Re: [josm-dev] HTTPS changes on osm.org

2015-02-22 Thread Paul Hartmann

On 23.02.2015 01:51, Vincent Privat wrote:

> I'd prefer not, regarding what happened the last time I played with this
> feature:
> http://josm.openstreetmap.de/ticket/10033
> http://josm.openstreetmap.de/ticket/10230
>
> Besides, it only works for Windows.


It's different in this case, as we don't need to make a web browser like 
Firefox accept a certain certificate. The problem is Java-only, so it 
should be more or less platform independent.


To add a certificate to Java you would normally use the keytool program 
to modify the file $JAVA_HOME/lib/security/cacerts.

This requires root privileges, so it is out of the question for JOSM.

Alternatively one could hook into the SSL verification process by 
setting a custom implementation of the TrustManager class [1]. This 
class would have special handling code for a certain certificate and 
otherwise pass the verification to the standard handler.


This is a hack and circumvents the normal Java mechanisms. You have to 
be very careful not to introduce bugs and security problems.


I think it is not really worth it and we should switch to plain http for 
openstreetmap.org domains, if the StartSSL certificate isn't replaced.


[1] 



Paul

___
josm-dev mailing list
josm-dev@openstreetmap.org
https://lists.openstreetmap.org/listinfo/josm-dev


Re: [josm-dev] HTTPS changes on osm.org

2015-02-22 Thread Vincent Privat
I'd prefer not, regarding what happened the last time I played with this
feature:
http://josm.openstreetmap.de/ticket/10033
http://josm.openstreetmap.de/ticket/10230

Besides, it only works for Windows.

2015-02-23 1:44 GMT+01:00 Greg Troxel:

>
> Vincent Privat  writes:
>
> > Tonight osm.org sysadmins briefly switched to another root CA for their
> > https certificates (StartSSL), which is not included in Java Root CA
> > default list. As a direct consequence it caused download/upload errors for
> > all JOSM users since we enabled HTTPS access by default.
>
> Can't you somehow add that CA into JOSM so that it will be accepted as
> valid?  I don't mean to change java, but I would think a program
> calling for validation could add a trust root.
>


Re: [josm-dev] HTTPS changes on osm.org

2015-02-22 Thread Greg Troxel

Vincent Privat  writes:

> Tonight osm.org sysadmins briefly switched to another root CA for their
> https certificates (StartSSL), which is not included in Java Root CA
> default list. As a direct consequence it caused download/upload errors for
> all JOSM users since we enabled HTTPS access by default.

Can't you somehow add that CA into JOSM so that it will be accepted as
valid?  I don't mean to change java, but I would think a program
calling for validation could add a trust root.




[josm-dev] HTTPS changes on osm.org

2015-02-22 Thread Vincent Privat
Hi,
Tonight osm.org sysadmins briefly switched to another root CA for their
https certificates (StartSSL), which is not included in Java Root CA
default list. As a direct consequence it caused download/upload errors for
all JOSM users since we enabled HTTPS access by default.

This issue is discussed there:
https://github.com/openstreetmap/operations/issues/2#issuecomment-75379077

If we can't find a practical solution we'll have to disable HTTPS by
default.

I propose to postpone the February release a few days until we clarify the
situation. If we need to disable https, the sooner the better.

Cheers,
Vincent