RFR: 8344924: Default CA certificates loaded despite request to use custom keystore

Kevin Driver kdriver at openjdk.org
Tue Dec 10 18:20:38 UTC 2024


On Sat, 7 Dec 2024 06:41:41 GMT, Alan Bateman <alanb at openjdk.org> wrote:

>> A regression was introduced by [JDK-8338383](https://bugs.openjdk.org/browse/JDK-8338383). Remove the forced static eager initialization.
>
> Would it be possible to create some follow-up issues to re-visit the class initialisers and the coarseness of locking in this area? As noted in the bug, the use of class locks is surprising.
> 
> Also I'm not sure about saying "regression". I assume the only negative impact of eager initialising AnchorCertificates is when using a custom implementation. In that case, the default truststore is needlessly loaded, is that right?

@AlanBateman, sure, I can create some follow-up issues. 

Unfortunately, I do feel that this was to fix a regression. Using a custom trust store is quite common, I believe, and the previous change broke that functionality.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/22616#issuecomment-2532534690

