dev@glassfish.java.net

Re: Firefox 3, self-signed certificates and GlassFish v3 Prelude ...

From: Lloyd Chambers <Lloyd.Chambers_at_Sun.COM>
Date: Mon, 25 Aug 2008 10:13:44 -0700

Browsers ship with trusted CAs' certificates.

If cacert.org is not in the browser list, then it's "unknown".

..............................................
Lloyd Chambers
lloyd.chambers_at_sun.com
GlassFish team, admin




On Aug 23, 2008, at 9:57 PM, Kedar Mhaswade wrote:

> To add to this, a certificate signed by http://cacert.org is also
> treated as a certificate signed by "unknown" issuer!
>
> I thought cacert.org was a reliable issuing authority.
>
> - Kedar
>
> Kedar Mhaswade wrote:
>> It is difficult to take sides in the debate over how Ff3 handles
>> the self-signed certificates.
>> See: http://royal.pingdom.com/?p=339
>> The bottom line is the default certificate (aliased "s1as") that
>> GlassFish v3 Prelude server sends to browser (upon being contacted
>> on a secure http port) looks "ugly" in Firefox 3 and IE-7. The
>> inexperienced users are going to be confused because of that. And
>> there's nothing we can do about it.
>> I am in the process of checking in a new self-signed certificate that
>> removes something like "lauterbie.sfbay.sun.com" from its DN and cleans
>> it up. Is there anything I can do to improve the situation?
>> Note -- it's not really about security. Knowledgeable admins will
>> take care of installing correct certificate. It's the question of
>> usability especially with developers that I want to know your
>> opinions about.
>> Thanks,
>> Kedar
>> PS - There is yet another issue in that all default domains installed
>> by all the users who install GF v3 Prelude (e.g. web.zip) will have
>> exactly the same default server certificate, because of the way it is
>> currently set up. I hope it is not a security breach for a developer
>> product. Frankly, generating a certificate anew is not user friendly.
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe_at_glassfish.dev.java.net
>> For additional commands, e-mail: dev-help_at_glassfish.dev.java.net