Re: [PROPOSAL] Tomcat 10: change default certificateKeystoreType and truststoreType from JKS to PKCS12
On Tue, Jan 28, 2020 at 12:07 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> All,
>
> The subject says it all.
>
> Java 9 is changing the default keystore type from JKS to PKCS12 and
> deprecating the use of JKS.
>
> Do we know what version of Java Tomcat 10 will require? I suspect it
> will be Java 9, so it will match.
>
> In any case, PKCS12 is a better format overall and it's very early in
> the Tomcat 10 lifecycle, so I think it's the right time to make this
> move.
>
> It looks like there is no default type for the trust store type
> (unless javax.net.ssl.trustStoreType has a default value), so I would
> propose that we also set that default type to PKCS12.

+1 :D

> -chris

Re: [PROPOSAL] Tomcat 10: change default certificateKeystoreType and truststoreType from JKS to PKCS12
On Tue, Jan 28, 2020 at 7:07 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> All,
>
> The subject says it all.
>
> Java 9 is changing the default keystore type from JKS to PKCS12 and
> deprecating the use of JKS.
>
> Do we know what version of Java Tomcat 10 will require? I suspect it
> will be Java 9, so it will match.
>
> In any case, PKCS12 is a better format overall and it's very early in
> the Tomcat 10 lifecycle, so I think it's the right time to make this
> move.
>
> It looks like there is no default type for the trust store type
> (unless javax.net.ssl.trustStoreType has a default value), so I would
> propose that we also set that default type to PKCS12.

+1

> -chris

Re: [PROPOSAL] Tomcat 10: change default certificateKeystoreType and truststoreType from JKS to PKCS12
On 2020-01-28 at 18:07, Christopher Schultz wrote:

> All,
>
> The subject says it all.
>
> Java 9 is changing the default keystore type from JKS to PKCS12 and
> deprecating the use of JKS.
>
> Do we know what version of Java Tomcat 10 will require? I suspect it
> will be Java 9, so it will match.
>
> In any case, PKCS12 is a better format overall and it's very early in
> the Tomcat 10 lifecycle, so I think it's the right time to make this
> move.
>
> It looks like there is no default type for the trust store type
> (unless javax.net.ssl.trustStoreType has a default value), so I would
> propose that we also set that default type to PKCS12.

Brilliant proposal. +1

Re: [PROPOSAL] Tomcat 10: change default certificateKeystoreType and truststoreType from JKS to PKCS12
On Tue, Jan 28, 2020 at 6:07 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> All,
>
> The subject says it all.
>
> Java 9 is changing the default keystore type from JKS to PKCS12 and
> deprecating the use of JKS.
>
> Do we know what version of Java Tomcat 10 will require? I suspect it
> will be Java 9, so it will match.

No, it's Java 8. Later on the Tomcat 10 branch will move to Jakarta EE 10, which may up the requirement to Java 9. When that's done, your change would be fully aligned.

> In any case, PKCS12 is a better format overall and it's very early in
> the Tomcat 10 lifecycle, so I think it's the right time to make this
> move.
>
> It looks like there is no default type for the trust store type
> (unless javax.net.ssl.trustStoreType has a default value), so I would
> propose that we also set that default type to PKCS12.

Tomcat 10.0 is not a really useful release, it's only a preparation for Tomcat 10.x so I think you can have fun ;)

Rémy

> -chris

Re: [PROPOSAL] Tomcat 10: change default certificateKeystoreType and truststoreType from JKS to PKCS12
On 28/01/2020 17:07, Christopher Schultz wrote:

> All,
>
> The subject says it all.
>
> Java 9 is changing the default keystore type from JKS to PKCS12 and
> deprecating the use of JKS.
>
> Do we know what version of Java Tomcat 10 will require?

Java 8.

> I suspect it
> will be Java 9, so it will match.

Oh well...

> In any case, PKCS12 is a better format overall and it's very early in
> the Tomcat 10 lifecycle, so I think it's the right time to make this
> move.

My primary concern is backwards compatibility but users using JKS are going to have to make the change at some point so it is really a question of when. And Tomcat 10 does seem like as good a time as any.

> It looks like there is no default type for the trust store type
> (unless javax.net.ssl.trustStoreType has a default value), so I would
> propose that we also set that default type to PKCS12.

No objections here.

Mark

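The backwards-compatibility concern raised in this thread can be checked before an upgrade. The following is an added example, not part of any message in the thread and not Tomcat code: it lists the stores in a `server.xml` that omit `certificateKeystoreType` or `truststoreType` and whose file is not PKCS12 on disk, so they would no longer match the proposed default. The file names, host names and sample bytes are constructed, and `read_head` is a hypothetical callback that returns the first bytes of a store file.

```python
import xml.etree.ElementTree as ET

JKS_MAGIC = bytes.fromhex("feedfeed")    # header of a JKS keystore
JCEKS_MAGIC = bytes.fromhex("cececece")  # header of a JCEKS keystore

def sniff_keystore_type(head: bytes) -> str:
    """Guess the on-disk keystore format from its first bytes."""
    if head.startswith(JKS_MAGIC):
        return "JKS"
    if head.startswith(JCEKS_MAGIC):
        return "JCEKS"
    if head[:1] == b"\x30":  # DER SEQUENCE tag that opens a PKCS#12 PFX
        return "PKCS12"
    return "UNKNOWN"

# (element, file attribute, type attribute) for the two defaults in the proposal
CHECKS = (
    ("Certificate", "certificateKeystoreFile", "certificateKeystoreType"),
    ("SSLHostConfig", "truststoreFile", "truststoreType"),
)

def audit(server_xml: str, read_head) -> list:
    """Return (type attribute, file, on-disk type) for each store that relies
    on the default type while its file is not PKCS12."""
    findings = []
    root = ET.fromstring(server_xml)
    for tag, file_attr, type_attr in CHECKS:
        for el in root.iter(tag):
            path = el.get(file_attr)
            if path is None or el.get(type_attr) is not None:
                continue  # no file configured here, or the type is pinned
            actual = sniff_keystore_type(read_head(path))
            if actual != "PKCS12":
                findings.append((type_attr, path, actual))
    return findings

# Constructed sample input: only the leading bytes of each store are modelled.
_JKS = JKS_MAGIC + b"\x00\x00\x00\x02"
SAMPLE_FILES = {"conf/legacy.jks": _JKS, "conf/pinned.jks": _JKS,
                "conf/trust.jks": _JKS, "conf/site.p12": b"\x30\x82\x0a\x00"}
SAMPLE_SERVER_XML = """<Server><Service><Connector port="8443" SSLEnabled="true">
 <SSLHostConfig hostName="a.example" truststoreFile="conf/trust.jks">
  <Certificate certificateKeystoreFile="conf/legacy.jks"/></SSLHostConfig>
 <SSLHostConfig hostName="b.example">
  <Certificate type="RSA" certificateKeystoreFile="conf/site.p12"/>
  <Certificate type="EC" certificateKeystoreFile="conf/pinned.jks"
               certificateKeystoreType="JKS"/>
 </SSLHostConfig></Connector></Service></Server>"""
```

Each finding can be resolved either by setting the type attribute explicitly to the format reported or by converting the store to PKCS12.
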
[PROPOSAL] Tomcat 10: change default certificateKeystoreType and truststoreType from JKS to PKCS12
All,

The subject says it all.

Java 9 is changing the default keystore type from JKS to PKCS12 and deprecating the use of JKS.

Do we know what version of Java Tomcat 10 will require? I suspect it will be Java 9, so it will match.

In any case, PKCS12 is a better format overall and it's very early in the Tomcat 10 lifecycle, so I think it's the right time to make this move.

It looks like there is no default type for the trust store type (unless javax.net.ssl.trustStoreType has a default value), so I would propose that we also set that default type to PKCS12.

-chris