Stover, Michael wrote:
> No hurry - I'm not expecting you to fix anything, just make a comment to
> clarify them, if possible.
The first one, Bug #5710, is a user error. It may not be clear enough in
the SSLManager docs I wrote, but you must have a copy of the public key
of the site you are accessing *especially* if it does not originate from
any of the public keys that are shipped with JSSE.

The technique I use is to create a JKS KeyStore named "jssecacerts".
I place that in the ${JAVA_HOME}/jre/lib/security/ directory. The
JSSE system will pick that up before the other cacerts file.

In that keystore, you need the Certificate Authority (CA) certificate
and the site's certificate. If the site uses a self-produced CA cert,
then they also have to be careful with certain attributes of the cert.
I had JSSE choking on me because the CA Cert of the site I was testing
had an attribute named OID=48.25.93.22 or something similar. JSSE does
not like an explicitly named OID with decimal points--don't use it.

The second bug, Bug #5770, I suspect to be a deficiency in the JDK that
the user is using. It can be something between his Linux kernel and
the Sun JDK code, or it can be bad JDK code.

The problem with SecureRandom is that it uses random thread timings
to produce a random result. Theoretically, it seeds the random number
generator well. Unfortunately, it is possible that the thread
contention intentionally invoked by the SecureRandom in JDK 1.4 caused
a deadlock on the user's machine.

In order to get around this problem, I suggest you make the SecureRandom
class implementation pluggable. That way we don't have to worry about
Sun's implementation. If a Linux box has a hardware random noise
generator, it would be better to use that to seed the SecureRandom.
Therefore, we should be able to specify javax.secure.Random=DevRndRandom
or something similar.

The "DevRndRandom" we specified can read the first 1024 bytes from
/dev/rnd or /dev/snd (there are ways of inducing noise through the
microphone). That would be enough to get a truly randomly generated
seed.

It is possible that the BlackDown JDK has detected the bug that Sun
released and fixed it already.
>
>
>>-----Original Message-----
>>From: Berin Loritsch [mailto:[EMAIL PROTECTED]]
>>Sent: Thursday, March 07, 2002 10:40 AM
>>To: JMeter Developers List
>>Subject: Re: itchy fingers
>>
>>
>>Stover, Michael wrote:
>>
>>>Thanks Berin, I appreciate that. BTW, have you checked out the bugs on
>>>bugzilla that refer to SSL stuff? Maybe you could spare a moment and read
>>>them and just comment on them (in bugzilla) to help me understand them - I
>>>don't even know if they're valid bugs!
>>>
>>Ok. I will try to get to them this weekend--I have an incredibly insane
>>schedule.
>>
>>
>>>-Mike
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: Berin Loritsch [mailto:[EMAIL PROTECTED]]
>>>>Sent: Thursday, March 07, 2002 10:32 AM
>>>>To: JMeter Developers List
>>>>Subject: Re: itchy fingers
>>>>
>>>>
>>>>Stover, Michael wrote:
>>>>
>>>>>I'm having difficulty restraining myself from getting to work on JMeter
>>>>>wholesale. On one machine, I've already implemented cut/copy/paste/ and Add
>>>>>Parent, and I'd like to add an insert ability and get rid of the annoying
>>>>>"getAddList()" method from JMeterComponentModel. I've been writing
>>>>>documentation like a mad man, but there's only so much of that I can take.
>>>>>Jim Boucher and I have been trying to get 1.7beta3 out the door, with 1.7.x
>>>>>production release to soon follow once documentation is done. Well,
>>>>>documentation is about as done as I'm going to make it for now, and we're
>>>>>still trying to get people's responses to beta3. As far as I'm concerned,
>>>>>the production release is done and ready to go.
>>>>>
>>>>>Does anyone have any concerns that need to be addressed before a release is
>>>>>made?
>>>>>
>>>>Not now. You've done an excellent job. (I just wish I could provide
>>>>more help, but unfortunately I am no longer getting paid to work on it
>>>>full time).
>>>>
>>>>--
>>>>"They that give up essential liberty to obtain a little temporary safety
>>>> deserve neither liberty nor safety."
>>>> - Benjamin Franklin
>>>>
--
"They that give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety."
- Benjamin Franklin
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
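
The "jssecacerts" technique from the reply above, as an added Java example (not JMeter's code and not the author's): it checks that the site certificate was signed by the CA certificate before writing both into a JKS keystore. The class name `MakeJsseCacerts`, the aliases, and the three file arguments are assumptions; "changeit" is the conventional default cacerts password.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Added example: builds a "jssecacerts" JKS trust store from a CA cert and a site cert. */
public final class MakeJsseCacerts {
    /** Loads one X.509 certificate (PEM or DER) from a file. */
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Validates the pair, then returns a keystore holding both as trusted entries. */
    static KeyStore build(X509Certificate ca, X509Certificate site) throws Exception {
        ca.checkValidity();              // throws if expired or not yet valid
        site.checkValidity();
        site.verify(ca.getPublicKey());  // throws if the site cert was not signed by this CA
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);             // start from an empty keystore
        ks.setCertificateEntry("site-ca", ca);   // alias names are assumptions
        ks.setCertificateEntry("site", site);
        return ks;
    }

    // usage: java MakeJsseCacerts ca.pem site.pem jssecacerts
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: MakeJsseCacerts <ca-cert> <site-cert> <output-keystore>");
            System.exit(2);
        }
        KeyStore ks = build(load(args[0]), load(args[1]));
        try (OutputStream out = new FileOutputStream(args[2])) {
            ks.store(out, "changeit".toCharArray());
        }
        System.out.println("wrote " + ks.size() + " entries to " + args[2]);
    }
}
```

Copy the resulting file to ${JAVA_HOME}/jre/lib/security/jssecacerts, the location named in the reply.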
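
The pluggable SecureRandom idea from the reply above, as an added Java example (not JMeter's code and not the author's). The class name `RandomSource`, the property names `example.secure.random` and `example.secure.random.device`, and the `/dev/urandom` default are assumptions; the mail itself suggests `javax.secure.Random` and `/dev/rnd`.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.SecureRandom;

/** Added example: selects how the SecureRandom handed to the SSL code is created. */
public final class RandomSource {
    // Hypothetical property names; the mail only says "or something similar".
    static final String IMPL_PROP = "example.secure.random";
    static final String DEVICE_PROP = "example.secure.random.device";
    static final int SEED_BYTES = 1024; // seed length named in the mail

    /** Reads exactly n bytes from the device; a short read or EOF is an error. */
    static byte[] readSeed(String device, int n) throws IOException {
        byte[] seed = new byte[n];
        try (DataInputStream in = new DataInputStream(new FileInputStream(device))) {
            in.readFully(seed);
        }
        return seed;
    }

    /** Returns the configured generator. Unknown names fail loudly, never silently. */
    public static SecureRandom create() throws IOException {
        String impl = System.getProperty(IMPL_PROP, "default");
        switch (impl) {
            case "default":
                return new SecureRandom(); // the JDK seeds itself
            case "DevRndRandom": {
                // Assumed default device; override with -Dexample.secure.random.device=...
                String dev = System.getProperty(DEVICE_PROP, "/dev/urandom");
                return new SecureRandom(readSeed(dev, SEED_BYTES)); // seed supplied up front
            }
            default:
                throw new IllegalArgumentException("unknown " + IMPL_PROP + ": " + impl);
        }
    }

    public static void main(String[] args) throws IOException {
        SecureRandom r = create();
        byte[] out = new byte[16];
        r.nextBytes(out);
        System.out.println(r.getAlgorithm() + " produced " + out.length + " bytes");
    }
}
```

Run with `-Dexample.secure.random=DevRndRandom` to seed from the device; a missing or unreadable device raises an IOException instead of falling back to a weaker seed.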