
9 posts from February 2011


GlassFish 3.1 is Out

GlassFish 3.1 has been released. Both the GlassFish Open Source and GlassFish Commercial versions are available for download simultaneously.

The biggest news with the 3.1 release is that the clustering and high-availability support that was missing from version 3.0 exists again. Other new features include SSH provisioning, centralized management, application versioning, better OSGi support, a retooled embedded API, and more. The commercial version, Oracle GlassFish Server, also includes the Oracle GlassFish Server Control, which provides command-line client monitoring, simplified backup and restore, Oracle Access Manager integration, and a couple other neat items.

Complete sets of documentation for the open-source GlassFish Server and for the commercial Oracle GlassFish server are also highlights of this release.

If you have the time today at 1PM eastern or tomorrow at 9AM eastern, you can also attend a What's New with GlassFish 3.1 webinar.

Browsers: Is SSL Really Working?

Every time I think I have a fairly good understanding of how SSL works, something weird comes along to knock that understanding back a few notches.  Case in point:  Certificate Chains.  IBM has a nice, short article called "How Certificate Chains Work" that describes what they are so I'm linking to that in order to save some space for this post.  

With almost any type of certificate one purchases from Verisign today, and I use Verisign as an example because I am a Verisign certificate user, two intermediate certificates sit between the root certificate and the server certificate: a Primary Intermediate and a Secondary Intermediate.  The Primary Intermediate is the same regardless of the type of server certificate that was purchased.  The Secondary Intermediate varies according to the type of server certificate purchased.  If you purchased one of their SecureSite with EV certificates, the secondary intermediate is different from the one that is issued along with their SecureSite certificates but the Primary Intermediate is the same. 

Browsers have a feature that, I thought, displayed the full certificate chain, also known as the certification path. They would display the certificate hierarchy, so you can see the root, the intermediate(s) and the server cert. Problem is, they seem to have stopped doing this. Take Safari 5, which is displaying the certification path for the Extended Validation cert securing www.verisign.com:

Safari 5 shows the Primary Intermediate as if it is the root certificate, followed by the secondary intermediate, followed by the server cert. What's missing is the actual root cert, as this is supposed to be a 4-way chain.

Firefox 3.6.13 exhibits the same behavior.  Before you think, "Oh, this must be a Mac thing...", Firefox 3.6.13 running on Ubuntu 10.10 shows the same thing, too.  So then I thought, well, maybe this is what is supposed to happen but two peculiar additional discoveries are the cause of my confusion.

Safari 3 shows the full certification path:

I found in my System Roots keychain that Apple has imported the Class 3 Public Primary Certification Authority - G5 cert (the Primary Intermediate). Perhaps that is why it is displaying a 4-way chain as a 3-way chain? Well, that's what a buddy and I thought before connecting to one of my sites secured with a non-EV cert but still utilizing the same 4-way chain. In that case, all four certs in the certification path are displayed in Safari 5 (portions of the image redacted to protect the innocent):

So... what's going on, browser makers? I'm assuming that there is a bug somewhere, but where? Is my understanding of how this should be working the bug?
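The keychain hypothesis raised in this post, written out as a simplified path-building model. This is an added example, not code from the original post and not a description of what Safari or Firefox actually implement. It assumes a path builder that stops at the first certificate it finds in the trust store; every name except the G5 subject is a constructed placeholder, and `key_id` stands in for real signature checks.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    key_id: str         # stands in for the subject's public key
    issuer: str
    issuer_key_id: str  # key that signed this cert

G5 = "Class 3 Public Primary Certification Authority - G5"
# Constructed sample chain; every name except G5 is a placeholder.
ROOT = Cert("Constructed Root CA", "K-root", "Constructed Root CA", "K-root")
G5_CROSS = Cert(G5, "K-g5", "Constructed Root CA", "K-root")  # sent by the server
G5_SELF = Cert(G5, "K-g5", G5, "K-g5")                        # trust-store copy
SECONDARY = Cert("Constructed Secondary Intermediate", "K-sec", G5, "K-g5")
SERVER = Cert("www.example.test", "K-srv", "Constructed Secondary Intermediate", "K-sec")

def build_path(leaf, sent, trust_store, max_depth=8):
    """Follow issuer links from the leaf, stopping at the first trust anchor."""
    anchors = {(c.subject, c.key_id): c for c in trust_store}
    untrusted = {(c.subject, c.key_id): c for c in sent}
    path = [leaf]
    while len(path) < max_depth:
        want = (path[-1].issuer, path[-1].issuer_key_id)
        if want in anchors:              # a trusted copy ends the walk here
            return path + [anchors[want]]
        nxt = untrusted.get(want)
        if nxt is None or nxt in path:   # missing issuer or self-signed loop
            raise ValueError(f"no trust anchor for {path[-1].subject!r}")
        path.append(nxt)
    raise ValueError("chain too long")

def subjects(path):
    return [c.subject for c in path]

SENT = [SECONDARY, G5_CROSS]  # what the server presents alongside its own cert
four_way = build_path(SERVER, SENT, [ROOT])            # only the old root trusted
three_way = build_path(SERVER, SENT, [ROOT, G5_SELF])  # G5 also in the trust store

if __name__ == "__main__":
    for label, p in (("root only", four_way), ("root + G5", three_way)):
        print(label, "->", len(p), "certs:", " <- ".join(subjects(p)))
```

Under this model the same server chain yields four certificates when only the root is trusted and three when a self-signed copy of G5 is also trusted, which by itself does not account for the non-EV site still showing all four.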





First Groovy 1.8 Release Candidate is Out

The first release candidate for Groovy 1.8 was just announced, meaning it should be going gold real soon! The RC1 release notes will give you all the details you need to see what's new/changed/fixed, and the development team would appreciate you downloading a copy of 1.8 RC1 and giving it a test.