Re: [sipX-dev] SSLHandshakeException while connecting to Google service

Thu, 29 Oct 2009 08:45:28 -0700 

>
> Solution proposed to: XX-6850 - known CAs needed in sipxconfig truststore
>
> I am thinking to create a Java Main class that will receive as parameter
> the location of a keystore file.
> When run, all certificates from given keystore will be added to sipXecs's
> keystore file (authorities.jks)
>
> java.security.KeyStore offers support for load/store certificates.
> Also KeyStore.aliases() returns all available aliases found in the given
> keystore file.
>
> If no keystore file will be sent as parameter, the java program will copy
> all certificates found in the default jdk certificates file (jssecacerts or
> cacerts) in the sipXecs's authorities.jks.
>
> This program will be executed by sipxconfig.sh just before authorities.jks
> loading.
> Also, it can be used if we will implement, at some point the UI interface
> that will be used by the end user to copy certificates from a given
> certificates file (proposed by Scott).
>
> On another thought about that - I think that there is absolutely no problem
to let sipXconfig handle default truststore adding to sipXconfig truststore.
When sipxconfig.sh starts sipXconfig doing:

exec $JavaCmd \
            $SystemProps \
            $JavaOpts \
            $TrustStoreOpts \
            -classpath "$Classpath" \
            org.mortbay.jetty.Server @sipxpbx.conf.dir@/sipxconfig-jetty.xml

It only puts TrustStore variables into JVM System properties and starts
Jetty.

System properties variables for TrustStore are:

-Djavax.net.ssl.trustStore=$TrustStore \
-Djavax.net.ssl.trustStoreType=JKS \
-Djavax.net.ssl.trustStorePassword=changeit"

The sipXconfig truststore is actually loaded only when needed and not by
Jetty start-up (org.mortbay.jetty.Server execution)

So I think that we can create a dedicated Spring bean that will provide
functionality to add certificates to a truststore. We can make an
initialization task in sipXconfig that will copy  default truststore into
ours.

Any feedback is really appreciated.
> Thanks,
> Mircea
>
>
>> D.
>>
>>
>> _______________________________________________
>> sipx-dev mailing list [email protected]
>> List Archive: http://list.sipfoundry.org/archive/sipx-dev
>> Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
>> sipXecs IP PBX -- http://www.sipfoundry.org/
>>
>
>

_______________________________________________
sipx-dev mailing list [email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
sipXecs IP PBX -- http://www.sipfoundry.org/

Reply via email to