Backport fix for PR1161 to icedtea-web 1.3
adomurad at redhat.com
Thu Oct 11 06:39:44 PDT 2012
On 10/10/2012 05:18 PM, Deepak Bhole wrote:
> I would like to backport the fix for PR1161 to icedtea-web 1.3 in order
> to do a new release. The issue affects icedtea-web running on Java 7:
> I am attaching the final approved version that went into head. It
> applies to 1.3 with some fuzz. OK for 1.3?
> PR1161: X509VariableTrustManager does not work correctly with OpenJDK7
> * Makefile.am: If building with JDK 6, don't build
> * NEWS: Updated.
> * acinclude.m4: In addition to setting VERSION_DEFS, also set HAVE_JAVA7
> if building with JDK7.
> * netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java (initialize): Use new
> getSSLSocketTrustManager() method to get the trust manager.
> (getSSLSocketTrustManager): New method. Depending on runtime JRE version,
> returns the appropriate trust manager.
> * netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java: Removed
> unused tm variable.
> * netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java: No
> longer extends com.sun.net.ssl.internal.ssl.X509ExtendedTrustManager.
> (checkClientTrusted): Renamed to checkTrustClient and removed overloaded
> (checkServerTrusted): Renamed to checkTrustServer. Also, modified to
> accept socket and engine (may be null). Assume that CN is mismatched by
> default, rather than matched. If explicitly trusted, bypass other checks,
> including CN mismatch.
> (checkAllManagers): Modified to accept socket and engine. Modified to work
> for both JDK6 and JDK7.
> (getAcceptedIssuers): Make protected (called by others in package).
> * netx/net/sourceforge/jnlp/security/VariableX509TrustManagerJDK6.java:
> New class -- X509TrustManager for JDK6.
> * netx/net/sourceforge/jnlp/security/VariableX509TrustManagerJDK7.java:
> New class -- X509TrustManager for JDK7.
Haven't looked into it in detail but I don't see any reason it shouldn't
go in. We'll catch anything in testing regardless.
OK for 1.3 from me.
More information about the distro-pkg-dev