Qpid
  1. Qpid
  2. QPID-3739

Java properties qpid.ssl.keyStoreCertType and qpid.ssl.trustStoreCertType have misleading names and would be better called qpid.ssl.[Key|Trust]ManagerFactory.algorithm

    Details

      Description

      The Java client supports two system properties, qpid.ssl.trustStoreCertType and qpid.ssl.keyStoreCertType that the Programming-In-Apache-Qpid docbook describe as "the certificate type". These properties are defaulted to SunX509 in ConnectionSettings.java and SSLContextFactory.java.

      Similarly, the Java broker supports a configuration item connector/ssl/certType which is again defaulted to SunX509 in ServerConfiguration.

      On all code paths, these values are passed down to {{javax.net.ssl.KeyManagerFactory
      #getInstance()}} and javax.net.ssl.TrustManagerFactory#getInstance()

      The confusion is that KeyManagerFactory#getInstance()/TrustManagerFactory#getInstance() do not accept a certificate type at all. It accepts a key/trust manager factory algorithm name.

      It would be better if the existing property names were deprecated and a more accurate name used, such as
      qpid.ssl.KeyManagerFactory.algorithm/qpid.ssl.TrustManagerFactory.algorithm. We would continue to support the existing properties, with a warning for a time period.

      I also notice that other projects tend to default the algorithm to Security.getProperty("ssl.KeyManagerFactory.algorithm" and only fallback to SunX509 if that is null. This plays better with non Sun JDKs such as IBMs. See: http://jira.codehaus.org/browse/JETTY-70

        Activity

        No work has yet been logged on this issue.

          People

          • Assignee:
            Keith Wall
            Reporter:
            Keith Wall
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development