openjdk team mailing list archive
-
openjdk team
-
Mailing list archive
-
Message #08829
[Bug 224455] Re: open jdk 6 truststore points to privileged access area
Launchpad has imported 3 comments from the remote bug at
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=133.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.
------------------------------------------------------------------------
On 2008-04-02T15:42:08+00:00 Sylvain Beucler wrote:
Under Debian Etch, I compiled IcedTea6 (17 march), and installed
tomcat5.5.
I configured it to run with SSL:
/usr/lib/jvm/java-6-openjdk/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/share/tomcat5.5/.keystore
# passwd: changeit
sudo chown tomcat55: /usr/share/tomcat5.5/.keystore
sudo chmod 600 /usr/share/tomcat5.5/.keystore
# Simulate Fedora path for now:
sudo mkdir -p /etc/pki/tls/certs/
sudo ln -s /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt
# Modify /etc/tomcat5.5/server.xml and uncomment "Define a SSL HTTP/1.1 Connector on port 8443"
Relevant config:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
On startup I get:
...
INFO: Initialisation de Coyote HTTP/1.1 sur http-8180
2 avr. 2008 16:55:26 org.apache.coyote.http11.Http11BaseProtocol init
GRAVE: Erreur à l'initialisation du point de contact
java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1201)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:282)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:256)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getTrustManagers(JSSE14SocketFactory.java:174)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:111)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:138)
at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:791)
at org.apache.catalina.startup.Catalina.load(Catalina.java:503)
at org.apache.catalina.startup.Catalina.load(Catalina.java:523)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:266)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:431)
2 avr. 2008 16:55:26 org.apache.catalina.startup.Catalina load
GRAVE: Catalina.start
LifecycleException: L'initialisation du gestionnaire de protocole a échoué: java.io.IOException: Invalid keystore format
at org.apache.catalina.connector.Connector.initialize(Connector.java:1018)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:791)
at org.apache.catalina.startup.Catalina.load(Catalina.java:503)
at org.apache.catalina.startup.Catalina.load(Catalina.java:523)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:266)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:431)
2 avr. 2008 16:55:26 org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1987 ms
2 avr. 2008 16:55:27 org.apache.catalina.core.StandardService start
INFO: Démarrage du service Catalina
...
When using Sun's JRE 1.5 instead, it works fine (without modifying the keystore).
I see this also reported at:
http://www.mail-archive.com/users@xxxxxxxxxxxxxxxxx/msg40851.html
where the user installed JRE 1.6 instead of IcedTea to make things work.
I don't see this bug reported in bugzilla (search "keystore" returned
zarro bugs), so I'm reporting it.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/224455/comments/0
------------------------------------------------------------------------
On 2008-07-20T23:20:29+00:00 Gnu-andrew-n wrote:
There were some certificate-related patches being applied back then that
have now changed. May be worth retrying with current IcedTea.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/224455/comments/8
------------------------------------------------------------------------
On 2008-11-05T20:57:33+00:00 Sylvain Beucler wrote:
I confirm that it works now.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/224455/comments/9
--
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in Ubuntu.
https://bugs.launchpad.net/bugs/224455
Title:
open jdk 6 truststore points to privileged access area
Status in GlassFish:
Unknown
Status in Iced Tea:
Invalid
Status in “openjdk-6” package in Ubuntu:
Fix Released
Bug description:
open jdk 6 truststore setting "javax.net.ssl.trustStore" i.e
"/etc/ssl/certs/ca-certificates.crt " points to an area in the
filesystem (/etc/ssl) that usually requires privileged access for
read, write and execute.
So any app run as a regular user that were to implicitly depend on the
default truststore could end up not working in Ubuntu unless they
overrode with a custom system prop which they were not earlier doing.
This may be a problem for Java apps that did not have such an setting
made earlier.
Seems to be by the following icedtea patch,
http://icedtea.classpath.org/hg/icedtea6/file/d0081b7856c8/patches/icedtea-certbundle.patch
The "javax.net.ssl.trustStorePassword" has been set to an empty string
too. Why?
To manage notifications about this bug go to:
https://bugs.launchpad.net/glassfish/+bug/224455/+subscriptions
References