trust material/truststore for Jetty and Tomcat HTTPS Connectors
---------------------------------------------------------------

         Key: GERONIMO-1071
         URL: http://issues.apache.org/jira/browse/GERONIMO-1071
     Project: Geronimo
        Type: Bug
  Components: security
    Versions: 1.0-M5
 Environment: Win XP, Sun JDK 1.4.2_08
    Reporter: Vamsavardhana Reddy

The following behaviour is noticed regarding trusted certificates in SSLContext when HTTPS Connectors are created.

JETTY: Jetty HTTPS Connector does not provide a way to specify a trustStore. The "default trust material"** is always used. (In fact, Jetty does not provide a way to specify a trustStore while configuring SSL.) The following is the code in Jetty 5.1.5 source org.mortbay.http.SslListener.java that initializes SSLContext:

    context.init(keyManagerFactory.getKeyManagers(), null, new java.security.SecureRandom());

The null 2nd parameter means "default trust material" is used.

TOMCAT: Tomcat HTTPS Connector provides a way to specify trustStore using the "truststoreFileName" attribute in the GBean configuration. If this attribute is not present, then "default trust material" is used.

The trusted certificates in the server keystore are not added to trusted certificates for SSL in either case. (This is the expected behaviour.)

The comment in Geronimo Console in the edit HTTPS Connector configuration page under the "Client Auth Required" check box says, "If set, then clients connecting through this connector must supply a valid client certificate. By default, the validity is based on the CA certificates in the server keystore (need to confirm not the JVM default trust keystore)". This is not valid.

** default trust material = keystore file specified by the "javax.net.ssl.trustStore" system property, or <java-home>/lib/security/jssecacerts, or <java-home>/lib/security/cacerts, whichever is available first in that order.

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
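The two SSLContext initialisations the report contrasts, shown side by side as an added illustration that is not Geronimo, Jetty or Tomcat code. `withDefaultTrust` reproduces the Jetty pattern (null trust managers, so JSSE falls back to the default trust material), `withExplicitTrust` reproduces what Tomcat's `truststoreFileName` attribute achieves, and `acceptedIssuers` is the check an administrator can run to see which CA certificates a given store would actually accept for client authentication. The class name, method names and the keystore type/password parameters are assumptions for the example; `defaultTrustMaterial` follows the resolution order given in the report's footnote.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (hypothetical class, not part of Geronimo/Jetty/Tomcat):
 * contrasts SSLContext.init() with null trust managers against an explicit
 * trust store, and lists the CAs a store really trusts.
 */
public class TrustMaterialCheck {

    /** Resolve the "default trust material" in the order the report's footnote gives. */
    public static File defaultTrustMaterial() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return new File(prop);
        }
        File secDir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jssecacerts = new File(secDir, "jssecacerts");
        return jssecacerts.exists() ? jssecacerts : new File(secDir, "cacerts");
    }

    /** Load a keystore from disk; type and password are caller-supplied (assumed parameters). */
    public static KeyStore load(File file, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(file);
        try {
            ks.load(in, password); // a null password still reads the entries, only skipping the integrity check
        } finally {
            in.close();
        }
        return ks;
    }

    /**
     * Jetty-style: the null TrustManager[] makes JSSE use the default trust
     * material. CA entries inside the server keystore take no part in
     * validating client certificates here.
     */
    public static SSLContext withDefaultTrust(KeyStore serverKeystore, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(serverKeystore, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, new SecureRandom());
        return ctx;
    }

    /** Tomcat-style with truststoreFileName: trust comes only from the supplied trust store. */
    public static SSLContext withExplicitTrust(KeyStore serverKeystore, char[] keyPassword,
                                               KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(serverKeystore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    /**
     * Subject DNs of the CAs a trust store would accept for client auth. Run it
     * against the server keystore and against defaultTrustMaterial() to see
     * which one really governs "Client Auth Required".
     */
    public static String[] acceptedIssuers(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        TrustManager[] tms = tmf.getTrustManagers();
        for (int i = 0; i < tms.length; i++) {
            if (tms[i] instanceof X509TrustManager) {
                X509Certificate[] issuers = ((X509TrustManager) tms[i]).getAcceptedIssuers();
                String[] names = new String[issuers.length];
                for (int j = 0; j < issuers.length; j++) {
                    names[j] = issuers[j].getSubjectX500Principal().getName();
                }
                return names;
            }
        }
        return new String[0];
    }

    /** Usage: java TrustMaterialCheck <server.jks> <keystorePassword> [truststore.jks] */
    public static void main(String[] args) throws Exception {
        KeyStore server = load(new File(args[0]), "JKS", args[1].toCharArray());
        KeyStore trust = args.length > 2 ? load(new File(args[2]), "JKS", null)
                                         : load(defaultTrustMaterial(), "JKS", null);
        System.out.println("Default trust material: " + defaultTrustMaterial());
        String[] fromServerKeystore = acceptedIssuers(server);
        String[] fromTrustStore = acceptedIssuers(trust);
        System.out.println("CAs in server keystore (NOT used for client auth): " + fromServerKeystore.length);
        System.out.println("CAs in effective trust store: " + fromTrustStore.length);
        for (int i = 0; i < fromTrustStore.length; i++) {
            System.out.println("  " + fromTrustStore[i]);
        }
        withDefaultTrust(server, args[1].toCharArray());
        withExplicitTrust(server, args[1].toCharArray(), trust);
    }
}
```

The listing from `acceptedIssuers` on the default trust material is usually the JDK's bundled public CA set, which is the practical consequence of the report: with client auth enabled and no explicit trust store, any certificate chaining to one of those public CAs satisfies the connector, not only certificates issued by the CA whose certificate was imported into the server keystore.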