Missing root CAs in cacerts

Weijun Wang weijun.wang at oracle.com
Sat May 16 04:06:28 UTC 2020


The update-ca-trust command on Red Hat Linux (and Oracle Linux) imports certs from multiple sources and is able to generate a Java keystore at /etc/pki/java/cacerts. Last time I checked on one of our machines in OCI, it contains 54 certs not in OpenJDK's cacerts file and OpenJDK's cacerts has 12 not there.

--Max

p.s. OpenJDK has 93 certs now.

> On May 15, 2020, at 5:52 PM, Magnus Ihse Bursie <magnus.ihse.bursie at oracle.com> wrote:
> 
> On 2020-05-14 19:44, Andreas Ahlenstorf wrote:
>> Hi!
>> 
>> At AdoptOpenJDK, we get support requests because root CAs are missing from the bundled cacerts file (lib/security/cacerts). We ship the same cacerts file as OpenJDK. As a result, our users cannot connect to various servers using Java's built-in APIs while their browsers can. An example URL that fails is https://api.insee.fr/catalogue/ (root CA: Certigna).
>> 
>> Replacing the bundled cacerts file with one generated from Mozilla's list of trusted CAs [1] fixes the problem. [2] contains the full analysis based on OpenJDK 14.0.1 including an executable test case.
>> 
>> Questions:
>> 
>> * Does OpenJDK want to do something about that?
>> * Is there interest for a collaboration in that area, especially by other distributors of OpenJDK like Azul, BellSoft?
>> 
>> Commentary:
>> 
>> From an end user's perspective, it is inscrutable why it is possible to connect to a website using their browser or curl, but not Java. While there might be some differences because of policy, OpenJDK should strive to match the browser's list of trusted CAs as closely as possible. As of OpenJDK 14.0.1, cacerts contains 93 entries while Mozilla's list contains 138.
> From my personal point of view, it seems to make sense to use the Mozilla list. We already use e.g. the Mozilla Public Suffix List, which is a well-handled curated list.
> 
> However, a change of the set of root CAs can certainly have user implications. Have you analyzed which CAs Mozilla is shipping that OpenJDK is missing? And -- even more importantly to avoid regressions for OpenJDK users -- is OpenJDK currently shipping any root CA certificates that Mozilla is missing?
> 
> /Magnus
>> 
>> Best,
>> Andreas
>> 
>> [1] https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
>> [2] https://github.com/AdoptOpenJDK/openjdk-support/issues/13#issuecomment-626147267
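The comparison Max describes above (the update-ca-trust generated /etc/pki/java/cacerts against OpenJDK's lib/security/cacerts, counting what is only on each side) is the analysis Magnus asks for. Below is an added example, not code from the thread or from OpenJDK: a Java 17+ program that diffs two keystores by SHA-256 fingerprint of each certificate. It assumes both files open with the default cacerts password "changeit" and that the two paths are passed as arguments.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.nio.file.Path;
import java.util.Enumeration;
import java.util.HexFormat;
import java.util.Map;
import java.util.TreeMap;

public class TrustStoreDiff {
    /** SHA-256 over the DER encoding: the same root in two stores yields the same key. */
    static String fingerprint(Certificate c) throws Exception {
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(c.getEncoded()));
    }

    /** Loads a JKS or PKCS12 trust store (assumed: both cacerts files use the default password "changeit"). */
    static Map<String, X509Certificate> loadTrustStore(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(file.toFile(), password); // probes JKS vs PKCS12
        Map<String, X509Certificate> out = new TreeMap<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement()); // null for key entries without a cert
            if (c instanceof X509Certificate x) out.put(fingerprint(x), x);
        }
        return out;
    }

    /** Prints each certificate in 'have' whose fingerprint is absent from 'other'; returns the count. */
    static int reportMissing(Map<String, X509Certificate> have, Map<String, X509Certificate> other) {
        int n = 0;
        for (Map.Entry<String, X509Certificate> e : have.entrySet()) {
            if (other.containsKey(e.getKey())) continue;
            n++;
            System.out.println("  " + e.getValue().getSubjectX500Principal().getName() + "  " + e.getKey());
        }
        return n;
    }

    // Usage: java TrustStoreDiff $JAVA_HOME/lib/security/cacerts /etc/pki/java/cacerts
    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();
        Map<String, X509Certificate> jdk = loadTrustStore(Path.of(args[0]), pw);
        Map<String, X509Certificate> sys = loadTrustStore(Path.of(args[1]), pw);
        System.out.println("Only in " + args[1] + ":");
        int onlySys = reportMissing(sys, jdk);
        System.out.println("Only in " + args[0] + ":");
        int onlyJdk = reportMissing(jdk, sys);
        System.out.printf("%d certs (%d only here) vs %d certs (%d only here)%n", jdk.size(), onlyJdk, sys.size(), onlySys);
    }
}
```

Matching by fingerprint treats a re-issued or cross-signed certificate for the same CA as a different entry, so read the subject names in both lists before concluding that a CA is absent from one store.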
