openjdk team mailing list archive

[Matthias Klose <doko@xxxxxxxxxx>]

please have a look at the ca-certificates-java package as found in
intrepid.


** Changed in: openjdk-6 (Ubuntu)
       Status: New => Incomplete

-- 
openjdk doesn’t trust SSL certificates configured with update-ca-certificates
https://bugs.launchpad.net/bugs/240314
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in ubuntu.

Status in Source Package "openjdk-6" in Ubuntu: Incomplete

Bug description:
Debian and Ubuntu provide a standard mechanism for adding a trusted SSL certificate authority to the system, by configuring it in /etc/ca-certificates.conf and running update-ca-certificates.  That command symlinks trusted CAs into /etc/ssl/certs and adds them to /etc/ssl/certs/ca-certificates.crt.

I’m pretty sure this used to work with openjdk, but it no longer does.  Even though my local CA is correctly configured and other applications can use it, Java applets on SSL pages fail to load with exceptions like this:

  I/O exception while reading: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Perhaps this is related to LP #224455 (which looks bogus to me because /etc/ssl is world-readable by default).

openjdk should either read trusted CAs from the standard location, or it should hook update-ca-certificates to add trusted CAs to whatever private keystore it actually uses (by dropping a hook script into /etc/ca-certificates/update.d).  Users of local CAs should not have to configure them in a dozen different locations.