Trustmanager Changelog

Trustmanager 3.0.5 vs 3.0.3

Patch:

https://savannah.cern.ch/task/?21011

Changes

• Bugs found by findbugs, one infinite loop, other very minor cosmetic changes.

Bugs fixed:

• Bug fix to handle properly the DESY DNs, to allow delegation to CREAM. https://savannah.cern.ch/bugs/?83426
• Cosmetic bug fix to put properly unlimited proxy path limit when delegating RFC3820 proxies. Previously INT_MAX was put. https://savannah.cern.ch/bugs/?81750

Configuration changes

None

Trustmanager 3.0.3 vs trustmanager/util-java 2.x

Patch:

https://savannah.cern.ch/task/?18704

Changes

• Move to emi structure (install into /usr/share/java, not into /opt/glite)
• restructuring into three jars: trustmanager.jar the main code, trustmanager-tomcat.jar and trustmanager-axis.jar for the tomcat and axis integration classes.

Bugs fixed:

• [Trustmanager] Trustmanager should not bind its clients to use the log4j logging library. https://savannah.cern.ch/bugs/?46473
• Util-java CRL checker failure messages lost. https://savannah.cern.ch/bugs/?74278
• Util-java is too strict by requiring hostname in subjectAltName if the extension is present. https://savannah.cern.ch/bugs/?76249

Configuration changes

None

trustmanager 2.0.6, util-java 2.0.3

(current for glite 3.1 (rebuilt to add jdk build time dep) - no plans to update, old for glite 3.2)

Patch:

http://savannah.cern.ch/patch/?2950

Changes

Internal trustanchor handling rewritten, added support for namespaces, CAs with file ending other number than 0 and same for crls.

Bugs fixed:

• https://savannah.cern.ch/bugs/?10925 Misleading log message with clock skew
• https://savannah.cern.ch/bugs/?17046 Trustmanager does not notice CA changes
• https://savannah.cern.ch/bugs/?18372 trustmanager only checks *.0 and *.r0 CAs and CRLs
• https://savannah.cern.ch/bugs/?20602 There is a possible vulnerability issue with the Java Trustmanager (signing policy files)
• https://savannah.cern.ch/bugs/?15363 VOMS Admin: the system might not consider the CA Signing policy files
• https://savannah.cern.ch/bugs/?35139 Trustmanager default for crl updater should be disabled
• https://savannah.cern.ch/bugs/?43663 Trustmanager connection fails against globus socket sometimes
• https://savannah.cern.ch/bugs/?46473 [Trustmanager] Trustmanager should not bind its clients to use the log4j logging library
• https://savannah.cern.ch/bugs/?52292 Namespace restrictions not working

Configuration changes

In tomcat server.xml:

add lines:

• trustStoreDir="@TRUSTDIR@"
• crlUpdateInterval="2h"

trustStoreDir should point to the /etc/grid-security/certificates or to the location that contains the CA certs, namespaces and CRLs. crlUpdateInterval defines how often the trustStoreDir is polled for changes in the files. Before default was 2h, now it is by default disabled, so it has to be explicitly enabled by defining it.

lines to remove:

• sslCAFiles="@CAFILES@"
• crlFiles="@CRLFILES@"

As configuration of these is handled by trustStoreDir now.

Without these changes the system works, but just like before, so without CA changes being noticed and with the vulnerability as in bug #20602.

Also on the clients the configuration should change to get the namespace checking to be enabled. Without removing the sslCAFiles and crlFiles and instead using trustStoreDir the namespaces are not checked and the old code is used. Release notes: This is a bug fixing and required code fix. The bugs fixed are listed below and there is additional code added that is needed to use the trustmanager in jetty WS container and when using slf4j.