On Thu, 2009-12-17 at 16:03 -0500, Paul Mossman wrote:
> Hi all,
>
> Just to confirm, the patch attached to
> http://track.sipfoundry.org/browse/XX-6850 is no longer required right?

That patch appears to do several things... some of them would still be useful.

> My understanding is that CAs added under System -> Certificates are now
> automatically put into the Java truststore (upon sipXecs reboot.)
> Therefore, we no longer plan to have a "SSL Truststore" menu item.

The new scheme is that CA certificates are installed by validating them and then copying them into the authorities directory. When the sipXecs service is started, all authorities in that directory are incorporated into the truststore used by Java applications (the C++ applications use the contents of the directory directly).

Whether or not sipXconfig should be able to restart the entire sipXecs service, which is part of that patch, is an interesting question. It's a big hammer, but one that we need to get the Java applications to notice newly installed certificates (its own or those of CAs).

> The outstanding work item for getting the import working is to have the
> Google CA installed by default?

We have a packaging decision to make with regard to what CA certificates (if any) we will include, and if we include any, whether they will be part of one of the sipXecs rpms or distributed in some other way.

I have read in the OpenSSL project release notes (of versions we are not yet using) that they have decided not to continue including a default bundle of CA certificates in their distributions. The rationale is that installing a CA certificate is declaring a trust relationship, and that that decision is not the proper business of an open source project. I am personally sympathetic with that view, but it does create another potential inconvenience...
