[security-dev 01709]: Re: Please review new regression test for java.net.* API

Christopher Hegarty -Sun Microsystems Ireland Christopher.Hegarty at Sun.COM
Thu Mar 18 20:56:37 UTC 2010 

Brad, Pavel, Andrew,

I'm also not comfortable with this test, but what bothers me more than 
the reliance on an external server is the reliance on cacerts. While 
cacerts (or equivalent) is not part of OpenJDK I don't think it makes 
sense adding a test to OpenJDK that has a reliance on it.

For now I think is makes more sense to add a test like this to wherever 
in the build process cacerts (or equivalent) is added.

-Chris

Andrew John Hughes wrote:
> On 18 March 2010 18:40, Brad Wetmore <Bradford.Wetmore at sun.com> wrote:
>> I have a couple important tasks to finish ASAP, so if there is more
>> discussion, I'll have to jump in sometime next week, but wanted to add
>> one thing before anything was done:
>>
>> Pavel wrote:
>>> And we can use other URL if verisign.com is problematic.
>> We've tried to limit the reliance on servers outside our control for the
>> open tests and to be as self-contained as possible, tho I'm sure there
>> are still some tests that do this anyway.  IMHO, it's not exactly
>> neighborly of OpenJDK to include tests that just bang on someone's
>> server(s) for "testing", even if the volume isn't terribly high.  I
>> think we should check with the server's admin before we included such a
>> test in the general repository.
>>
>> In the past we've also had transient network errors (servers or network
>> down), so that was another reason to limit our external dependencies.
>> But they still had to be investigated and took time.
>>
> 
> https://jaxp.dev.java.net/files/documents/913/147490 seems an
> appropriate URL to hit.  It's the very URL that causes the OpenJDK
> build to fail to bootstrap itself and I assume Oracle do control
> dev.java.net to some degree.
> 
>> Brad
>>
>>
>>
>>
>>
>>
>> On 3/18/2010 8:50 AM, Pavel Tisnovsky wrote:
>>> Christopher Hegarty -Sun Microsystems Ireland wrote:
>>>> Alan Bateman wrote:
>>>>> Pavel Tisnovsky wrote:
>>>>>> Hi,
>>>>>>
>>>>>> please review new regression test for java.net.* API. This test
>>>>>> check if the cacerts keytool database is configured properly and SSL
>>>>>> is really working. The test should not fail if SSL is working (in
>>>>>> other case it simply throws IOException). Webrev si available at
>>>>>> http://cr.openjdk.java.net/~ptisnovs/TestHttps/
>>>>>>
>>>>>> Thanks in advance
>>>>>> Pavel Tisnovsky
>>>>> I suspect the dependency on verisign.com will be problematic.  Isn't
>>>>> SSL already covered by the javax.net and https tests?
>>>> I'm not sure what the prime motivation of the test is. Pavel, can you
>>>> please elaborate?
>>>>
>>>> Reading between the lines I guess the test is verifying that the
>>>> correct  root Certification Authority is installed in cacerts, i.e.
>>>> the cert from www.verisign.com can be validated.
>>> Hi Chris, you guessed correctly :-) And we can use other URL if
>>> verisign.com is problematic.
>>>
>>>> Alan is correct there are already tests for SSL/Https in javax.net,
>>>> but I believe these use self signed certs, no dependency on cacerts.
>>>>
>>>> -Chris.
>>>>
>>>>> -Alan.
> 
> 
>

More information about the security-dev mailing list