Hi,
Oleksiy Stashok wrote:
> Hi,
>> Hubert Iwaniuk wrote:
>>> Hi Bruno,
>>> Issue describing changes in SSLConfig:
>>> https://grizzly.dev.java..net/issues/show_bug.cgi?id=494
>>> <https://grizzly.dev.java.net/issues/show_bug.cgi?id=494>
>>> Basically aim was to provide defaults and remove need for providing
>>> keystore and truststore if only key store was needed.
>>> Changes made to SSLConfig kept it backward compatible on interface
>>> level and relaxed restrictions put on users but allowing to configure
>>> kestore without configuring truststore.
>>
>> This makes sense. I'm not sure about the current default values,
>> though. I think it might make more sense to follow the default values
>> in
>> <http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization>.
> We're using those values as default for SSLConfig.
> http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html
>
> But not sure, that all of them are used though. If you have any
> suggestion for improvement - let us know :)
I'm not sure if you've seen the patch I attached to
<
https://grizzly.dev.java.net/issues/show_bug.cgi?id=494> yesterday, but
the default values that were used in the version I've changed weren't
the values of the JSSR ref. guide (there was an explicit name for the
trust store instead, for example).
As far as I can tell, the default values for JSSE in 1.4.2, 1.5.0 and
1.6 are the same, except the trust manager factory algorithm, which is
SunX509 in 1.4 and PKIX in 1.5 and 1.6. It's a problem that should be
solved in the patch, using Key/TrustManagerFactory.getDefaultAlgorithm().
I've also changed "JKS" into KeyStore.getDefaultType().
The only hard-coded default value left is "TLS", for the type of
SSLContext. I can't find any reference to a default value. This is a
reasonable default anyway and users can still set "SSLv3" (for example)
in the setter if they wish.
>> The other point I'm not sure about is the "public(Properties)" method.
>> In jSSLutils's KeyStoreLoader, I've specifically removed all the
>> getters and prevented cloning the instance so as to prevent extraction
>> of potentially sensitive information (I'm not sure which code would
>> get hold of such an instance). Exporting information such as the
>> keystore password might not be suitable (depending on how much the
>> code that may get hold of the instance can be trusted). Is it used by
>> anything in particular?
> I think public() is not being used currently.
(Sorry, this was a typo, I meant publish(Properties), but I think that's
what you understood.)
Best wishes,
Bruno.