any idea where OpenJDK might have its default keystore? Or am I looking the wrong way at that problem?
>
> I think the policy tool can tell you what it's using. Then again, I think the command line policy tool should use the default if it's going to use the default.

I also thought so, but it requires you to specify a key store location. This differs to what I found in the documentation of the Oracle keytool.

| Keystore Location
|
| Each keytool command has a -keystore option for specifying the name
| and location of the persistent keystore file for the keystore managed
| by keytool. The keystore is by default stored in a file
| named .keystore in the user's home directory, as determined by the
| user.home system property. Given user name uName, the user.home
| property value defaults to
|
| C:\Winnt\Profiles\uName on multi-user Windows NT systems
| C:\Windows\Profiles\uName on multi-user Windows 95 systems
| C:\Windows on single-user Windows 95 systems
|
| Thus, if the user name is cathy, user.home defaults to
|
| C:\Winnt\Profiles\cathy on multi-user Windows NT systems
| C:\Windows\Profiles\cathy on multi-user Windows 95 systems

Source: http://download.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html

I do not have a .keystore file though. Using `find . -name *keystore*` will only give me gnome keyring's keystore, which does not hold the certificate either.

Just gave it a try and switched to Oracle's JRE. That one asked me again if I want to trust the certificate. Seems that OpenJDK and SUN/Oracle JRE do not share the same keystore. Unless it got purged during the uninstall.

But still I'm not sure how to undo an Always Trust option with Oracle's JRE or OpenJDK. Probably these options are not meant to be undone :-)

Regards,
adris
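The `find . -name *keystore*` search in the message above matches on file name only. As an added example (not part of the thread), this script finds Java keystores by content instead, assuming the trust store is a JKS or JCEKS file (magic bytes FE ED FE ED or CE CE CE CE); the sample tree built by `make_sample` and its file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: locate Java keystores by content, not by file name.
# Assumption: the store is in JKS format (first bytes FE ED FE ED)
# or JCEKS format (first bytes CE CE CE CE).

# find_java_keystores DIR
# Prints "TYPE<TAB>PATH" for every regular file under DIR (default: $HOME)
# whose first four bytes are a JKS or JCEKS magic number.
find_java_keystores() {
    find "${1:-$HOME}" -type f -exec sh -c '
        for f do
            # Hex dump of the first 4 bytes, spaces and newline removed
            magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d " \n")
            case "$magic" in
                feedfeed) printf "JKS\t%s\n" "$f" ;;
                cececece) printf "JCEKS\t%s\n" "$f" ;;
            esac
        done' sh {} + 2>/dev/null
}

# make_sample DIR
# Constructed sample tree: one file with the JKS magic under a name that
# does not contain "keystore", and one decoy whose name does.
make_sample() {
    mkdir -p "$1/.someplugin"
    printf '\376\355\376\355\001\002' > "$1/.someplugin/store.bin"
    printf 'not a keystore\n' > "$1/keystore-notes.txt"
}

if [ $# -gt 0 ]; then
    # Scan the directory given on the command line
    find_java_keystores "$1"
else
    # No argument: run against the constructed sample tree
    demo=$(mktemp -d) && make_sample "$demo" && find_java_keystores "$demo"
    rm -rf "$demo"
fi
```

Each reported path can then be passed to `keytool -list -keystore <path>` to see its entries, and to `keytool -delete -alias <alias> -keystore <path>` to remove one.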
Re: Remove an Always Trust permission from OpenJDK/IcedTea Plugin
On 2011-04-26, adris adr...@t-online.de wrote:
> But still I'm not sure how to undo an Always Trust option with Oracle's JRE or OpenJDK. Probably these options are not meant to be undone :-)

In the case of Oracle's JRE, run jcontrol, click on the Security tab, then click the Certificates button. From there you can remove trusted certificates.

--
Liam O'Toole
Cork, Ireland
Re: Remove an Always Trust permission from OpenJDK/IcedTea Plugin
On Mon, Apr 18, 2011 at 10:57 PM, adris adr...@t-online.de wrote:
> Hi, thanks for the help.
>
> On Monday, 18.04.2011, 20:34 +0900, Joel Rees wrote:
>> On Mon, Apr 18, 2011 at 6:06 PM, adris adr...@t-online.de wrote:
>>> Hi, how can you undo the permission Always Trust this Publisher, once you checked that box for a signed applet in Iceweasel.
>>
>> (Shooting from the hip, here, but, ...) I think the quickest way is to remove the corresponding certificate. You go to the settings item in the edit menu, I don't remember the name of the group in English, but it should be something like miscellaneous or high-level or advanced or something. It's not in the security, contents, program, or privacy group, where you might expect it.

I'm logged into an English session now and here's where it is:

Edit menu - Preferences - Advanced - (button) View Certificates

There are also buttons there for revocation lists and validation, which you might be interested in, and security devices.

> I also first thought that this certificate got installed in Iceweasel, but I did not find it listed among all the available options.

You say options, does that mean you did or did not find the browser certificate store dialog?

(I'm trying to remember the pseudo-url for getting at the browser's settings that it doesn't expose via GUI interfaces, and it's not coming to mind.)

> I just gave it a try and removed the whole ~/.mozilla folder. Nevertheless this certificate still seems to be trusted.

Yeah, I'm pretty sure that would not work. Even though the dialog is the browser's, the certificate store is not. I'm trying to remember what is where, though and I'm drawing blanks. I hate getting old.

> Therefore I think that the certificate is marked trusted by OpenJDK. But I'm unable to find the default keystore.

Have you tried installing the OpenJDK Policy Tool (GUI) and/or Monitoring and Management Console (JConsole)?

> It should be possible to add and remove trusted certificates with the keytool command, but I have to specify the keystore. Any idea where OpenJDK might have its default keystore? Or am I looking the wrong way at that problem?

I think the policy tool can tell you what it's using. Then again, I think the command line policy tool should use the default if it's going to use the default.

Gnome has its own keystore, for what it's worth.

Sorry I'm not much help today.
Re: Remove an Always Trust permission from OpenJDK/IcedTea Plugin
On Mon, Apr 18, 2011 at 6:06 PM, adris adr...@t-online.de wrote:
> Hi, how can you undo the permission Always Trust this Publisher, once you checked that box for a signed applet in Iceweasel.

(Shooting from the hip, here, but, ...) I think the quickest way is to remove the corresponding certificate. You go to the settings item in the edit menu, I don't remember the name of the group in English, but it should be something like miscellaneous or high-level or advanced or something. It's not in the security, contents, program, or privacy group, where you might expect it.

There will be several tabs within that advanced (or whatever) group, look for the encryption tab. Note that there's a list for invalidated certificates, and click the show certificates button.

Yeah, you'll see more than a few of those certificates that you'll want to consider carefully whether you really want them in your trust list, but you should also find the certificate that has the signature that you don't want to trust after all. And you can probably delete it.

There may be situations where you have a notice of invalidation, in those cases, you would want to add the invalidated certificate(s) to the list of invalidated certificates so you don't accidentally import the bad certificate later.

> The applet is being loaded with the IcedTea6 Plugin and run by OpenJDK-6-JRE.

Another possibility is to get out the Java policy management tools and enter a policy of not trusting the signature source. I'm not remembering where they are, but they would be in the system administration or settings (launcher) menu, rather than in the browser's menus, I think.

> iceweasel 3.5.16-6
> icedtea6-plugin 6b18-1.8.3-2
> openjdk-6-jre 6b18-1.8.3-2+squeeze1
>
> Thanks,
> adris
Re: Remove an Always Trust permission from OpenJDK/IcedTea Plugin
Hi, thanks for the help.

On Monday, 18.04.2011, 20:34 +0900, Joel Rees wrote:
> On Mon, Apr 18, 2011 at 6:06 PM, adris adr...@t-online.de wrote:
>> Hi, how can you undo the permission Always Trust this Publisher, once you checked that box for a signed applet in Iceweasel.
>
> (Shooting from the hip, here, but, ...) I think the quickest way is to remove the corresponding certificate. You go to the settings item in the edit menu, I don't remember the name of the group in English, but it should be something like miscellaneous or high-level or advanced or something. It's not in the security, contents, program, or privacy group, where you might expect it.

I also first thought that this certificate got installed in Iceweasel, but I did not find it listed among all the available options.

I just gave it a try and removed the whole ~/.mozilla folder. Nevertheless this certificate still seems to be trusted.

Therefore I think that the certificate is marked trusted by OpenJDK. But I'm unable to find the default keystore.

It should be possible to add and remove trusted certificates with the keytool command, but I have to specify the keystore. Any idea where OpenJDK might have its default keystore? Or am I looking the wrong way at that problem?

Thanks,
Adris