On Wed, 2009-11-18 at 00:16 +0200, Mircea Mihai Carasel wrote: > > > > My point is that the default CAs can also change at any time, > and > through means other than our own updates. > > Indeed, the openssl distribution has decided to remove the > bundle of > defaults they currently distribute, so some update soon > they'll all > disappear... > You are absolutely right - Now I think I understand :). > Maybe the safe thing to do here is to simply add a page > in sipXconfig where the admin can choose a CA file and import from > there. In this way there is 100% control of what content is in > sipXconfig's authortities.jks > With regard to google needed authority - when this is not found a > simply error message will be displayed - that will indicate the admin > to first import needed CA > > What do you think ?
That's a pretty good approach. On the back end of that, the imported certificate will have to be checked for internal validity (parses correctly, dates are current, is correctly self-signed). It will also need to add the certificate in PEM format to the $SIPX_CONFDIR/ssl/authorities directory and then sync the contents of that directory into the java truststore. Big bonus points if someone figures out how to get java applications to just use the same PEM-format files that openssl uses so that we can chuck the entire keystore/truststore business. _______________________________________________ sipx-dev mailing list [email protected] List Archive: http://list.sipfoundry.org/archive/sipx-dev Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev sipXecs IP PBX -- http://www.sipfoundry.org/
