FS#55716 - [jre9-openjdk-headless] SSL does not work due to keystore being empty
Attached to Project:
Arch Linux
Opened by Gianluca Nitti (gianluca_n) - Saturday, 23 September 2017, 13:04 GMT
Last edited by Guillaume ALAUX (galaux) - Saturday, 23 September 2017, 15:18 GMT
Details
Description:
The SSL certificate store file (/usr/lib/jvm/java-9-openjdk/lib/security/cacerts) does not contain any certificate. This leads to a "java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty" exception being thrown every time a Java program tries to open an SSL connection (for example an HTTPS request).

In OpenJDK 8 the certificate store file (/usr/lib/jvm/java-8-openjdk/jre/lib/security/cacerts) was a symbolic link to /etc/ssl/certs/java/cacerts, which contains the certs (this can be verified by running the command "keytool -list -keystore /usr/lib/jvm/java-8-openjdk/jre/lib/security/cacerts"; if it asks for a password, just leave it empty and press enter). In OpenJDK 9, however, /usr/lib/jvm/java-9-openjdk/lib/security/cacerts is an empty certificate store file (you can see it with "keytool -list -keystore /usr/lib/jvm/java-9-openjdk/lib/security/cacerts").

A quick workaround to make it work is to rename that file (for example to cacerts-bkp) and create the link to the correct certificate store with the command "ln -s /etc/ssl/certs/java/cacerts /usr/lib/jvm/java-9-openjdk/lib/security/cacerts".

Additional info:
* package version: jre9-openjdk-headless 9.u181-1

Steps to reproduce:
Try to perform an SSL request using any Java program when java-9-openjdk is set as the default Java environment; it won't work. For example, you can use the simple attached program, which should download the archlinux.org homepage over HTTPS:
* use Java 8 first to have proof that it works: run (as root) "archlinux-java set java-8-openjdk"
* compile it with "javac HttpsTest.java"
* run it with "java HttpsTest"; wait a while and you should see the HTML source of https://archlinux.org
* now switch to OpenJDK 9 with "archlinux-java set java-9-openjdk"
* try a "java HttpsTest" again and you'll get an exception
Closed by Guillaume ALAUX (galaux)
Saturday, 23 September 2017, 15:18 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in 9.u181-2
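
The condition described in the report can be checked directly against a trust store file. The following is an added example, not the HttpsTest.java attached to the report and not Arch Linux packaging code: it loads a cacerts file without a password, counts its trusted certificate entries, and builds PKIXParameters from it, which fails with the reported exception when the store holds no trust anchors. The class name TrustStoreCheck and its helper methods are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.util.Collections;

// Hypothetical diagnostic class (added example, not from the report).
public class TrustStoreCheck {
    // Load a trust store with no password; the integrity check is skipped.
    static KeyStore load(Path path) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, null);
        }
        return ks;
    }

    // Count trusted certificate entries, the only entries usable as trust anchors.
    static int trustedCertCount(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) n++;
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        // Default: <java.home>/lib/security/cacerts of the JRE running this program.
        Path path = args.length > 0 ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        System.out.println("store:   " + path);
        System.out.println("symlink: " + Files.isSymbolicLink(path)
                + (Files.isSymbolicLink(path) ? " -> " + Files.readSymbolicLink(path) : ""));
        KeyStore ks = load(path);
        System.out.println("trusted certificate entries: " + trustedCertCount(ks));
        try {
            // PKIX validation needs at least one trust anchor; an empty store fails here.
            new PKIXParameters(ks);
            System.out.println("OK: PKIX parameters can be built from this store");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("FAIL: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it with no argument to inspect the active JRE's store, or pass a path such as /etc/ssl/certs/java/cacerts to compare.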
Comment by Guillaume ALAUX (galaux) - Saturday, 23 September 2017, 15:10 GMT
#PerfectBugReport