Re: [equinox-dev] update site tests pass AND linux + .keyring file quest

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [equinox-dev] update site tests pass AND linux + .keyring file question

From: "Matt Flaherty" <mwflaher@xxxxxxxxxx>
Date: Thu, 8 May 2008 16:31:07 -0400
Delivered-to: equinox-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/equinox-dev>
List-help: <mailto:equinox-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/equinox-dev>, <mailto:equinox-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/equinox-dev>, <mailto:equinox-dev-request@eclipse.org?subject=unsubscribe>

Yes, hopefully OpenJDK will behave in the same way as the other popular JREs - /lib/security/cacerts. In effect, the location of cacerts is a defacto API. It would be nice if there was API to get/set the system code signature verification certs as a KeyStore object (or at least the path and type as properties), but I've not seen anything like that in any JRE.

Also worth noting is that the implementation of the system certificate store used for SSL can be replaced using the TrustManagerFactorySpi, and the behaviour of the default JSSE provider can be modified by:

javax.net.ssl.trustStore=<path to certs keystore>
javax.net.ssl.trustStoreType=<type of keystore>
javax.net.ssl.trustStorePassword=<password>

-matt

From:	John Arthorne <John_Arthorne@xxxxxxxxxx>
To:	Equinox development mailing list <equinox-dev@xxxxxxxxxxx>
Date:	05/08/2008 09:48 AM
Subject:	Re: [equinox-dev] update site tests pass AND linux + .keyring file question

I think you may be referring to the certificate store problem when using OpenJDK. The capsule summary is that Equinox Security is looking in a particular location for the JRE's "cacerts" file that lists the known trusted certificate roots. OpenJDK was storing this cacerts file in a different place, so Equinox Security did not find it, and thus all certificates appeared to be untrusted. I believe the OpenJDK is fixing this on their side, so that Equinox Security will correctly find the cacerts file. I can't recall if the solution involved just moving the file to a different location, or setting some system property to allow the file to be found. Does this sound like the issue you are referring to?

John

Jed Anderson <jed.anderson@xxxxxxxxxxxx>
Sent by: equinox-dev-bounces@xxxxxxxxxxx

05/07/2008 09:07 PM

Please respond to
Equinox development mailing list <equinox-dev@xxxxxxxxxxx>

To	equinox-dev@xxxxxxxxxxx
cc
Subject	[equinox-dev] update site tests pass AND linux + .keyring file question

Hi all, As promised during the p2 dev call, we've run our update site tests and are happy to announce that everything passed! During the p2 dev call there was talk of linux + .keyring failures and a recent solution. Can anybody jump in an fill in the details for us? Thanks, jkca _______________________________________________ equinox-dev mailing list equinox-dev@xxxxxxxxxxxhttps://dev.eclipse.org/mailman/listinfo/equinox-dev
_______________________________________________ equinox-dev mailing list equinox-dev@xxxxxxxxxxxhttps://dev.eclipse.org/mailman/listinfo/equinox-dev

Follow-Ups:
- Re: [equinox-dev] update site tests pass AND linux + .keyring file question
  - From: Jim Colson

References:
- [equinox-dev] update site tests pass AND linux + .keyring file question
  - From: Jed Anderson
- Re: [equinox-dev] update site tests pass AND linux + .keyring file question
  - From: John Arthorne

Prev by Date: Re: [equinox-dev] [prov] Eclipse 3.3 extension locations
Next by Date: Re: [equinox-dev] update site tests pass AND linux + .keyring file question
Previous by thread: Re: [equinox-dev] update site tests pass AND linux + .keyring file question
Next by thread: Re: [equinox-dev] update site tests pass AND linux + .keyring file question
Index(es):
- Date
- Thread

Breadcrumbs