openjdk team mailing list archive
Message #12925
[Bug 1743139] Re: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
I'm not sure that changing the trust store password, or setting
javax.net.ssl.trustStorePassword by default, is the right way to fix
this. Oracle's JRE contains a keystore with the same password
("changeit") but doesn't require this property to be set.
I noticed that /etc/ssl/certs/java/cacerts in 18.04 is a PKCS12
keystore, whereas the keystore bundled with Oracle's JRE (as well as the
cacerts in 17.10) is a JKS keystore:
sam@sam-desktop:~$ keytool -list -keystore /etc/ssl/certs/java/cacerts -storepass changeit | grep 'Keystore type:'
Keystore type: PKCS12
sam@sam-desktop:~$ keytool -list -keystore jre-10.0.1/lib/security/cacerts -storepass changeit | grep 'Keystore type:'
Keystore type: JKS
If I convert my cacerts file, then things start to work again:
sam@sam-desktop:~$ sudo mv /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.old
...
sam@sam-desktop:~$ sudo keytool -importkeystore -destkeystore /etc/ssl/certs/java/cacerts -deststoretype jks -deststorepass changeit -srckeystore /etc/ssl/certs/java/cacerts.old -srcstoretype pkcs12 -srcstorepass changeit
...
sam@sam-desktop:~$ java HttpsTester
Response code: 200
It worked!
Not sure why a PKCS12 keystore needs a password but a JKS one doesn't,
but maybe whatever is generating /etc/ssl/certs/java/cacerts just needs
to be changed to generate JKS keystores again?
--
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-9 in Ubuntu.
https://bugs.launchpad.net/bugs/1743139
Title:
java.security.InvalidAlgorithmParameterException: the trustAnchors
parameter must be non-empty
Status in openjdk-9 package in Ubuntu:
Confirmed
Bug description:
When trying to access anything using Java + HTTPS, the process is
terminated with a java.security.InvalidAlgorithmParameterException.
Adding -Djavax.net.ssl.trustStorePassword=changeit to the command line
flags of java fixes this problem.
Either the trust store's password should be changed, or this flag
should be added by default.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-9/+bug/1743139/+subscriptions
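An added diagnostic, not part of the original message or of the OpenJDK or Ubuntu packaging: it loads a trust store once without a password and once with one, then reports the detected keystore type, how many trusted-certificate entries each load exposes, and whether PKIXParameters raises the exception from the bug title. The class name TrustStoreProbe and the default arguments are assumptions taken from the paths and password quoted above; KeyStore.getInstance(File, char[]) requires Java 9 or later.

```java
import java.io.File;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.util.Collections;

// Added example; TrustStoreProbe is a hypothetical name, not a JDK or Ubuntu tool.
public class TrustStoreProbe {

    // Load the store with the given password (null means "no password"),
    // print what the JDK sees, and return the number of trusted entries.
    static int probe(File store, char[] password) throws Exception {
        // Detects the on-disk format (JKS, PKCS12, ...) and loads it.
        KeyStore ks = KeyStore.getInstance(store, password);

        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                trusted++;
            }
        }
        System.out.printf("  type=%s, entries=%d, trusted certificates=%d%n",
                ks.getType(), ks.size(), trusted);

        // PKIXParameters refuses a keystore without trusted entries; this is
        // where "the trustAnchors parameter must be non-empty" comes from.
        try {
            new PKIXParameters(ks);
            System.out.println("  PKIXParameters: accepted");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("  PKIXParameters: " + e.getMessage());
        }
        return trusted;
    }

    public static void main(String[] args) {
        // Defaults are the path and password quoted in the message above.
        File store = new File(args.length > 0 ? args[0] : "/etc/ssl/certs/java/cacerts");
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();

        char[][] attempts = { null, pass };
        for (char[] attempt : attempts) {
            System.out.println(attempt == null ? "Load without password:" : "Load with password:");
            try {
                probe(store, attempt);
            } catch (Exception e) {
                System.out.println("  load failed: " + e);
            }
        }
    }
}
```

Compile with javac and run it against both the PKCS12 file and the converted JKS file to compare what each exposes when no password is supplied.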