[icedtea-web] RFC: fix RH677772 - NoSuchAlgorithmException using SSL/TLS in javaws

Omair Majid omajid at redhat.com
Wed Feb 23 08:35:34 PST 2011


Hi,

I have attached a patch to fix RH677772 [1]. Please note that I am 
particularly concerned as it is reverting a patch [2] that was added to 
fix another (quite similar) bug, RH524387 [3].

As this new bug shows, there are issues with the current system. To fix 
these, we will have to whitelist all possible classes/method that are 
allowed at this place. And I am not sure at all how to determine these 
classes/methods. I especially dont think this is maintainable (all the 
more so if you consider third party code which we have no idea about).

The real problem, I think, is that we are not granting full permissions 
to code originating from jre/lib/ext (which the default java.policy file 
does). If we do that, then all code that's installed there (3rd party 
JCE providers, proprietary jars, or really anything) will run with 
proper permissions, and we wont even need to deal with the current 
system of whitelisting. This is what the proposed patch does.

I hope that explains why we should just grant appropriate permissions to 
code loaded from jre/lib/ext and let java's normal security mechanism 
handle everything from then on.

Any thoughts or comments on the patch?

Thanks,
Omair

[1] https://bugzilla.redhat.com/show_bug.cgi?id=677772
[2] http://icedtea.classpath.org/hg/icedtea6?cmd=changeset;node=6d1e2fae468a
[3] https://bugzilla.redhat.com/show_bug.cgi?id=524387
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nosuchalgorithmexception-03.patch
Type: text/x-patch
Size: 4964 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20110223/309ab6d0/nosuchalgorithmexception-03.patch 


More information about the distro-pkg-dev mailing list