[RFC] netx/plugin: do not prompt user multiple times for the same Certificate
Omair Majid
omajid at redhat.com
Mon Oct 18 11:56:27 PDT 2010
On 10/18/2010 02:49 PM, Deepak Bhole wrote:
> * Omair Majid<omajid at redhat.com> [2010-10-18 14:34]:
>> On 10/18/2010 01:49 PM, Deepak Bhole wrote:
>>> * Dr Andrew John Hughes<ahughes at redhat.com> [2010-10-18 13:35]:
>>>> On 12:53 Mon 18 Oct , Omair Majid wrote:
>>>>> On 10/14/2010 05:03 PM, Deepak Bhole wrote:
>>>>>> * Omair Majid<omajid at redhat.com> [2010-10-14 16:37]:
>>>>>>> Hi,
>>>>>>>
>>>>>>> In the current implementation of the plugin, when the user rejects a
>>>>>>> https certificate, the next time the https connection is attempted,
>>>>>>> another certificate warning is shown.
>>>>>>>
>>>>>>> The attached patch makes it so that if the user does not accept a
>>>>>>> certificate, he is not prompted again for accepting it. The patch
>>>>>>> keeps a list of certificates that the user has not accepted and
>>>>>>> skips the user prompt if it is for one of those certificates.
>>>>>>>
>>>>>>> Any comments or suggestions?
>>>>>>>
>>>>>>
>>>>>>
>>>>>> Looks fine to me. Okay for commit to all active branches.
>>>>>>
>>>>>
>>>>> Thanks. Pushed to IcedTea6 HEAD, 1.9, 1.8 and 1.7.
>>>>>
>>>>> Cheers,
>>>>> Omair
>>>>>
>>>>
>>>> Can the user remove the certificate from the list, should they wish to accept it at some point in the future?
>>>> Same vice versa I guess (stop accepting a previously accepted certificate).
>>>
>>>
>>> The untrusted list is temporary and gets destroyed when the vm shuts
>>> down.
>>>
>>
>> I was wondering whether it would make more sense to keep a list of
>> trusted/untrusted certificates per applet/application instead of per
>> VM.
>>
>
> It should be per VM. Otherwise if this were being used within a company
> environment that had their own root cert for example, users would have
> to accept the certs for each applet/http server which would be quite
> tedious.
>
>>> As for removing certs previously trusted -- that list can be manipulated
>>> with keytool. The keystore is .netx/security/trusted.certs
>>>
>>
>> Another way of manipulating the keystore is by using "javaws -viewer"
>>
>
> Nice! I didn't know NetX supported viewer.
Unfortunately, it is not quite the same thing as Java Web Start's javaws
-viewer. NetX's javaws -viewer is more along the lines of the certificate
viewer in the Java Control Panel.
>
> Deepak
>
>>> Cheers,
>>> Deepak
>>>
>>>> --
>>>> Andrew :)
>>>>
>>>> Free Java Software Engineer
>>>> Red Hat, Inc. (http://www.redhat.com)
>>>>
>>>> Support Free Java!
>>>> Contribute to GNU Classpath and the OpenJDK
>>>> http://www.gnu.org/software/classpath
>>>> http://openjdk.java.net
>>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
>>>> Fingerprint = F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8
>>
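
The behaviour described in the first message of this thread (remember a declined certificate for the life of the VM and skip the prompt when it is presented again), as an added Java example; it is not the IcedTea patch or code from this thread. The class name `RejectedCertCache`, the `prompt` callback and the choice to key on a SHA-256 fingerprint are assumptions.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Predicate;

/** Hypothetical helper: per-VM memory of certificates the user declined. */
public final class RejectedCertCache {
    // Static and in-memory only: one list per VM, gone when the VM exits.
    private static final Set<String> REJECTED = new HashSet<>();

    private RejectedCertCache() {}

    // Key on a hash of the full DER encoding, so a different certificate
    // that reuses the same subject name is not covered by an old decision.
    static String fingerprint(X509Certificate cert)
            throws CertificateEncodingException {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                                    .digest(cert.getEncoded());
            StringBuilder hex = new StringBuilder(d.length * 2);
            for (byte b : d) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is mandatory for every Java SE implementation.
            throw new IllegalStateException(e);
        }
    }

    // Returns true only if the user accepts the certificate now.
    // synchronized: a second connection waits for the first decision, so a
    // certificate that is being declined cannot raise two dialogs at once.
    public static synchronized boolean userAccepts(
            X509Certificate cert, Predicate<X509Certificate> prompt)
            throws CertificateEncodingException {
        String key = fingerprint(cert);
        if (REJECTED.contains(key)) {
            return false; // declined earlier in this VM: fail closed, no dialog
        }
        boolean accepted = prompt.test(cert); // hypothetical UI callback
        if (!accepted) {
            REJECTED.add(key);
        }
        return accepted;
    }
}
```

Accepted certificates are deliberately not cached here; as the thread notes, those live in the persistent keystore, while the rejected list is temporary.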