changeset 2698:11a6b082cd1e
Remove TLS utilities we no longer use.
Reviewed-by: ebaron
Review-thread: http://icedtea.classpath.org/pipermail/thermostat/2017-June/023746.html
--- a/common/core/src/main/java/com/redhat/thermostat/common/internal/JSSEKeyManager.java Wed Jun 21 14:02:39 2017 -0400
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,109 +0,0 @@
-/*
- * Copyright 2012-2017 Red Hat, Inc.
- *
- * This file is part of Thermostat.
- *
- * Thermostat is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2, or (at your
- * option) any later version.
- *
- * Thermostat is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with Thermostat; see the file COPYING. If not see
- * <http://www.gnu.org/licenses/>.
- *
- * Linking this code with other modules is making a combined work
- * based on this code. Thus, the terms and conditions of the GNU
- * General Public License cover the whole combination.
- *
- * As a special exception, the copyright holders of this code give
- * you permission to link this code with independent modules to
- * produce an executable, regardless of the license terms of these
- * independent modules, and to copy and distribute the resulting
- * executable under terms of your choice, provided that you also
- * meet, for each linked independent module, the terms and conditions
- * of the license of that module. An independent module is a module
- * which is not derived from or based on this code. If you modify
- * this code, you may extend this exception to your version of the
- * library, but you are not obligated to do so. If you do not wish
- * to do so, delete this exception statement from your version.
- */
-
-package com.redhat.thermostat.common.internal;
-
-import java.net.Socket;
-import java.security.Principal;
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.X509ExtendedKeyManager;
-import javax.net.ssl.X509KeyManager;
-
-import com.redhat.thermostat.common.utils.LoggingUtils;
-
-/**
- * KeyManager for selecting the thermostat key-pair and certificate chain.
- */
-public class JSSEKeyManager extends X509ExtendedKeyManager {
-
- private static final Logger logger = LoggingUtils.getLogger(JSSEKeyManager.class);
- static final String THERMOSTAT_KEY_ALIAS = "thermostat";
- private X509KeyManager delegate;
-
- public JSSEKeyManager(X509KeyManager keymanager) {
- this.delegate = keymanager;
- }
-
- @Override
- public String[] getClientAliases(String keyType, Principal[] issuers) {
- return delegate.getClientAliases(keyType, issuers);
- }
-
- @Override
- public String chooseClientAlias(String[] keyType, Principal[] issuers,
- Socket socket) {
- return delegate.chooseClientAlias(keyType, issuers, socket);
- }
-
- @Override
- public String[] getServerAliases(String keyType, Principal[] issuers) {
- return delegate.getServerAliases(keyType, issuers);
- }
-
- @Override
- public String chooseServerAlias(String keyType, Principal[] issuers,
- Socket socket) {
- logger.log(Level.FINE, "keyType: " + keyType);
- return THERMOSTAT_KEY_ALIAS;
- }
-
- @Override
- public X509Certificate[] getCertificateChain(String alias) {
- logger.log(Level.FINE, "get private key for: " + alias);
- return delegate.getCertificateChain(alias);
- }
-
- @Override
- public PrivateKey getPrivateKey(String alias) {
- logger.log(Level.FINE, "get private key for: " + alias);
- return delegate.getPrivateKey(alias);
- }
-
- @Override
- public String chooseEngineServerAlias(String keyType, Principal[] issuers,
- SSLEngine engine) {
- logger.log(Level.FINE, "choosing server engine alias");
- return THERMOSTAT_KEY_ALIAS;
- }
-
-
-}
-
--- a/common/core/src/main/java/com/redhat/thermostat/common/ssl/SSLContextFactory.java Wed Jun 21 14:02:39 2017 -0400
+++ b/common/core/src/main/java/com/redhat/thermostat/common/ssl/SSLContextFactory.java Mon Jun 19 12:15:22 2017 +0200
@@ -36,61 +36,29 @@
 package com.redhat.thermostat.common.ssl;
-import java.io.File;
-import java.security.GeneralSecurityException;
 import java.security.KeyManagementException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.SecureRandom;
-import java.security.UnrecoverableKeyException;
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509KeyManager;
-import com.redhat.thermostat.common.internal.JSSEKeyManager;
-import com.redhat.thermostat.common.internal.KeyStoreProvider;
+import com.redhat.thermostat.common.internal.DelegateSSLSocketFactory;
 import com.redhat.thermostat.common.internal.TrustManagerFactory;
-import com.redhat.thermostat.common.internal.DelegateSSLSocketFactory;
-import com.redhat.thermostat.common.utils.LoggingUtils;
-import com.redhat.thermostat.shared.config.InvalidConfigurationException;
 import com.redhat.thermostat.shared.config.SSLConfiguration;
 public class SSLContextFactory {
- private static final Logger logger = LoggingUtils.getLogger(SSLContextFactory.class);
 private static final String PROTOCOL_TLSv12 = "TLSv1.2";
 private static final String PROTOCOL_TLSv11 = "TLSv1.1";
 private static final String PROTOCOL_TLSv10 = "TLSv1";
 private static final String TLS_PROVIDER = "SunJSSE";
- private static final String ALGORITHM = "SunX509";
- private static SSLContext serverContext;
 private static SSLContext clientContext;
-
- /**
- *
- * @return An initialized SSLContext
- * @throws SslInitException
- * @throws InvalidConfigurationException
- */
- public static SSLContext getServerContext(SSLConfiguration sslConf) throws SslInitException,
- InvalidConfigurationException {
- if (serverContext != null) {
- return serverContext;
- }
- initServerContext(sslConf);
- return serverContext;
- }
 /**
 *
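Review bot: TLS 1.0 and 1.1 remain selectable after this cleanup: `PROTOCOL_TLSv11 = "TLSv1.1"` and `PROTOCOL_TLSv10 = "TLSv1"` survive as context lines next to `PROTOCOL_TLSv12`, and the next hunk's context shows getContextInstance() with a "Try the TLS 1.2 provider" comment, which suggests a fallback to the older protocol names. That is inferred, because the body of getContextInstance() lies outside both hunks. Since the commit is already pruning unused TLS code, consider dropping the two legacy constants together with their fallback branches, or at least documenting the intent with a comment such as `// Fallback only for JREs without TLSv1.2; legacy protocols must not be enabled on the resulting context.` The class body continues outside the hunk.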
@@ -141,65 +109,12 @@
 }
 clientContext = clientCtxt;
 }
-
- private static void initServerContext(SSLConfiguration sslConf) throws SslInitException,
- InvalidConfigurationException {
- SSLContext serverCtxt = null;
- File trustStoreFile = sslConf.getKeystoreFile();
- String keyStorePassword = sslConf.getKeyStorePassword();
- KeyStore ks = KeyStoreProvider.getKeyStore(trustStoreFile,
- keyStorePassword);
- if (ks == null) {
- // This is bad news. We need a proper key store for retrieving the
- // server certificate.
- logReason(trustStoreFile);
- throw new SslInitException(
- "Failed to initialize server side SSL context");
- }
- try {
- serverCtxt = getContextInstance();
- // Initialize the SSLContext to work with our key and trust managers.
- serverCtxt.init(getKeyManagers(ks, keyStorePassword),
- getTrustManagers(sslConf), new SecureRandom());
- } catch (GeneralSecurityException e) {
- throw new SslInitException(e);
- }
- serverContext = serverCtxt;
- }
 private static TrustManager[] getTrustManagers(SSLConfiguration sslConf) throws SslInitException {
 TrustManager tm = TrustManagerFactory.getTrustManager(sslConf);
 return new TrustManager[] { tm };
 }
- private static KeyManager[] getKeyManagers(KeyStore ks, String keystorePassword)
- throws NoSuchAlgorithmException, UnrecoverableKeyException,
- KeyStoreException, NoSuchProviderException {
- // Set up key manager factory to use our key store
- KeyManagerFactory kmf = KeyManagerFactory.getInstance(ALGORITHM, TLS_PROVIDER);
- kmf.init(ks, keystorePassword.toCharArray());
- KeyManager[] rawKeyManagers = kmf.getKeyManagers();
- KeyManager kms[] = new KeyManager[rawKeyManagers.length];
- for (int i = 0; i < rawKeyManagers.length; i++) {
- // Wrap with our keymanager, so that propperly aliased key is
- // used in keystore.
- kms[i] = new JSSEKeyManager((X509KeyManager)rawKeyManagers[i]);
- }
- return kms;
- }
-
- private static void logReason(File trustStoreFile) {
- String detail = "Reason: no keystore file specified!";
- if (trustStoreFile != null) {
- if (!trustStoreFile.exists()) {
- detail = "Reason: keystore file '" + trustStoreFile.toString() + "' does not exist!";
- } else {
- detail = "Reason: illegal keystore password!";
- }
- }
- logger.log(Level.SEVERE, "Failed to load keystore. " + detail);
- }
-
 private static SSLContext getContextInstance() {
 // Create the context. Specify the SunJSSE provider to avoid
 // picking up third-party providers. Try the TLS 1.2 provider
--- a/common/core/src/test/java/com/redhat/thermostat/common/internal/JSSEKeyManagerTest.java Wed Jun 21 14:02:39 2017 -0400
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,100 +0,0 @@
-/*
- * Copyright 2012-2017 Red Hat, Inc.
- *
- * This file is part of Thermostat.
- *
- * Thermostat is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2, or (at your
- * option) any later version.
- *
- * Thermostat is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with Thermostat; see the file COPYING. If not see
- * <http://www.gnu.org/licenses/>.
- *
- * Linking this code with other modules is making a combined work
- * based on this code. Thus, the terms and conditions of the GNU
- * General Public License cover the whole combination.
- *
- * As a special exception, the copyright holders of this code give
- * you permission to link this code with independent modules to
- * produce an executable, regardless of the license terms of these
- * independent modules, and to copy and distribute the resulting
- * executable under terms of your choice, provided that you also
- * meet, for each linked independent module, the terms and conditions
- * of the license of that module. An independent module is a module
- * which is not derived from or based on this code. If you modify
- * this code, you may extend this exception to your version of the
- * library, but you are not obligated to do so. If you do not wish
- * to do so, delete this exception statement from your version.
- */
-
-package com.redhat.thermostat.common.internal;
-
-import static org.junit.Assert.assertEquals;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.verify;
-
-import javax.net.ssl.X509KeyManager;
-
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-public class JSSEKeyManagerTest {
-
- private X509KeyManager tm;
-
- @Before
- public void setup() {
- this.tm = mock(X509KeyManager.class);
- }
-
- @After
- public void teardown() {
- this.tm = null;
- }
-
- @Test
- public void chooseServerAliasReturnsThermostat() {
- JSSEKeyManager keyManager = new JSSEKeyManager(tm);
- assertEquals(JSSEKeyManager.THERMOSTAT_KEY_ALIAS,
- keyManager.chooseServerAlias(null, null, null));
- }
-
- @Test
- public void testKeyAliasIsThermostat() {
- // In documentation we tell our users that the keyalias for the
- // agent server key has to be thermostat.
- // See: http://icedtea.classpath.org/wiki/Thermostat/SecurityConsiderations
- assertEquals(JSSEKeyManager.THERMOSTAT_KEY_ALIAS, "thermostat");
- }
-
- @Test
- public void chooseEngineServerAliasReturnsThermostatAlias() {
- JSSEKeyManager keyManager = new JSSEKeyManager(tm);
- assertEquals(JSSEKeyManager.THERMOSTAT_KEY_ALIAS,
- keyManager.chooseEngineServerAlias(null, null, null));
- }
-
- @Test
- public void otherMethodsDelegate() {
- JSSEKeyManager keyManager = new JSSEKeyManager(tm);
- keyManager.chooseClientAlias(null, null, null);
- verify(tm).chooseClientAlias(null, null, null);
- keyManager.getCertificateChain("blah");
- verify(tm).getCertificateChain("blah");
- keyManager.getClientAliases(null, null);
- verify(tm).getClientAliases(null, null);
- keyManager.getPrivateKey("test");
- verify(tm).getPrivateKey("test");
- keyManager.getServerAliases("something", null);
- verify(tm).getServerAliases("something", null);
- }
-}
-
--- a/common/core/src/test/java/com/redhat/thermostat/common/ssl/SSLContextFactoryTest.java Wed Jun 21 14:02:39 2017 -0400
+++ b/common/core/src/test/java/com/redhat/thermostat/common/ssl/SSLContextFactoryTest.java Mon Jun 19 12:15:22 2017 +0200
@@ -55,7 +55,6 @@
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509KeyManager;
 import javax.net.ssl.X509TrustManager;
 import org.junit.Test;
@@ -72,61 +71,6 @@
 @PrepareForTest({ SSLContext.class, KeyManagerFactory.class, javax.net.ssl.TrustManagerFactory.class })
 public class SSLContextFactoryTest {
- /*
- * cmdChanServer.keystore is a keystore converted from openssl. It contains
- * key material which was signed by ca.crt. More information as to how to
- * create such a file here (first create server.crt => convert it to java
- * keystore format):
- * http://icedtea.classpath.org/wiki/Thermostat/DevDeployWarInTomcatNotes
- *
- * Unfortunately, powermock messes up the KeyManagerFactory. We can only
- * verify that proper methods are called.
- */
- @Test
- public void verifySetsUpServerContextWithProperKeyMaterial()
- throws Exception {
- File keystoreFile = new File(decodeFilePath(this.getClass()
- .getResource("/cmdChanServer.keystore")));
-
- SSLConfiguration sslConf = mock(SSLConfiguration.class);
- when(sslConf.getKeystoreFile()).thenReturn(
- keystoreFile);
- when(sslConf.getKeyStorePassword()).thenReturn(
- "testpassword");
-
- PowerMockito.mockStatic(SSLContext.class);
- SSLContext context = PowerMockito.mock(SSLContext.class);
- when(SSLContext.getInstance("TLSv1.2", "SunJSSE")).thenReturn(context);
- ArgumentCaptor<KeyManager[]> keymanagersCaptor = ArgumentCaptor
- .forClass(KeyManager[].class);
- ArgumentCaptor<TrustManager[]> tmsCaptor = ArgumentCaptor
- .forClass(TrustManager[].class);
- PowerMockito.mockStatic(KeyManagerFactory.class);
- KeyManagerFactory mockFactory = PowerMockito.mock(KeyManagerFactory.class);
- when(KeyManagerFactory.getInstance("SunX509", "SunJSSE")).thenReturn(mockFactory);
- KeyManager[] mockKms = new KeyManager[] { mock(X509KeyManager.class) };
- when(mockFactory.getKeyManagers()).thenReturn(mockKms);
- PowerMockito.mockStatic(javax.net.ssl.TrustManagerFactory.class);
- javax.net.ssl.TrustManagerFactory mockTrustFactory = PowerMockito.mock(javax.net.ssl.TrustManagerFactory.class);
- when(mockTrustFactory.getTrustManagers()).thenReturn(new TrustManager[0]);
- when(javax.net.ssl.TrustManagerFactory.getInstance("SunX509", "SunJSSE")).thenReturn(mockTrustFactory);
-
- SSLContextFactory.getServerContext(sslConf);
- verify(context).init(keymanagersCaptor.capture(),
- tmsCaptor.capture(), any(SecureRandom.class));
- KeyManager[] kms = keymanagersCaptor.getValue();
- assertEquals(1, kms.length);
- // Keymanagers should be wrapped by JSSEKeyManager
- assertEquals(
- "com.redhat.thermostat.common.internal.JSSEKeyManager",
- kms[0].getClass().getName());
- TrustManager[] tms = tmsCaptor.getValue();
- assertEquals(1, tms.length);
- assertEquals(
- "com.redhat.thermostat.common.internal.CustomX509TrustManager",
- tms[0].getClass().getName());
- }
-
 @Test
 public void verifySetsUpClientContextWithProperTrustManager()
 throws Exception {
--- a/config/src/main/java/com/redhat/thermostat/shared/config/SSLConfiguration.java Wed Jun 21 14:02:39 2017 -0400
+++ b/config/src/main/java/com/redhat/thermostat/shared/config/SSLConfiguration.java Mon Jun 19 12:15:22 2017 +0200
@@ -54,31 +54,5 @@
 */
 public String getKeyStorePassword();
- /**
- *
- * @return true if and only if SSL should be enabled for command channel
- * communication between agent and client. I.e. if
- * $THERMOSTAT_HOME/etc/ssl.properties exists and proper config has
- * been added. false otherwise.
- */
- public boolean enableForCmdChannel();
-
- /**
- *
- * @return true if and only if SSL should be used for backing storage
- * connections. I.e. if $THERMOSTAT_HOME/etc/ssl.properties exists
- * and proper config has been added. false otherwise.
- */
- public boolean enableForBackingStorage();
-
- /**
- *
- * @return true if and only if host name verification should not be
- * performed during SSL handshake. In other words if
- * $THERMOSTAT_HOME/etc/ssl.properties exists and proper config has
- * been added. false otherwise.
- */
- public boolean disableHostnameVerification();
-
 }
--- a/config/src/main/java/com/redhat/thermostat/shared/config/internal/SSLConfigurationImpl.java Wed Jun 21 14:02:39 2017 -0400
+++ b/config/src/main/java/com/redhat/thermostat/shared/config/internal/SSLConfigurationImpl.java Mon Jun 19 12:15:22 2017 +0200
@@ -54,9 +54,6 @@
 private static final String SSL_PROPS_FILENAME = "ssl.properties";
 private static final String KEYSTORE_FILE_KEY = "KEYSTORE_FILE";
 private static final String KEYSTORE_FILE_PWD_KEY = "KEYSTORE_PASSWORD";
- private static final String CMD_CHANNEL_SSL_KEY = "COMMAND_CHANNEL_USE_SSL";
- private static final String BACKING_STORAGE_USE_SSL_KEY = "BACKING_STORAGE_CONNECTION_USE_SSL";
- private static final String DISABLE_HOSTNAME_VERIFICATION = "DISABLE_HOSTNAME_VERIFICATION";
 private static final Logger logger = Logger.getLogger(SSLConfigurationImpl.class.getName());
 public SSLConfigurationImpl(CommonPaths paths) {
@@ -91,21 +88,6 @@
 String pwd = configProps.getProperty(KEYSTORE_FILE_PWD_KEY);
 return pwd;
 }
-
- @Override
- public boolean enableForCmdChannel() {
- return readBooleanProperty(CMD_CHANNEL_SSL_KEY);
- }
-
- @Override
- public boolean enableForBackingStorage() {
- return readBooleanProperty(BACKING_STORAGE_USE_SSL_KEY);
- }
-
- @Override
- public boolean disableHostnameVerification() {
- return readBooleanProperty(DISABLE_HOSTNAME_VERIFICATION);
- }
 // testing hook
 void initProperties(File clientPropertiesFile) {
@@ -119,23 +101,6 @@
 }
 }
- private boolean readBooleanProperty(final String property) {
- boolean result = false;
- try {
- loadProperties();
- } catch (InvalidConfigurationException e) {
- logger.log(Level.WARNING,
- "THERMOSTAT_HOME not set and config file attempted to be " +
- "read from there! Returning false.");
- return result;
- }
- String token = configProps.getProperty(property);
- if (token != null) {
- result = Boolean.parseBoolean(token);
- }
- return result;
- }
-
 // package-private for testing.
 void loadProperties() throws InvalidConfigurationException {
--- a/config/src/test/java/com/redhat/thermostat/shared/config/internal/SSLConfigurationImplTest.java Wed Jun 21 14:02:39 2017 -0400
+++ b/config/src/test/java/com/redhat/thermostat/shared/config/internal/SSLConfigurationImplTest.java Mon Jun 19 12:15:22 2017 +0200
@@ -90,19 +90,6 @@
 assertEquals(null, badSSLConf.getKeyStorePassword());
 }
- @Test
- public void canGetSSLEnabledConfigs() {
- assertTrue(sslConf.enableForCmdChannel());
- assertTrue(sslConf.enableForBackingStorage());
- assertTrue(sslConf.disableHostnameVerification());
- File disabledSSLProps = new File(this.getClass().getResource("/ssl.properties").getFile());
- SSLConfigurationImpl disabledSSLConf = new SSLConfigurationImpl(null);
- disabledSSLConf.initProperties(disabledSSLProps);
- assertFalse(disabledSSLConf.enableForCmdChannel());
- assertFalse(disabledSSLConf.enableForBackingStorage());
- assertFalse(disabledSSLConf.disableHostnameVerification());
- }
-
 /*
 * $THERMOSTAT_HOME/etc/ssl.properties is specified,
 * $USER_THERMOSTAT_HOME/etc/ssl.properties not specified.
@@ -133,8 +120,6 @@
 // use this assertion in order to avoid false positives if loading of
 // ssl.properties did not work, but boolean matches default values.
 assertEquals("system thermostat home", config.getKeyStorePassword());
- assertTrue(config.enableForBackingStorage());
- assertTrue(config.disableHostnameVerification());
 }
 /*
@@ -168,8 +153,6 @@
 // use this assertion in order to avoid false positives if loading of
 // ssl.properties did not work, but boolean matches default values.
 assertEquals("user thermostat home", config.getKeyStorePassword());
- assertFalse(config.enableForBackingStorage());
- assertFalse(config.disableHostnameVerification());
 }
 /*
@@ -204,8 +187,6 @@
 // use this assertion in order to avoid false positives if loading of
 // ssl.properties did not work, but boolean matches default values.
 assertEquals("user thermostat home", config.getKeyStorePassword());
- assertFalse(config.enableForBackingStorage());
- assertFalse(config.disableHostnameVerification());
 }
 /*
@@ -237,9 +218,6 @@
 // assert default values
 assertNull(config.getKeyStorePassword());
 assertNull(config.getKeystoreFile());
- assertFalse(config.enableForBackingStorage());
- assertFalse(config.enableForCmdChannel());
- assertFalse(config.disableHostnameVerification());
 }
 private static String decodeFilePath(URL url) {
--- a/config/src/test/resources/client.properties Wed Jun 21 14:02:39 2017 -0400
+++ b/config/src/test/resources/client.properties Mon Jun 19 12:15:22 2017 +0200
@@ -1,6 +1,3 @@
 # Random comment
 KEYSTORE_FILE=/path/to/thermostat.keystore
 KEYSTORE_PASSWORD=some password
-COMMAND_CHANNEL_USE_SSL=true
-BACKING_STORAGE_CONNECTION_USE_SSL=true
-DISABLE_HOSTNAME_VERIFICATION=true
\ No newline at end of file
--- a/config/src/test/resources/ssl.properties Wed Jun 21 14:02:39 2017 -0400
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,3 +0,0 @@
-COMMAND_CHANNEL_USE_SSL=somethingNotABoolean
-# this does not parse as a boolean
-DISABLE_HOSTNAME_VERIFICATION=yes
\ No newline at end of file
--- a/config/src/test/resources/system_th_home/ssl.properties Wed Jun 21 14:02:39 2017 -0400
+++ b/config/src/test/resources/system_th_home/ssl.properties Mon Jun 19 12:15:22 2017 +0200
@@ -1,6 +1,3 @@
 # used for system vs. user thermostat home config of ssl.properties testing
 KEYSTORE_FILE=/path/to/system_thermostat.keystore
-KEYSTORE_PASSWORD=system thermostat home
-COMMAND_CHANNEL_USE_SSL=true
-BACKING_STORAGE_CONNECTION_USE_SSL=true
-DISABLE_HOSTNAME_VERIFICATION=true
\ No newline at end of file
+KEYSTORE_PASSWORD=system thermostat home
\ No newline at end of file
--- a/config/src/test/resources/user_th_home/ssl.properties Wed Jun 21 14:02:39 2017 -0400
+++ b/config/src/test/resources/user_th_home/ssl.properties Mon Jun 19 12:15:22 2017 +0200
@@ -1,6 +1,3 @@
 # used for system vs. user thermostat home config of ssl.properties testing
 KEYSTORE_FILE=/path/to/user_thermostat.keystore
-KEYSTORE_PASSWORD=user thermostat home
-COMMAND_CHANNEL_USE_SSL=false
-BACKING_STORAGE_CONNECTION_USE_SSL=false
-DISABLE_HOSTNAME_VERIFICATION=false
\ No newline at end of file
+KEYSTORE_PASSWORD=user thermostat home
\ No newline at end of file
--- a/distribution/config/ssl.properties Wed Jun 21 14:02:39 2017 -0400
+++ b/distribution/config/ssl.properties Mon Jun 19 12:15:22 2017 +0200
@@ -1,6 +1,6 @@
-# This file is used as source for key material if SSL should be enabled
-# for the command channel. It may also be used in order to configure thermostat
-# so as to trust some self-signed certificate.
+# This file is used as an additional source for establishing trust in
+# TLS connections. I.e. it may be used in order to configure thermostat
+# so as to trust some self-signed certificate(s).
 # More information available at:
 # http://icedtea.classpath.org/wiki/Thermostat/SecurityConsiderations
 #KEYSTORE_FILE=/path/to/thermostat.keystore
@@ -8,20 +8,3 @@
 # The password for the keystore file. If none is provided the empty password
 # is assumed. Only used if KEYSTORE_FILE was specified.
 #KEYSTORE_PASSWORD=nopassword
-
-# Uncomment the following line if you would like to enable SSL for command
-# channel communication. Note that if this is set to true, both of the above
-# configs are required on the agent host, since it will use the key material
-# in the keystore file for SSL handshakes.
-#COMMAND_CHANNEL_USE_SSL=true
-
-# Uncomment the following line if mongodb connections need to use SSL. I.e.
-# enable this if you are configuring a thermostat client component which
-# needs to do a SSL handshake with mongodb storage. See SSL_ENABLE in
-# $THERMOSTAT_HOME/storage/db.properties).
-#BACKING_STORAGE_CONNECTION_USE_SSL=true
-
-# Uncomment the following line if host name checking should be disabled during
-# SSL handshakes. It is not recommended to turn this off. NOTE: Host names will
-# always be verified for https:// connection URLs regardless of this config.
-#DISABLE_HOSTNAME_VERIFICATION=true
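Review bot: The rewritten header in the first hunk does not tell operators that `COMMAND_CHANNEL_USE_SSL`, `BACKING_STORAGE_CONNECTION_USE_SSL` and `DISABLE_HOSTNAME_VERIFICATION` are no longer read. The SSLConfigurationImpl hunks of this changeset remove the constants and accessors for those keys, so an existing ssl.properties that still sets them would apparently be ignored without any message. I would add a line below the header such as `# NOTE: COMMAND_CHANNEL_USE_SSL, BACKING_STORAGE_CONNECTION_USE_SSL and DISABLE_HOSTNAME_VERIFICATION are no longer read; remove them from existing files.` Separately, the retained `KEYSTORE_PASSWORD` comment in the second hunk could state that the file should be readable only by the account running thermostat, since it stores the keystore password in clear text.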