--- On Thu, 10/22/09, Damian Krzeminski <[email protected]> wrote:
> From: Damian Krzeminski <[email protected]> > Subject: Re: [sipX-dev] SSLHandshakeException while connecting to Google > service > To: [email protected] > Date: Thursday, October 22, 2009, 12:55 AM > George Niculae wrote: > [...] > > >>> > >> Google cert is signed by a "real" CA. So basically > what's going on > >> here - google tells us "Hey, I am Google, you can > check with important > >> CA if you don't believe". And sipXconfig says "I > do not see your > >> important CA in my cert chain, I only trust bogus > CA that we generated > >> during install". > >> > >> One way of fixing this would be adding couple of > well known CAs to our > >> truststore. (Specifically adding the one > that google is using.) > >> Aparently it's already in default java trust store > since everything > >> works if you run your code outside of sipXconfig > (to test my theory > >> you can just remove truststore param - sipXconfig > will use default, > >> replication will fail but you'll be able to import > addresses) > > > > Scott, Damian, thanks for the hints! > > > > It worked as Damian suggested - I removed the > truststore param and > > successfully imported the gmail contacts fine. > However, I am wondering > > how this will work in the real life (as suggested, > adding google CA to > > our trustore would be an option). Should I file an > issue for this and > > set it as a dependency to the one I am working on? > > > > Yes. Let's add a separate issue on it. Done - http://track.sipfoundry.org/browse/XX-6850 > I would think that the proper thing > to do is to add the default truststore content to the > truststore used by > sipXconfig (and other java application). Alternatively we > can just > distribute several well known CA certs and manage this > independently of JVM > defaults. Opinions? +1 for adding default truststore content to the sipxconfig one - why not have it directly if it comes with java... George _______________________________________________ sipx-dev mailing list [email protected] List Archive: http://list.sipfoundry.org/archive/sipx-dev Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev sipXecs IP PBX -- http://www.sipfoundry.org/
