openjdk team mailing list archive

[Bug 240314] Re: openjdk doesn’t trust SSL certificates configured with update-ca-certificates

 

Thanks, that looks like a step in the right direction.  It has several
issues which I’ll file as separate bugs.  I would consider this bug
resolved when ca-certificates-java is working, and becomes part of (or a
dependency of) the ca-certificates or openjdk packages.

** Changed in: openjdk-6 (Ubuntu)
       Status: Incomplete => In Progress

-- 
openjdk doesn’t trust SSL certificates configured with update-ca-certificates
https://bugs.launchpad.net/bugs/240314
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in ubuntu.

Status in “openjdk-6” source package in Ubuntu: In Progress

Bug description:
Debian and Ubuntu provide a standard mechanism for adding a trusted SSL certificate authority to the system, by configuring it in /etc/ca-certificates.conf and running update-ca-certificates.  That command symlinks trusted CAs into /etc/ssl/certs and adds them to /etc/ssl/certs/ca-certificates.crt.

I’m pretty sure this used to work with openjdk, but it no longer does.  Even though my local CA is correctly configured and other applications can use it, Java applets on SSL pages fail to load with exceptions like this:

  I/O exception while reading: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Perhaps this is related to LP #224455 (which looks bogus to me because /etc/ssl is world-readable by default).

openjdk should either read trusted CAs from the standard location, or it should hook update-ca-certificates to add trusted CAs to whatever private keystore it actually uses (by dropping a hook script into /etc/ca-certificates/update.d).  Users of local CAs should not have to configure them in a dozen different locations.
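
The hook approach suggested in the bug description, sketched as an added example (not part of the original report, and not the ca-certificates-java package's own script). update-ca-certificates passes each hook in /etc/ca-certificates/update.d one line per changed certificate on stdin, prefixed with `+` for added and `-` for removed. The keystore path, the store password, the `system:` alias scheme and the function names are assumptions.

```shell
#!/bin/sh
# Hypothetical hook for /etc/ca-certificates/update.d (added example).
# stdin: "+/path/cert.pem" = CA newly trusted, "-/path/cert.pem" = CA removed.

# Assumptions: placeholder keystore path, store password, keytool on PATH.
KEYSTORE="${KEYSTORE:-/path/to/java/cacerts}"
STOREPASS="${STOREPASS:-changeit}"
KEYTOOL="${KEYTOOL:-keytool}"

# Derive a stable, shell-safe keystore alias from the certificate file name.
cert_alias() {
    base=$(basename "$1")
    base=${base%.pem}
    base=${base%.crt}
    printf 'system:%s\n' "$base" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9:._\n-' '_'
}

# Apply the changes listed on stdin to the Java trust store.
apply_ca_changes() {
    while IFS= read -r line; do
        path=${line#?}   # strip the one-character +/- prefix
        case "$line" in
            +/*)
                # </dev/null keeps keytool from consuming the hook input.
                "$KEYTOOL" -importcert -noprompt -trustcacerts \
                    -alias "$(cert_alias "$path")" -file "$path" \
                    -keystore "$KEYSTORE" -storepass "$STOREPASS" </dev/null \
                    || echo "import failed: $path" >&2
                ;;
            -/*)
                # Removal matters as much as import: a CA dropped from the
                # system store must stop being trusted by Java too.
                "$KEYTOOL" -delete -alias "$(cert_alias "$path")" \
                    -keystore "$KEYSTORE" -storepass "$STOREPASS" </dev/null \
                    || echo "alias not in keystore: $path" >&2
                ;;
            *)
                echo "skipping malformed hook line: $line" >&2
                ;;
        esac
    done
}

# Installed as a hook, the file would end with a call to: apply_ca_changes
```

Setting `KEYTOOL=echo` prints the keytool arguments instead of modifying a keystore, which is a convenient way to check the hook against a sample change list first.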


