pkgsrc-Users archive


Re: lang/openjdk11 certificates



Hi,

Ryo ONODERA <ryo%tetera.org@localhost> writes:

> Hi,
>
> Jonathan Perkin <jperkin%joyent.com@localhost> writes:
>
>> * On 2021-01-26 at 13:55 GMT, Ryo ONODERA wrote:
>>
>>> David Brownlee <abs%absd.org@localhost> writes:
>>> 
>>> > On Sun, 24 Jan 2021 at 00:34, Robert Swindells <rjs%fdy2.co.uk@localhost> wrote:
>>> >>
>>> >> Is anyone able to use lang/openjdk11 to do any https connections ?
>>> >>
>>> >> Trying to use maven with it results in an error that trustAnchors are
>>> >> empty.
>>> >>
>>> >> Using lang/openjdk8 does work.
>>> >
>>> > I think that while both openjdk8 and openjdk11 build a default set of
>>> > certificates, only openjdk8 installs them (running up a test to try to
>>> > add them to the openjdk11 package this end to see if it affects the
>>> > behaviour)
>>> 
>>> I think the cacerts file is installed as java/openjdk11/lib/security/cacerts,
>>> however it is not used properly.
>>> 
>>> The cacerts password is "changeit", which is the same as the JDK's default
>>> password, and the password should be used automatically.
>>> 
>>> If you specify the password explicitly, the SSL/TLS error will disappear,
>>> like:
>>> 
>>> $ openjdk11-java -Djavax.net.ssl.trustStorePassword=changeit -jar josm-tested.jar
>>> 
>>> I have not found any clue to fix this problem yet.
>>
>> The options used in our (Joyent) openjdk11 build are slightly
>> different:
>>
>>   https://github.com/joyent/pkgsrc-joyent/blob/master/openjdk11/Makefile#L109-L124
>>
>> You could try those, notably this fix:
>>
>>   https://github.com/joyent/pkgsrc-joyent/commit/5102e341158451963781108f91aea350f567d4d0
>
> As you suggest, using a jks type cacerts will work.
> I think that keystore.type=pkcs12 in
> /usr/pkg/java/openjdk11/conf/security/java.security
> should be converted to keystore.type=jks too.
>
> I cannot find any patch to change keystore.type in
> pkgsrc-joyent/blob/master/openjdk11.
> Is this kind of patch not required?

It seems that "keystore.type=jks" is not required.
I will commit "-storetype jks".

Thank you.

> Anyway, I will try to add "-storetype jks".
>
> Thank you.
>
>> Cheers,
>>
>> -- 
>> Jonathan Perkin  -  Joyent, Inc.  -  www.joyent.com
>
> -- 
> Ryo ONODERA // ryo%tetera.org@localhost
> PGP fingerprint = 82A2 DC91 76E0 A10A 8ABB  FD1B F404 27FA C7D1 15F3

-- 
Ryo ONODERA // ryo%tetera.org@localhost
PGP fingerprint = 82A2 DC91 76E0 A10A 8ABB  FD1B F404 27FA C7D1 15F3
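
The thread turns on which container format the installed cacerts file uses (jks or pkcs12) and what keystore.type is set in java.security. The following is an added example, not part of any message in the thread and not pkgsrc or Joyent code: it reads the leading bytes of a keystore to report its format and prints the configured keystore.type. The function names keystore_format and configured_type are hypothetical, and both file paths are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): identify a keystore's container
# format from its first bytes and show the configured keystore.type.
#   JKS   files start with the magic bytes FE ED FE ED
#   JCEKS files start with the magic bytes CE CE CE CE
#   PKCS#12 is DER-encoded, so it starts with an ASN.1 SEQUENCE tag (0x30);
#   this is a heuristic, since any DER structure starts the same way.

keystore_format() {
    # Read the first 4 bytes as lowercase hex with no separators.
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedfeed) echo jks ;;
        cececece) echo jceks ;;
        30*)      echo pkcs12 ;;
        *)        echo unknown ;;
    esac
}

# Print the active (uncommented) keystore.type value from a java.security
# file. Lines such as keystore.type.compat=... are not matched.
configured_type() {
    sed -n 's/^[[:space:]]*keystore\.type[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Usage: sh ksfmt.sh CACERTS [JAVA_SECURITY]
# Paths are supplied by the caller; none are assumed here.
if [ "$#" -gt 0 ]; then
    echo "cacerts format: $(keystore_format "$1")"
    if [ -n "$2" ]; then
        echo "keystore.type:  $(configured_type "$2")"
    fi
fi
```
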

