Re: lang/openjdk11 certificates

To: Jonathan Perkin <jperkin%joyent.com@localhost>
Subject: Re: lang/openjdk11 certificates
From: Ryo ONODERA <ryo%tetera.org@localhost>
Date: Tue, 26 Jan 2021 23:30:36 +0900

Hi,

Jonathan Perkin <jperkin%joyent.com@localhost> writes:

> * On 2021-01-26 at 13:55 GMT, Ryo ONODERA wrote:
>
>> David Brownlee <abs%absd.org@localhost> writes:
>> 
>> > On Sun, 24 Jan 2021 at 00:34, Robert Swindells <rjs%fdy2.co.uk@localhost> wrote:
>> >>
>> >> Is anyone able to use lang/openjdk11 to do any https connections ?
>> >>
>> >> Trying to use maven with it results in an error that trustAnchors are
>> >> empty.
>> >>
>> >> Using lang/openjdk8 does work.
>> >
>> > I think that while both openjdk8 and openjdk11 build a default set of
>> > certificates, only openjdk8 installs them (running up a test to try to
>> > add them to the openjdk11 package this end to see if it affects the
>> > behaviour)
>> 
>> I think cecerts file is installed as java/openjdk11/lib/security/cecrts,
>> however it is not used properly.
>> 
>> cecerts's password is "changeit" and it is as same as jdk's default
>> password, and the password should be used automatically.
>> 
>> If you specify the password explicitly, SSL/TLS error will disappear
>> like:
>> 
>> $ openjdk11-java -Djavax.net.ssl.trustStorePassword=changeit -jar josm-tested.jar
>> 
>> I do not find any clue to fix this problem yet.
>
> The options used in our (Joyent) openjdk11 build are slightly
> different:
>
>   https://github.com/joyent/pkgsrc-joyent/blob/master/openjdk11/Makefile#L109-L124
>
> You could try those, notably this fix:
>
>   https://github.com/joyent/pkgsrc-joyent/commit/5102e341158451963781108f91aea350f567d4d0

As you suggest, using jks type cacerts will work.
I think that keystore.type=pkcs12 in
/usr/pkg/java/openjdk11/conf/security/java.security
should be converted to keystore.type=jsk too.

I cannot find any patch to change keystore.type in
pkgsrc-joyent/blob/master/openjdk11.
This kind of patch is not required?

Anyway I will try to add "-storetype jsk".

Thank you.

> Cheers,
>
> -- 
> Jonathan Perkin  -  Joyent, Inc.  -  www.joyent.com

-- 
Ryo ONODERA // ryo%tetera.org@localhost
PGP fingerprint = 82A2 DC91 76E0 A10A 8ABB  FD1B F404 27FA C7D1 15F3

Follow-Ups:
- Re: lang/openjdk11 certificates
  - From: Ryo ONODERA

References:
- lang/openjdk11 certificates
  - From: Robert Swindells
- Re: lang/openjdk11 certificates
  - From: David Brownlee
- Re: lang/openjdk11 certificates
  - From: Ryo ONODERA
- Re: lang/openjdk11 certificates
  - From: Jonathan Perkin

Prev by Date: Re: lang/openjdk11 certificates
Next by Date: graphviz build problems.
Previous by Thread: Re: lang/openjdk11 certificates
Next by Thread: Re: lang/openjdk11 certificates
Indexes:

Home | Main Index | Thread Index | Old Index