[jitsi-dev] TLS config: Root CA source on Windows


#1

Hey

It's a long time now since we have the option to use Windows' CA store as
the trust anchor for our TLS validation (instead of Java's truststore-file).
I'd propose to promote this option as default, because:
- The Windows store is regularly updated
- It works reliably ever since it's there (at least from my experience)
- Since we deploy Jitsi now with Java 7, the option is also available in the
x64 build

Any objections to that?

Regards,
Ingo


#2

Hi,

what about portability?
Ok, it's very comfortable in Windows. But what is with Linux, Mac?
I am using Ubuntu 12.04, for example. I would rather stick to
the Java store for portability reasons.

Best regards,
Matt

On 05.12.2012 15:51, Ingo Bauersachs wrote:

> Hey
>
> It's a long time now since we have the option to use Windows' CA store as
> the trust anchor for our TLS validation (instead of Java's truststore-file).
> I'd propose to promote this option as default, because:
> - The Windows store is regularly updated
> - It works reliably ever since it's there (at least from my experience)
> - Since we deploy Jitsi now with Java 7, the option is also available in the
> x64 build
>
> Any objections to that?
>
> Regards,
> Ingo


#3

> what about portability?
> Ok, it's very comfortable in Windows. But what is with Linux, Mac?
> I am using Ubuntu 12.04, for example. I would rather stick to
> the Java store for portability reasons.

That applies obviously only to the Windows builds. The other systems stay as
they are (and don't suffer from the same problem, as the Java truststore is,
at least on Ubuntu, a system package that is regularly updated).

> Best regards,
> Matt

Ingo


#4

Hi Ingo,

for Windows Builds it definitely makes sense to have it as default!
I vote for it.

Security guys only argue about the mass of certificates pre-installed
with unknown security state. But this can be circumvented by
choosing the Java store and reducing the certs only to the ones needed.

Best regards,
Matt

On 05.12.2012 16:04, Ingo Bauersachs wrote:

>> what about portability?
>> Ok, it's very comfortable in Windows. But what is with Linux, Mac?
>> I am using Ubuntu 12.04, for example. I would rather stick to
>> the Java store for portability reasons.
>
> That applies obviously only to the Windows builds. The other systems stay as
> they are (and don't suffer from the same problem, as the Java truststore is,
> at least on Ubuntu, a system package that is regularly updated).
>
>> Best regards,
>> Matt
>
> Ingo


#5

I am fine with changing this on the win builds.

Cheers,
Emil

On 05.12.12, 16:12, Buddy Butterfly wrote:

> Hi Ingo,
>
> for Windows Builds it definitely makes sense to have it as default!
> I vote for it.
>
> Security guys only argue about the mass of certificates pre-installed
> with unknown security state. But this can be circumvented by
> choosing the Java store and reducing the certs only to the ones needed.
>
> Best regards,
> Matt
>
> On 05.12.2012 16:04, Ingo Bauersachs wrote:
>
>>> what about portability?
>>> Ok, it's very comfortable in Windows. But what is with Linux, Mac?
>>> I am using Ubuntu 12.04, for example. I would rather stick to
>>> the Java store for portability reasons.
>>
>> That applies obviously only to the Windows builds. The other systems stay as
>> they are (and don't suffer from the same problem, as the Java truststore is,
>> at least on Ubuntu, a system package that is regularly updated).
>>
>>> Best regards,
>>> Matt
>>
>> Ingo

--
https://jitsi.org
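
The choice discussed in this thread, as an added example that is not part of the original messages and not Jitsi's own code: on Windows it loads the `Windows-ROOT` keystore exposed by Java's SunMSCAPI provider, elsewhere it falls back to the JRE's default truststore, and it reports how many root certificates end up trusted. The class and method names are assumptions made for illustration.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added illustration; class and method names are hypothetical, not Jitsi's. */
public class TrustAnchorSource {

    /** Returns the Windows root store on Windows, or null for the JRE default. */
    static KeyStore selectTrustStore() throws Exception {
        String os = System.getProperty("os.name", "");
        if (!os.startsWith("Windows")) {
            // A null KeyStore makes TrustManagerFactory use the JRE's default truststore.
            return null;
        }
        // "Windows-ROOT" is provided by SunMSCAPI and is backed by the OS store.
        KeyStore ks = KeyStore.getInstance("Windows-ROOT");
        ks.load(null, null); // no file and no password to supply
        return ks;
    }

    /** Builds the X.509 trust manager that validates chains against the given store. */
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = selectTrustStore();
        X509TrustManager tm = trustManagerFor(ks);
        X509Certificate[] anchors = tm.getAcceptedIssuers();
        System.out.println("Trust source: "
                + (ks == null ? "Java default truststore" : "Windows-ROOT"));
        System.out.println("Trusted root certificates: " + anchors.length);

        // TLS sockets created from this context validate against the chosen anchors.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
    }
}
```

The printed count makes the size of the trust anchor set visible, which is the concern raised in post #4 about the number of pre-installed certificates.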