Missing root CAs in cacerts

Dalibor Topic dalibor.topic at oracle.com
Mon May 18 15:17:09 UTC 2020


On 14.05.2020 19:44, Andreas Ahlenstorf wrote:
> Hi!
> 
> At AdoptOpenJDK, we get support requests because root CAs are missing from the bundled cacerts file (lib/security/cacerts). We ship the same cacerts file as OpenJDK. As a result, our users cannot connect to various servers using Java's built-in APIs while their browsers can. An example URL that fails is https://api.insee.fr/catalogue/ (root CA: Certigna).
> 
> Replacing the bundled cacerts file with one generated from Mozilla's list of trusted CAs [1] fixes the problem. [2] contains the full analysis based on OpenJDK 14.0.1 including an executable test case.
> 
> Questions:
> 
> * Does OpenJDK want to do something about that?

Hi,

only Mozilla could contribute its code to OpenJDK, so unless that 
happens, the question is somewhat moot.

As far as there being differences between different OpenJDK and 
different browsers goes, that's always going to be the case, regardless 
of the preferred source of root CAs.

Simply put, there are many differences between what root CAs each 
browser and OS vendor includes in their products. See 
https://publications.sba-research.org/publications/SSL.pdf for an
example of research looking into that.

cheers,
dalibor topic

> * Is there interest in a collaboration in that area, especially by other distributors of OpenJDK like Azul, BellSoft?
> 
> Commentary:
> 
> From an end user's perspective, it is inscrutable why it is possible to connect to a website using their browser or curl, but not Java. While there might be some differences because of policy, OpenJDK should strive to match the browser's list of trusted CAs as closely as possible. As of OpenJDK 14.0.1, cacerts contains 93 entries while Mozilla's list contains 138.
> 
> Best,
> Andreas
> 
> [1] https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
> [2] https://github.com/AdoptOpenJDK/openjdk-support/issues/13#issuecomment-626147267
> 

-- 
Dalibor Topic
Consulting Product Manager
Phone: +494089091214, Mobile: +491737185961, Video: dalibor.topic at oracle.com

Oracle Global Services Germany GmbH
Headquarters: Riesstr. 25, D-80992 München
Commercial register: Amtsgericht München, HRB 246209
Managing Director: Ralf Herrmann
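The symptom discussed in this thread can be checked directly rather than inferred from a stack trace. The following diagnostic is an added example, not code from the thread or from OpenJDK: it loads the JDK's default trust store, reports whether a root whose subject DN contains a given name is present (defaulting to Certigna and api.insee.fr, the case from the message), and attempts a TLS handshake to show how a missing root surfaces at the bottom of the exception chain. The class name, output wording and the substring match on the subject DN are my own choices.

```java
import javax.net.ssl.*;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public class CacertsCheck {
    // Roots accepted by the JDK's default TrustManager: lib/security/cacerts,
    // unless -Djavax.net.ssl.trustStore points at another store.
    static X509Certificate[] defaultRoots() throws GeneralSecurityException {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null selects the default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return ((X509TrustManager) tm).getAcceptedIssuers();
        }
        return new X509Certificate[0];
    }

    // True if some trusted root's subject DN contains the name (case-insensitive).
    static boolean hasRoot(X509Certificate[] roots, String name) {
        return Arrays.stream(roots).anyMatch(c -> c.getSubjectX500Principal()
            .getName().toLowerCase().contains(name.toLowerCase()));
    }

    // TLS handshake with host:443; null on success, otherwise a short diagnosis.
    static String handshake(String host) throws IOException {
        try (SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, 443)) {
            s.startHandshake();
            return null;
        } catch (SSLHandshakeException e) {
            Throwable root = e;
            while (root.getCause() != null) root = root.getCause();
            // A root CA missing from the store ends the cause chain in a cert-path
            // or validator exception, i.e. a GeneralSecurityException subclass.
            String kind = root instanceof GeneralSecurityException
                ? "certificate validation failed" : "handshake failed";
            return kind + ": " + root.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "api.insee.fr";
        String ca = args.length > 1 ? args[1] : "Certigna";
        X509Certificate[] roots = defaultRoots();
        System.out.println("trusted roots in default store: " + roots.length);
        System.out.println("root matching '" + ca + "': " + hasRoot(roots, ca));
        String r = handshake(host);
        System.out.println(host + ": " + (r == null ? "handshake OK" : r));
    }
}
```

Running it once against the bundled cacerts and once with -Djavax.net.ssl.trustStore pointing at a store built from Mozilla's certdata.txt makes the difference in root count and in the handshake result visible without changing application code.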
