Missing root CAs in cacerts
weijun.wang at oracle.com
Sat May 16 04:06:28 UTC 2020
The update-ca-trust command on Red Hat Linux (and Oracle Linux) imports certs from multiple sources and is able to generate a Java keystore at /etc/pki/java/cacerts. Last time I checked on one of our machines in OCI, it contains 54 certs not in OpenJDK's cacerts file, and OpenJDK's cacerts has 12 not there.
p.s. OpenJDK has 93 certs now.
> On May 15, 2020, at 5:52 PM, Magnus Ihse Bursie <magnus.ihse.bursie at oracle.com> wrote:
> On 2020-05-14 19:44, Andreas Ahlenstorf wrote:
>> At AdoptOpenJDK, we get support requests because root CAs are missing from the bundled cacerts file (lib/security/cacerts). We ship the same cacerts file as OpenJDK. As a result, our users cannot connect to various servers using Java's built-in APIs while their browsers can. An example URL that fails is https://api.insee.fr/catalogue/ (root CA: Certigna).
>> Replacing the bundled cacerts file with one generated from Mozilla's list of trusted CAs  fixes the problem.  contains the full analysis based on OpenJDK 14.0.1 including an executable test case.
>> * Does OpenJDK want to do something about that?
>> * Is there interest for a collaboration in that area, especially by other distributors of OpenJDK like Azul, BellSoft?
>> From an end user's perspective, it is inscrutable why it is possible to connect to a website using their browser or curl, but not Java. While there might be some differences because of policy, OpenJDK should strive to match the browser's list of trusted CAs as closely as possible. As of OpenJDK 14.0.1, cacerts contains 93 entries while Mozilla's list contains 138.
> From my personal point of view, it seems to make sense to use the Mozilla list. We already use e.g. the Mozilla Public Suffix List, which is a well-handled curated list.
> However, a change of the set of root CAs can certainly have user implications. Have you analyzed which CAs Mozilla is shipping that OpenJDK is missing? And -- even more importantly to avoid regressions for OpenJDK users -- is OpenJDK currently shipping any root CA certificates that Mozilla is missing?
>>  https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
>>  https://github.com/AdoptOpenJDK/openjdk-support/issues/13#issuecomment-626147267
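The comparison discussed in this thread (which roots one trust store has that the other lacks) can be reproduced with the JDK's own KeyStore API. This is an added example, not code from the thread or from OpenJDK; it assumes two trust store paths as arguments, such as the JDK's lib/security/cacerts and the /etc/pki/java/cacerts file that update-ca-trust generates, and it keys on the certificate's SHA-256 fingerprint because aliases differ between distributions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Map;
import java.util.TreeMap;
public class CacertsDiff {
    // Index a trust store by the SHA-256 fingerprint of each certificate. Aliases
    // differ between distributions, so the fingerprint is the only stable key.
    static Map<String, String> fingerprints(String path) throws Exception {
        // Assumes the JDK default keystore.type.compat=true, so the default
        // (PKCS12) type opens both JKS and PKCS12 cacerts files.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, null); // null password: read without an integrity check
        }
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        Map<String, String> out = new TreeMap<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            Certificate c = ks.getCertificate(aliases.nextElement());
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            StringBuilder hex = new StringBuilder();
            for (byte b : sha256.digest(x.getEncoded())) hex.append(String.format("%02x", b));
            out.put(hex.toString(), x.getSubjectX500Principal().getName());
        }
        return out;
    }
    // Print every certificate present in 'from' but absent from 'in'; returns the count.
    static int printMissing(String label, Map<String, String> from, Map<String, String> in) {
        int n = 0;
        for (Map.Entry<String, String> e : from.entrySet()) {
            if (in.containsKey(e.getKey())) continue;
            System.out.println(label + " " + e.getKey().substring(0, 16) + "... " + e.getValue());
            n++;
        }
        return n;
    }
    public static void main(String[] args) throws Exception {
        // e.g. java CacertsDiff $JAVA_HOME/lib/security/cacerts /etc/pki/java/cacerts
        Map<String, String> jdk = fingerprints(args[0]), sys = fingerprints(args[1]);
        System.out.println(args[0] + ": " + jdk.size() + " certs; " + args[1] + ": " + sys.size() + " certs");
        int a = printMissing("only in " + args[0] + ":", jdk, sys);
        int b = printMissing("only in " + args[1] + ":", sys, jdk);
        System.out.println(a + " missing from " + args[1] + ", " + b + " missing from " + args[0]);
    }
}
```

The subject names printed for the "only in" entries are what you would check against Mozilla's certdata.txt before deciding whether a missing root is a policy difference or a gap worth reporting.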