openjdk team mailing list archive

Thread
Date
[Bug 224455] Re: open jdk 6 truststore points to privileged access area

To: openjdk@xxxxxxxxxxxxxxxxxxx
From: Bug Watch Updater <224455@xxxxxxxxxxxxxxxxxx>
Date: Sat, 01 Dec 2012 10:41:52 -0000
Reply-to: Bug 224455 <224455@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Launchpad has imported 3 comments from the remote bug at
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=133.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2008-04-02T15:42:08+00:00 Sylvain Beucler wrote:

Under Debian Etch, I compiled IcedTea6 (17 march), and installed
tomcat5.5.

I configured it to run with SSL:
/usr/lib/jvm/java-6-openjdk/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/share/tomcat5.5/.keystore
# passwd: changeit
sudo chown tomcat55: /usr/share/tomcat5.5/.keystore
sudo chmod 600 /usr/share/tomcat5.5/.keystore
# Simulate Fedora path for now:
sudo mkdir -p /etc/pki/tls/certs/
sudo ln -s /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt
# Modify /etc/tomcat5.5/server.xml and uncomment "Define a SSL HTTP/1.1 Connector on port 8443"

Relevant config:
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

On startup I get:

...
INFO: Initialisation de Coyote HTTP/1.1 sur http-8180
2 avr. 2008 16:55:26 org.apache.coyote.http11.Http11BaseProtocol init
GRAVE: Erreur à l'initialisation du point de contact
java.io.IOException: Invalid keystore format
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
        at java.security.KeyStore.load(KeyStore.java:1201)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:282)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:256)
        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getTrustManagers(JSSE14SocketFactory.java:174)
        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:111)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
        at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:138)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:791)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:503)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:523)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:266)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:431)
2 avr. 2008 16:55:26 org.apache.catalina.startup.Catalina load
GRAVE: Catalina.start
LifecycleException:  L'initialisation du gestionnaire de protocole a échoué: java.io.IOException: Invalid keystore format
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1018)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:791)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:503)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:523)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:266)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:431)
2 avr. 2008 16:55:26 org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1987 ms
2 avr. 2008 16:55:27 org.apache.catalina.core.StandardService start
INFO: Démarrage du service Catalina
...


When using Sun's JRE 1.5 instead, it works fine (without modifying the keystore).

I see this also reported at:
http://www.mail-archive.com/users@xxxxxxxxxxxxxxxxx/msg40851.html
where the user installed JRE 1.6 instead of IcedTea to make things work.

I don't see this bug reported in bugzilla (search "keystore" returned
zarro bugs), so I'm reporting it.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/224455/comments/0

------------------------------------------------------------------------
On 2008-07-20T23:20:29+00:00 Gnu-andrew-n wrote:

There were some certificate-related patches being applied back then that
have now changed.  May be worth retrying with current IcedTea.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/224455/comments/8

------------------------------------------------------------------------
On 2008-11-05T20:57:33+00:00 Sylvain Beucler wrote:

I confirm that it works now.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/224455/comments/9

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in Ubuntu.
https://bugs.launchpad.net/bugs/224455

Title:
  open jdk 6 truststore points to privileged access area

Status in GlassFish:
  Unknown
Status in Iced Tea:
  Invalid
Status in “openjdk-6” package in Ubuntu:
  Fix Released

Bug description:
  open jdk 6 truststore setting "javax.net.ssl.trustStore" i.e
  "/etc/ssl/certs/ca-certificates.crt " points to an area in the
  filesystem (/etc/ssl) that usually requires privileged access for
  read, write and execute.

  So any app run as a regular user that were to implicitly depend on the
  default truststore could end up not working in Ubuntu unless they
  overrode with a custom system prop which they were not earlier doing.
  This may be a problem for Java apps that did not have such an setting
  made earlier.

  Seems to be by the following icedtea patch,
  http://icedtea.classpath.org/hg/icedtea6/file/d0081b7856c8/patches/icedtea-certbundle.patch 

  The "javax.net.ssl.trustStorePassword" has been set to an empty string
  too. Why?

To manage notifications about this bug go to:
https://bugs.launchpad.net/glassfish/+bug/224455/+subscriptions
References

[Bug 224455] [NEW] open jdk 6 truststore points to privileged access area
From: Nitya Doraisamy, 2008-04-29