[security-dev 01711]: Re: Please review new regression test for java.net.* API

Thu Mar 18 21:12:49 UTC 2010

Andrew John Hughes wrote:
> On 18 March 2010 20:56, Christopher Hegarty -Sun Microsystems Ireland
> <Christopher.Hegarty at sun.com> wrote:
>> Brad, Pavel, Andrew,
>>
>> I'm also not comfortable with this test, but what bothers me more than the
>> reliance on an external server is the reliance on cacerts. While cacerts (or
>> equivalent) is not part of OpenJDK I don't think it makes sense adding a
>> test to OpenJDK that has a reliance on it.
>>
>> For now I think is makes more sense to add a test like this to wherever in
>> the build process cacerts (or equivalent) is added.
>>
> 
> The problem is nothing does in the OpenJDK build process.  So SSL is
> always broken for OpenJDK builds.  Is this something we really want?

This is certainly not ideal, but is a separate issue to the test, right? 
It seems Sean or someone in the security team should comment on the 
possibility of adding root CA's to OpenJDK, until then I don't see any 
requirement for a test.

-Chris.

> 
>> -Chris
>>
>> Andrew John Hughes wrote:
>>> On 18 March 2010 18:40, Brad Wetmore <Bradford.Wetmore at sun.com> wrote:
>>>> I have a couple important tasks to finish ASAP, so if there is more
>>>> discussion, I'll have to jump in sometime next week, but wanted to add
>>>> one thing before anything was done:
>>>>
>>>> Pavel wrote:
>>>>> And we can use other URL if verisign.com is problematic.
>>>> We've tried to limit the reliance on servers outside our control for the
>>>> open tests and to be as self-contained as possible, tho I'm sure there
>>>> are still some tests that do this anyway.  IMHO, it's not exactly
>>>> neighborly of OpenJDK to include tests that just bang on someone's
>>>> server(s) for "testing", even if the volume isn't terribly high.  I
>>>> think we should check with the server's admin before we included such a
>>>> test in the general repository.
>>>>
>>>> In the past we've also had transient network errors (servers or network
>>>> down), so that was another reason to limit our external dependencies.
>>>> But they still had to be investigated and took time.
>>>>
>>> https://jaxp.dev.java.net/files/documents/913/147490 seems an
>>> appropriate URL to hit.  It's the very URL that causes the OpenJDK
>>> build to fail to bootstrap itself and I assume Oracle do control
>>> dev.java.net to some degree.
>>>
>>>> Brad
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 3/18/2010 8:50 AM, Pavel Tisnovsky wrote:
>>>>> Christopher Hegarty -Sun Microsystems Ireland wrote:
>>>>>> Alan Bateman wrote:
>>>>>>> Pavel Tisnovsky wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> please review new regression test for java.net.* API. This test
>>>>>>>> check if the cacerts keytool database is configured properly and SSL
>>>>>>>> is really working. The test should not fail if SSL is working (in
>>>>>>>> other case it simply throws IOException). Webrev si available at
>>>>>>>> http://cr.openjdk.java.net/~ptisnovs/TestHttps/
>>>>>>>>
>>>>>>>> Thanks in advance
>>>>>>>> Pavel Tisnovsky
>>>>>>> I suspect the dependency on verisign.com will be problematic.  Isn't
>>>>>>> SSL already covered by the javax.net and https tests?
>>>>>> I'm not sure what the prime motivation of the test is. Pavel, can you
>>>>>> please elaborate?
>>>>>>
>>>>>> Reading between the lines I guess the test is verifying that the
>>>>>> correct  root Certification Authority is installed in cacerts, i.e.
>>>>>> the cert from www.verisign.com can be validated.
>>>>> Hi Chris, you guessed correctly :-) And we can use other URL if
>>>>> verisign.com is problematic.
>>>>>
>>>>>> Alan is correct there are already tests for SSL/Https in javax.net,
>>>>>> but I believe these use self signed certs, no dependency on cacerts.
>>>>>>
>>>>>> -Chris.
>>>>>>
>>>>>>> -Alan.
>>>
>>>
> 
> 
> 