Wolfgang,
Setting the 'trustStore' on the command line got it to work here too.
What my patch does is set the 'keystoreFile' (as set in the
server.xml) as the trustStore.
We might want to consider adding two new config attributes
'truststoreFile' and 'truststorePasswd' and making the integration into
the SSLServerSocketFactory.
Setting the password on the command line is not a good solution
security-wise.
Stefan
Wolfgang Hoschek wrote:
>
> Starting TC 4.0 with
>
> CATALINA_OPTS="$CATALINA_OPTS
> -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/spitfire-cacerts.jks
> -Djavax.net.ssl.trustStorePassword=changeit"
>
> and using non-{Verisign,Thawte} cacerts, I am not seeing your problem with
> the standard SSLServerSocketFactory. Why does your patch fix the problem?
>
> Wolfgang.
>
> >Hey,
> >
> >here are the changes to get the HTTPS connector doing 'clientAuth' with
> >CA certs other than the ones from Verisign and Thawte. I tested it with
> >Netscape 4.77 as client and with certificates created by my own CA.
> >
> >Please consider integrating this into the Tomcat 4 source code.
> >
> >Thanks
> >
> >Stefan
> >
> >
> >--- SSLServerSocketFactory.java.orig Wed Oct 17 13:25:14 2001
> >+++ SSLServerSocketFactory.java Wed Oct 17 13:28:05 2001
> >@@ -139,7 +139,7 @@
> > /**
> > * The trust manager factory used with JSSE 1.0.1.
> > */
> >- // TrustManagerFactory trustManagerFactory = null;
> >+ TrustManagerFactory trustManagerFactory = null;
> >
> >
> > // -------------------------------------------------------------
> >Properties
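Review bot: the Javadoc above the field still reads "The trust manager factory used with JSSE 1.0.1" even though the field is now live rather than commented out; update it to say what the factory is built from (the connector's keystore) and that its trust managers are passed to the SSLContext. The hunk also does not show an import for javax.net.ssl.TrustManagerFactory; confirm one exists or that the class resolves through an existing import, otherwise uncommenting this declaration will not compile.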
> >@@ -474,13 +474,12 @@
> > keyManagerFactory.init(keyStore, keystorePass.toCharArray());
> >
> > // Create the trust manager factory used for checking
> >certificates
> >- /*
> >- trustManagerFactory =
> >TrustManagerFactory.getInstance(algorithm);
> >- trustManagerFactory.init(keyStore);
> >- */
> >+ trustManagerFactory =
> >TrustManagerFactory.getInstance(algorithm);
> >+ trustManagerFactory.init(keyStore);
> >
> > // Initialize the context with the key managers
> >- context.init(keyManagerFactory.getKeyManagers(), null,
> >+ context.init(keyManagerFactory.getKeyManagers(),
> >+ trustManagerFactory.getTrustManagers(),
> > new java.security.SecureRandom());
> >
> > // Create the proxy and return
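Review bot: trustManagerFactory.init(keyStore) unconditionally replaces the null trust-manager argument in context.init, and null is what makes JSSE fall back to its default trust store (-Djavax.net.ssl.trustStore or the JRE cacerts), which is exactly the setup Wolfgang reports as working; after this change that system property is ignored and only certificates held in the connector's keystoreFile are accepted as client-certificate issuers. Two consequences worth addressing before merging: every certificate entry in the server keystore becomes a trust anchor, so the file holding the server's private key also defines the CA list, and deployments that relied on the system property will silently start rejecting their clients. Suggest keeping null when no dedicated trust store is configured and otherwise initialising the factory from a separate store, e.g. `trustManagerFactory.init(trustStore);` where trustStore is loaded from the proposed truststoreFile/truststorePasswd attributes rather than reusing keyStore.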
> >
> >
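As an added example (not Tomcat's SSLServerSocketFactory code and not part of any message above), the following Java builds a server SSLContext the way the reply suggests: the server key store supplies the key managers, a separate trust store, if configured, supplies the trust managers, and when none is configured the trust-manager argument stays null so JSSE falls back to its default trust store (-Djavax.net.ssl.trustStore or the JRE cacerts). The attribute names truststoreFile/truststorePasswd, the class name, the file paths and the passwords are assumptions for illustration, and the code is written against the current JSSE API rather than JSSE 1.0.1.

```java
// Added example, not Tomcat code: server-side SSLContext with a separate trust
// store for client-certificate authentication. The truststoreFile/truststorePasswd
// names follow the suggestion in the thread; they are not existing Tomcat attributes.
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public class ClientAuthContext {

    /** Load a JKS store from disk; a trust store that holds only certificates may use a null password. */
    static KeyStore loadKeyStore(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * keystoreFile/keystorePass: the server's own private key and certificate chain.
     * truststoreFile/truststorePass: the CA certificates a client certificate must chain to.
     * When truststoreFile is null the trust managers stay null, so SSLContext.init uses the
     * JSSE defaults (-Djavax.net.ssl.trustStore, else the JRE cacerts).
     */
    static SSLContext buildServerContext(String keystoreFile, char[] keystorePass,
                                         String truststoreFile, char[] truststorePass)
            throws IOException, GeneralSecurityException {
        KeyStore keyStore = loadKeyStore(keystoreFile, keystorePass);
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keystorePass);

        TrustManager[] trustManagers = null; // null -> JSSE default trust store
        if (truststoreFile != null) {
            // Keep the trust anchors in their own file: initialising the factory from the
            // server key store would turn every certificate in it into a trusted issuer.
            KeyStore trustStore = loadKeyStore(truststoreFile, truststorePass);
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trustStore);
            trustManagers = tmf.getTrustManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), trustManagers, new java.security.SecureRandom());
        return ctx;
    }

    /** Listening socket that requires a client certificate ('clientAuth' in server.xml terms). */
    static SSLServerSocket listen(SSLContext ctx, int port) throws IOException {
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(port);
        // The handshake fails unless the client presents a certificate that chains to the trust store.
        socket.setNeedClientAuth(true);
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Paths and passwords are placeholders chosen for this example.
        SSLContext ctx = buildServerContext(
                "conf/server.jks", "changeit".toCharArray(),
                "conf/ca-truststore.jks", "changeit".toCharArray());
        SSLServerSocket server = listen(ctx, 8443);
        System.out.println("Listening on " + server.getLocalPort() + " with client auth required");
    }
}
```

Passing null for truststoreFile reproduces the behaviour of the unpatched connector (and of the -Djavax.net.ssl.trustStore setup described above), while supplying a file gives the connector its own CA list without a password on the command line and without reusing the key store that holds the server's private key.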