[josm-dev] HTTPS changes on osm.org

Paul Hartmann phaaurlt at gmail.com
Mon Feb 23 01:43:26 UTC 2015


On 23.02.2015 01:51, Vincent Privat wrote:
> I'd prefer not, regarding what happened the last time I played with this
> feature:
> http://josm.openstreetmap.de/ticket/10033
> http://josm.openstreetmap.de/ticket/10230
>
> Besides, it only works for Windows.

It's different in this case, as we don't need to make a web browser like 
Firefox accept a certain certificate. The problem is Java-only, so it 
should be more or less platform independent.

To add a certificate to Java you would normally use the keytool program 
to modify the file $JAVA_HOME/lib/security/cacerts.
This requires root privileges, so it is out of the question for JOSM.

Alternatively one could hook into the SSL verification process by 
setting a custom implementation of the TrustManager class [1]. This 
class would have special handling code for a certain certificate and 
otherwise pass the verification to the standard handler.

This is a hack and circumvents the normal Java mechanisms. You have to 
be very careful not to introduce bugs and security problems.

I think it is not really worth it and we should switch to plain http for 
openstreetmap.org domains, if the StartSSL certificate isn't replaced.

[1] 
<http://stackoverflow.com/questions/1650596/how-do-i-import-a-new-java-ca-cert-without-using-the-keytool-command-line-utilit>

Paul


