[security-dev 01725]: Re: Please review new regression test for java.net.* API
Sean Mullan
Sean.Mullan at Sun.COM
Mon Mar 22 15:41:07 UTC 2010
Andrew John Hughes wrote:
> On 18 March 2010 21:12, Christopher Hegarty -Sun Microsystems Ireland
> <Christopher.Hegarty at sun.com> wrote:
>> Andrew John Hughes wrote:
>>> On 18 March 2010 20:56, Christopher Hegarty -Sun Microsystems Ireland
>>> <Christopher.Hegarty at sun.com> wrote:
>>>> Brad, Pavel, Andrew,
>>>>
>>>> I'm also not comfortable with this test, but what bothers me more than the
>>>> reliance on an external server is the reliance on cacerts. While cacerts (or
>>>> equivalent) is not part of OpenJDK I don't think it makes sense adding a
>>>> test to OpenJDK that has a reliance on it.
>>>>
>>>> For now I think it makes more sense to add a test like this to wherever in
>>>> the build process cacerts (or equivalent) is added.
>>>>
>>> The problem is nothing does in the OpenJDK build process. So SSL is
>>> always broken for OpenJDK builds. Is this something we really want?
>> This is certainly not ideal, but is a separate issue to the test, right? It
>> seems Sean or someone in the security team should comment on the possibility
>> of adding root CAs to OpenJDK, until then I don't see any requirement for a
>> test.

I don't have an answer right now - this will take some more investigation first.

> My thoughts too. We have a solution for GNU/Linux where cacerts is
> populated from the crt files found on the system (installed by Mozilla
> and the like). I don't know what the equivalent would be for Windows
> and Solaris though. A quick look on my OpenSolaris box didn't find
> any crt files but I only looked in installed packages. I presume
> firefox may bring some in if it's available.

On Windows you can use the "Windows-ROOT" KeyStore type, ex:

    keytool -list -keystore NONE -storetype Windows-ROOT

I haven't tried it, but you could probably use the keytool -importkeystore
option to import all of these certs into the cacerts file.

On Solaris, you could use the /usr/java/jre/lib/security/cacerts file.

--Sean
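
The two approaches mentioned in this thread (reading the "Windows-ROOT" KeyStore on Windows, and populating cacerts from system crt files on GNU/Linux) can be sketched in Java as follows. This is an added example, not code from the thread or from OpenJDK; the class name BuildCacerts, the command-line arguments (output file, then crt directory), the "changeit" password and the choice to skip expired roots are assumptions.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;

// Added example: builds a JKS trust store from the platform's root certificates.
public class BuildCacerts {
    // Add one certificate; skip roots that are expired or not yet valid.
    static boolean add(KeyStore dest, String alias, Certificate c) throws Exception {
        if (!(c instanceof X509Certificate)) return false;
        try {
            ((X509Certificate) c).checkValidity();
        } catch (CertificateException e) {
            return false;
        }
        dest.setCertificateEntry(alias, c);
        return true;
    }
    // Windows: read the system root store through the "Windows-ROOT" KeyStore type.
    static int fromWindowsRoot(KeyStore dest) throws Exception {
        KeyStore src = KeyStore.getInstance("Windows-ROOT");
        src.load(null, null);
        int n = 0;
        for (String alias : Collections.list(src.aliases()))
            if (add(dest, alias, src.getCertificate(alias))) n++;
        return n;
    }
    // GNU/Linux: read every *.crt file (PEM or DER) found in a directory.
    static int fromCrtDir(KeyStore dest, Path dir) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int n = 0;
        try (DirectoryStream<Path> files = Files.newDirectoryStream(dir, "*.crt")) {
            for (Path f : files) {
                try (InputStream in = Files.newInputStream(f)) {
                    int i = 0;
                    for (Certificate c : cf.generateCertificates(in))
                        if (add(dest, f.getFileName() + "#" + i++, c)) n++;
                }
            }
        }
        return n;
    }
    public static void main(String[] args) throws Exception {
        KeyStore dest = KeyStore.getInstance("JKS");
        dest.load(null, null); // start from an empty store
        boolean windows = System.getProperty("os.name").startsWith("Windows");
        int n = windows ? fromWindowsRoot(dest) : fromCrtDir(dest, Paths.get(args[1]));
        // "changeit" is an assumed password; args[0] is the output file.
        try (OutputStream out = Files.newOutputStream(Paths.get(args[0]))) {
            dest.store(out, "changeit".toCharArray());
        }
        System.out.println("imported " + n + " certificates into " + args[0]);
    }
}
```

The resulting file can be inspected with keytool -list -keystore on the output path before it is put in place of any cacerts file.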