Missing root CAs in cacerts
Magnus Ihse Bursie
magnus.ihse.bursie at oracle.com
Fri May 15 09:52:14 UTC 2020
On 2020-05-14 19:44, Andreas Ahlenstorf wrote:
> Hi!
>
> At AdoptOpenJDK, we get support requests because root CAs are missing from the bundled cacerts file (lib/security/cacerts). We ship the same cacerts file as OpenJDK. As a result, our users cannot connect to various servers using Java's built-in APIs while their browsers can. An example URL that fails is https://api.insee.fr/catalogue/ (root CA: Certigna).
>
> Replacing the bundled cacerts file with one generated from Mozilla's list of trusted CAs [1] fixes the problem. [2] contains the full analysis based on OpenJDK 14.0.1 including an executable test case.
>
> Questions:
>
> * Does OpenJDK want to do something about that?
> * Is there interest in a collaboration in that area, especially by other distributors of OpenJDK like Azul, BellSoft?
>
> Commentary:
>
> From an end user's perspective, it is inscrutable why it is possible to connect to a website using their browser or curl, but not Java. While there might be some differences because of policy, OpenJDK should strive to match the browser's list of trusted CAs as closely as possible. As of OpenJDK 14.0.1, cacerts contains 93 entries while Mozilla's list contains 138.
From my personal point of view, it seems to make sense to use the
Mozilla list. We already use e.g. the Mozilla Public Suffix List, which
is a well-handled curated list.
However, a change of the set of root CAs can certainly have user
implications. Have you analyzed which CAs Mozilla is shipping that
OpenJDK is missing? And -- even more importantly to avoid regressions
for OpenJDK users -- is OpenJDK currently shipping any root CA
certificates that Mozilla is missing?
/Magnus
>
> Best,
> Andreas
>
> [1] https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
> [2] https://github.com/AdoptOpenJDK/openjdk-support/issues/13#issuecomment-626147267
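Magnus's two questions come down to a fingerprint diff of the two trust stores. The script below is an added example, not code from the thread or from OpenJDK: it parses Mozilla's certdata.txt [1], counting only roots whose NSS trust object marks them CKT_NSS_TRUSTED_DELEGATOR for server auth (the file also carries distrusted roots), parses the PEM listing that `keytool -list -rfc -keystore lib/security/cacerts` prints, and reports what each side lacks by SHA-256 fingerprint. The sample input is constructed; the certificate bytes are placeholders, not real X.509.

```python
import base64, hashlib, re

def parse_certdata(text):
    """Split Mozilla certdata.txt into attribute dicts; MULTILINE_OCTAL values become bytes."""
    objs, cur, lines = [], {}, iter(text.splitlines())  # cur is a throwaway until the first CKA_CLASS
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0] == "CKA_CLASS":
            cur = {"class": parts[2]}
            objs.append(cur)
        elif parts[1] == "MULTILINE_OCTAL":  # \NNN escapes on the following lines, up to a bare END
            blob = "".join(iter(lines.__next__, "END"))
            cur[parts[0]] = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", blob))
        else:
            cur[parts[0]] = parts[2].strip('"') if len(parts) > 2 else ""
    return objs

def mozilla_trusted_roots(text):
    """sha256 hex fingerprint -> label, only for roots NSS trusts for TLS server auth."""
    objs = parse_certdata(text)
    trusted = {o.get("CKA_CERT_SHA1_HASH") for o in objs if o["class"] == "CKO_NSS_TRUST"
               and o.get("CKA_TRUST_SERVER_AUTH") == "CKT_NSS_TRUSTED_DELEGATOR"}
    return {hashlib.sha256(o["CKA_VALUE"]).hexdigest(): o["CKA_LABEL"] for o in objs
            if o["class"] == "CKO_CERTIFICATE" and hashlib.sha1(o["CKA_VALUE"]).digest() in trusted}

def keytool_roots(listing):
    """sha256 hex fingerprint -> alias from `keytool -list -rfc -keystore lib/security/cacerts`."""
    pat = r"Alias name: (.+?)\n.*?-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return {hashlib.sha256(base64.b64decode("".join(b64.split()))).hexdigest(): alias.strip()
            for alias, b64 in re.findall(pat, listing, re.S)}

def diff_roots(mozilla, jdk):
    """(labels Mozilla trusts but cacerts lacks, aliases cacerts has that Mozilla does not trust)."""
    return (sorted(l for fp, l in mozilla.items() if fp not in jdk),
            sorted(a for fp, a in jdk.items() if fp not in mozilla))

# Constructed sample input in both real syntaxes; the DER blobs are placeholders, not X.509 certs.
octal = lambda der: "".join("\\%03o" % b for b in der)
def cert_obj(label, der, trust):  # one CKO_CERTIFICATE object plus its CKO_NSS_TRUST object
    return (f'CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\nCKA_LABEL UTF8 "{label}"\n'
            f"CKA_VALUE MULTILINE_OCTAL\n{octal(der)}\nEND\nCKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n"
            f"CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n{octal(hashlib.sha1(der).digest())}\nEND\n"
            f"CKA_TRUST_SERVER_AUTH CK_TRUST {trust}\n")
def pem_entry(alias, der):
    return f"Alias name: {alias}\n\n-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"
DER = {n: bytes([0x30, 3, 2, 1, i]) for i, n in enumerate("ABCD", 1)}
CERTDATA = "".join(cert_obj(*a) for a in [("Root A", DER["A"], "CKT_NSS_TRUSTED_DELEGATOR"),
    ("Root B", DER["B"], "CKT_NSS_TRUSTED_DELEGATOR"), ("Root D", DER["D"], "CKT_NSS_NOT_TRUSTED")])
KEYTOOL = pem_entry("root-a [jdk]", DER["A"]) + pem_entry("root-c [jdk]", DER["C"])
print(diff_roots(mozilla_trusted_roots(CERTDATA), keytool_roots(KEYTOOL)))  # (['Root B'], ['root-c [jdk]'])
```

Root D is excluded from the "missing" list because NSS ships it as distrusted, which is the trap in a naive entry count like 93 versus 138.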