Backport fix for PR1161 to icedtea-web 1.3

Adam Domurad adomurad at redhat.com
Thu Oct 11 06:39:44 PDT 2012


On 10/10/2012 05:18 PM, Deepak Bhole wrote:
> Hi,
>
> I would like to backport the fix for PR1161 to icedtea-web 1.3 in order
> to do a new release. The issue affects icedtea-web running on Java 7:
>
> http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-September/020228.html
> http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1161
>
> I am attaching the final approved version that went into head. It
> applies to 1.3 with some fuzz. OK for 1.3?
>
> ChangeLog:
>
>      PR1161: X509VariableTrustManager does not work correctly with OpenJDK7
>      * Makefile.am: If building with JDK 6, don't build
>      VariableX509TrustManagerJDK7.
>      * NEWS: Updated.
>      * acinclude.m4: In addition to setting VERSION_DEFS, also set HAVE_JAVA7
>      if building with JDK7.
>      * netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java (initialize): Use new
>      getSSLSocketTrustManager() method to get the trust manager.
>      (getSSLSocketTrustManager): New method. Depending on runtime JRE version,
>      returns the appropriate trust manager.
>      * netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java: Removed
>      unused tm variable.
>      * netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java: No
>      longer extends com.sun.net.ssl.internal.ssl.X509ExtendedTrustManager.
>      (checkClientTrusted): Renamed to checkTrustClient and removed overloaded
>      implementations.
>      (checkServerTrusted): Renamed to checkTrustServer. Also, modified to
>      accept socket and engine (may be null). Assume that CN is mismatched by
>      default, rather than matched. If explicitly trusted, bypass other checks,
>      including CN mismatch.
>      (checkAllManagers): Modified to accept socket and engine. Modified to work
>      for both JDK6 and JDK7.
>      (getAcceptedIssuers): Make protected (called by others in package).
>      * netx/net/sourceforge/jnlp/security/VariableX509TrustManagerJDK6.java:
>      New class -- X509TrustManager for JDK6.
>      * netx/net/sourceforge/jnlp/security/VariableX509TrustManagerJDK7.java:
>      New class -- X509TrustManager for JDK7.
>
>
> Thanks,
> Deepak

Haven't looked into it in detail but I don't see any reason it shouldn't 
go in. We'll catch anything in testing regardless.

OK for 1.3 from me.

- Adam


