openjdk team mailing list archive
Message #00328
[Bug 240314] [NEW] openjdk doesn’t trust SSL certificates configured with update-ca-certificates
Public bug reported:
Debian and Ubuntu provide a standard mechanism for adding a trusted SSL certificate authority to the system, by configuring it in /etc/ca-certificates.conf and running update-ca-certificates. That command symlinks trusted CAs into /etc/ssl/certs and adds them to /etc/ssl/certs/ca-certificates.crt.
I’m pretty sure this used to work with openjdk, but it no longer does. Even though my local CA is correctly configured and other applications can use it, Java applets on SSL pages fail to load with exceptions like this:
I/O exception while reading: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Perhaps this is related to LP #224455 (which looks bogus to me because /etc/ssl is world-readable by default).
openjdk should either read trusted CAs from the standard location, or it should hook update-ca-certificates to add trusted CAs to whatever private keystore it actually uses (by dropping a hook script into /etc/ca-certificates/update.d). Users of local CAs should not have to configure them in a dozen different locations.
** Affects: openjdk-6 (Ubuntu)
Importance: Undecided
Status: New
--
openjdk doesn’t trust SSL certificates configured with update-ca-certificates
https://bugs.launchpad.net/bugs/240314
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in ubuntu.
Status in Source Package "openjdk-6" in Ubuntu: New
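The hook approach proposed in the report, written out as an added example (this is not Ubuntu's or OpenJDK's packaging, and it is not code from the bug reporter). It is a script meant to be installed as /etc/ca-certificates/update.d/java-truststore, where update-ca-certificates runs it after the system CA set changes. It assumes the hook is fed one line per changed certificate on stdin, "+path" for an added CA and "-path" for a removed one, which is the convention update-ca-certificates uses for its hooks; the truststore location /etc/ssl/certs/java/cacerts, the environment overrides JAVA_TRUSTSTORE, JAVA_TRUSTSTORE_PASS and KEYTOOL, and the file name "java-truststore" are assumptions of this example. The store password "changeit" is the stock default of the JDK's cacerts file, which is why the hook should only be pointed at a copy of that store that the admin controls, never at the JDK's own file.

```shell
#!/bin/sh
# Example hook for /etc/ca-certificates/update.d (assumed name: java-truststore).
# Keeps a Java truststore in step with the CAs that update-ca-certificates
# manages, so a local CA added once via /etc/ca-certificates.conf is also
# trusted by Java without a second, hand-maintained keystore.
set -eu

KEYTOOL="${KEYTOOL:-keytool}"                               # JDK keytool (override for testing)
STORE="${JAVA_TRUSTSTORE:-/etc/ssl/certs/java/cacerts}"      # assumed truststore path
STOREPASS="${JAVA_TRUSTSTORE_PASS:-changeit}"                # JDK cacerts default password

# Derive a keystore alias from a certificate path, e.g.
# /etc/ssl/certs/My_Local-CA.pem -> my_local_ca
# (keytool aliases are case-insensitive, so they are normalised to lowercase).
cert_alias() {
    base="${1##*/}"
    base="${base%.*}"
    printf '%s\n' "$base" | tr '[:upper:]' '[:lower:]' | tr -c 'a-z0-9_\n' '[_*]'
}

# Import one CA as a trusted certificate. Idempotent: a stale entry under the
# same alias is dropped first so re-running the hook replaces rather than fails.
add_cert() {
    alias=$(cert_alias "$1")
    "$KEYTOOL" -delete -alias "$alias" -keystore "$STORE" \
        -storepass "$STOREPASS" >/dev/null 2>&1 || true
    "$KEYTOOL" -importcert -noprompt -trustcacerts -alias "$alias" -file "$1" \
        -keystore "$STORE" -storepass "$STOREPASS"
}

# Remove a CA that update-ca-certificates no longer trusts. Missing aliases are
# tolerated so the hook stays in sync even if the store was edited by hand.
remove_cert() {
    alias=$(cert_alias "$1")
    "$KEYTOOL" -delete -alias "$alias" -keystore "$STORE" -storepass "$STOREPASS" || true
}

# Read the "+path" / "-path" lines from stdin and apply them. Prints
# "<added> <removed>" so a caller (or a test) can check what was done.
process_changes() {
    added=0
    removed=0
    while IFS= read -r line; do
        case "$line" in
            +*) add_cert "${line#+}";    added=$((added + 1)) ;;
            -*) remove_cert "${line#-}"; removed=$((removed + 1)) ;;
            '') ;;
            *)  echo "java-truststore: ignoring unrecognised line: $line" >&2 ;;
        esac
    done
    echo "$added $removed"
}

# Entry point only when installed under the assumed hook name; when the file is
# sourced or run under another name, just the functions above are defined.
if [ "${0##*/}" = "java-truststore" ]; then
    process_changes
fi
```

The script touches only the store it is pointed at, so the obvious check before enabling it is to run `keytool -list -keystore /etc/ssl/certs/java/cacerts -storepass changeit` before and after `update-ca-certificates` and confirm that exactly the aliases of the added or removed CAs changed; if a CA you removed from /etc/ca-certificates.conf is still listed, Java will keep trusting it regardless of what /etc/ssl/certs contains.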