trust material/truststore for Jetty and Tomcat HTTPS Connectors
---------------------------------------------------------------
Key: GERONIMO-1071
URL: http://issues.apache.org/jira/browse/GERONIMO-1071
Project: Geronimo
Type: Bug
Components: security
Versions: 1.0-M5
Environment: Win XP, Sun JDK 1.4.2_08
Reporter: Vamsavardhana Reddy
The following behaviour is noticed regarding trusted certificates in SSLContext
when HTTPS Connectors are created.
JETTY:
Jetty HTTPS Connector does not provide a way to specify a trustStore. The
"default trust material"** is always used. (In fact, Jetty does not provide a
way to specify a trustStore while configuring SSL.) The following is the code
in the Jetty 5.1.5 source org.mortbay.http.SslListener.java that initializes the
SSLContext:

    context.init(keyManagerFactory.getKeyManagers(), null, new java.security.SecureRandom());

The null 2nd parameter means "default trust material" is used.
TOMCAT:
Tomcat HTTPS Connector provides a way to specify trustStore using
"truststoreFileName" attribute in the GBean configuration. If this attribute
is not present, then "default trust material" is used.
The trusted certificates in the server keystore are not added to trusted
certificates for SSL in either case. (This is the expected behaviour).
The comment in Geronimo Console in edit HTTPS Connector configuration page
under the "Client Auth Required" check box says, "If set, then clients
connecting through this connector must supply a valid client certificate. By
default, the validity is based on the CA certificates in the server keystore
(need to confirm not the JVM default trust keystore)". This is not valid.
**default trust material = keystore file specified by
"javax.net.ssl.trustStore" system property or
<java-home>/lib/security/jssecacerts or <java-home>/lib/security/cacerts,
whichever is available first in that order.
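To make the contrast concrete, here is an added example (not Geronimo, Jetty or Tomcat code) of a connector initializing its SSLContext with explicit trust material instead of the null argument that silently selects the defaults; the class name, file paths and passwords are assumed, and defaultTrustStorePath() only reproduces the lookup order described in the footnote above.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ExplicitTrustContext {

    /** The file JSSE falls back to when init() receives null trust managers. */
    static File defaultTrustStorePath() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return new File(prop);
        }
        File security = new File(System.getProperty("java.home"), "lib/security");
        File jssecacerts = new File(security, "jssecacerts");
        return jssecacerts.exists() ? jssecacerts : new File(security, "cacerts");
    }

    /** Load a keystore file (JKS by default) with the given password. */
    static KeyStore load(File path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Build a server SSLContext whose client-cert validation uses ONLY trustStore. */
    static SSLContext build(File keyStore, char[] keyPass,
                            File trustStore, char[] trustPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStore, keyPass), keyPass);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStore, trustPass));

        SSLContext ctx = SSLContext.getInstance("TLS");
        // Passing tmf.getTrustManagers() is the difference from the Jetty line quoted above:
        // a null here would make "Client Auth Required" trust defaultTrustStorePath() instead.
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }
}
```

A connector that cannot take a truststore path (the Jetty case in this report) therefore cannot call build() with its own trust material, so any client certificate signed by a CA in the JVM-wide cacerts file would be accepted.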