[Bug 229329] java/openjdk8: allow user to trust extra local certificates


[Bug 229329] java/openjdk8: allow user to trust extra local certificates

bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229329

            Bug ID: 229329
           Summary: java/openjdk8: allow user to trust extra local
                    certificates
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: [hidden email]
          Reporter: [hidden email]
             Flags: maintainer-feedback?([hidden email])
          Assignee: [hidden email]

This is a clone of Bug 160387 for Java:

my company maintains internal CAs which are distributed with the cacerts
(Oracle-provided + ours) with the company-wide JRE distribution. I need those
cacerts on our BSD servers too, copied it and have:

Checking for packages with mismatched checksums:
openjdk-7.161.01,1: /usr/local/openjdk7/jre/lib/security/cacerts
openjdk8-8.172.11: /usr/local/openjdk8/jre/lib/security/cacerts

Please provide some means for a custom/mergeable cacerts.

--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-java
To unsubscribe, send any mail to "[hidden email]"

maintainer-feedback requested: [Bug 229329] java/openjdk8: allow user to trust extra local certificates

bugzilla-noreply
Bugzilla Automation <[hidden email]> has asked freebsd-java mailing list
<[hidden email]> for maintainer-feedback:
Bug 229329: java/openjdk8: allow user to trust extra local certificates
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229329




[Bug 229329] java/openjdk8: allow user to trust extra local certificates

bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229329

Palle Girgensohn <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]
             Status|New                         |Open

--- Comment #1 from Palle Girgensohn <[hidden email]> ---
The problem is really a general problem with how this is designed in Java. I am
inclined to refuse this suggestion since it would now be compatible with other
OS:es javas.

The preferred way to do this in Java is
`java -Djavax.net.ssl.trustStore=/home/girgen/mycacerts` or similar.

I agree that this sucks, but fixing it only for FreeBSD is not the best option,
IMO. Feel free to disagree. :)

Palle


[Bug 229329] java/openjdk8: allow user to trust extra local certificates

bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229329

--- Comment #2 from Palle Girgensohn <[hidden email]> ---
(In reply to Palle Girgensohn from comment #1)
Misspelt: ... would NOT be compatible... sorry for the confusion.


[Bug 229329] java/openjdk8: allow user to trust extra local certificates

bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229329

--- Comment #3 from Michael Osipov <[hidden email]> ---
> The problem is really a general problem with how this is designed in Java. I am inclined to refuse this suggestion since it would now be compatible with other OS:es javas.

I do not fully agree because other OSes do derive cacerts from Mozilla's public
list. OpenJDK does not yet include a cacerts. BTW, RHEL provides an overly
complex option to solve bug 229329.

> -Djavax.net.ssl.trustStore=/home/girgen/mycacerts

Isn't really an option because I would miss all public CAs. It'd be a
cat-and-mouse game to chase both, which I don't want to do. Moreover, hooking
this into each and every possible application is a pain.

I'd like to hear Greg Lewis's stance on this, and since 229329 has not been
rejected yet, it'd be fair to keep this one open. I guess I am not the only
idiot having this problem.

At best 229329 would be resolved and the ports system would derive the cacerts
from ca_root_nss: https://packages.ubuntu.com/bionic/ca-certificates-java


[Bug 229329] java/openjdk8: allow user to trust extra local certificates

bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229329

Palle Girgensohn <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #4 from Palle Girgensohn <[hidden email]> ---
(In reply to Michael Osipov from comment #3)

I was not aware that the cacert list in java didn't come from openjdk. I see
now that it is locally maintained in $FILESDIR/cacerts. This is probably since it
is copied into $PREFIX/openjdk8/jre/lib/security/ and we want the openjdk8
package to be consistently built for a certain version of the port.

Deriving the OpenJDK CA roots file from security/ca_root_nss is probably equal
to getting it from https://packages.ubuntu.com/bionic/ca-certificates-java and
this is probably what happens except it is done manually when the port is
updated. It would not help you with your problem, since it would still give you
the same problems with "mismatched checksums" warnings if you added your own
CAs to it.

Now, with a local copy of the list, you could manage the suggested "local" list
"/home/girgen/cacerts" by copying the "big" cacert list from ubuntu *or*
ca_root_nss *or* OpenJDK's built-in cacerts, and adding your own CAs at the
end, just as you are doing now except using a different file. By using your own
file you would not get pkg nagging about checksums. Still this is a hassle in
that every java application needs this
`-Djavax.net.ssl.trustStore=/home/girgen/mycacerts` flag, but I still think
that is a general Java problem that should not be handled for one platform.

You can of course choose to ignore the checksum warnings, but there is no easy
way around the fact that editing a file installed by the package system will
render a checksum error if you manually change that. Also, every time you
update java, you need to re-add your additions.

Still, I'm open to suggestions. Greg's input would of course also be valuable.
You are definitely not the only one with this problem!

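The workaround debated in comments #3 and #4 (a separate trust store that, used via -Djavax.net.ssl.trustStore, drops all public CAs) can instead be done inside the application: consult the JVM's own cacerts first and fall back to a local PEM bundle, so the package-installed file is never edited and no checksum warning appears. This is an added example, not code from the thread or from the port; it assumes the extra CAs sit in a PEM file whose path the application supplies (any path, e.g. a placeholder like /usr/local/etc/local-ca.pem), and it is written for Java 8 to match the port under discussion.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.stream.Stream;
import javax.net.ssl.*;

/** Trusts a chain if the JVM's default cacerts accept it or, failing that, a local PEM bundle does. */
public final class MergedTrust implements X509TrustManager {
    private final X509TrustManager defaults; // built from the package-installed cacerts, which stays untouched
    private final X509TrustManager local;    // built from the extra PEM bundle (path is the caller's assumption)

    public MergedTrust(String localPemPath) throws Exception {
        defaults = fromKeyStore(null);       // null = the JVM default trust store (cacerts)
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                 // empty in-memory keystore, never written to disk
        int n = 0;
        try (InputStream in = new FileInputStream(localPemPath)) {
            // generateCertificates() reads every PEM-encoded certificate in the file
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                ks.setCertificateEntry("local-" + n++, c);
            }
        }
        if (n == 0) throw new CertificateException("no certificates found in " + localPemPath);
        local = fromKeyStore(ks);
    }

    private static X509TrustManager fromKeyStore(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Each check is full path validation, first against the public roots and then against the local ones.
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
        try { defaults.checkServerTrusted(c, a); } catch (CertificateException e) { local.checkServerTrusted(c, a); }
    }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
        try { defaults.checkClientTrusted(c, a); } catch (CertificateException e) { local.checkClientTrusted(c, a); }
    }
    @Override public X509Certificate[] getAcceptedIssuers() {
        return Stream.concat(Arrays.stream(defaults.getAcceptedIssuers()), Arrays.stream(local.getAcceptedIssuers()))
                     .toArray(X509Certificate[]::new);
    }
}
```

To use it, create an SSLContext, call `init(null, new TrustManager[]{ new MergedTrust(path) }, null)` on it and hand that context to HttpsURLConnection or whichever JSSE client the application uses.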

[Bug 229329] java/openjdk8: allow user to trust extra local certificates

bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229329

--- Comment #5 from Michael Osipov <[hidden email]> ---
(In reply to Palle Girgensohn from comment #4)

Switching to security/ca_root_nss would solve my problem if and only if bug
160387 would be resolved. It would make cert usage on the system consistent
across implementations within a company.

What I did for the moment is

> $ svn diff /usr/ports/security/ca_root_nss/
> Index: /usr/ports/security/ca_root_nss/Makefile
> ===================================================================
> --- /usr/ports/security/ca_root_nss/Makefile    (Revision 473303)
> +++ /usr/ports/security/ca_root_nss/Makefile    (Arbeitskopie)
> @@ -54,6 +54,7 @@
>                 ${PERL} ${WRKDIR}/${BUNDLE_PROCESSOR} \
>             < ${WRKDIR}/certdata.txt > \
>             ${WRKDIR}/ca-root-nss.crt
> +       @${CAT} ${FILESDIR}/siemens_ca_certificates.pem >> ${WRKDIR}/ca-root-nss.crt
>
>  do-install:
>         ${MKDIR} ${STAGEDIR}${PREFIX}/${CERTDIR}
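Review bot: the added `@${CAT} ${FILESDIR}/siemens_ca_certificates.pem >> ${WRKDIR}/ca-root-nss.crt` runs unconditionally and names a site-specific file, so the target fails outright when that file is absent and the change cannot be carried in the shared port as it stands; wrapping it in `.if exists(${FILESDIR}/local-ca.pem)` or driving it from a user-settable variable would keep the local bundle optional. Worth keeping in mind as well that everything appended there becomes a trust anchor for every consumer of ca-root-nss.crt on the host, so the appended file deserves the same tracking and review as the upstream certdata.txt it is merged with.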


Ignoring cert errors is absolutely not an option.


[Bug 229329] java/openjdk8: allow user to trust extra local certificates

bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229329

Mark Felder <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #6 from Mark Felder <[hidden email]> ---
(In reply to Palle Girgensohn from comment #1)

I disagree. CentOS/RHEL have solved this problem which makes them a great
platform for Enterprise Java apps. It's our responsibility to solve this
ourselves. Please see this review:

https://reviews.freebsd.org/D16352


[Bug 229329] java/openjdk8: allow user to trust extra local certificates

bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229329

--- Comment #7 from Michael Osipov <[hidden email]> ---
(In reply to Mark Felder from comment #6)
Is there anything I can do to make this happen? I have proposed a few changes
to the differential as well as a very elaborate use case from work.


[Bug 229329] java/openjdk8: allow user to trust extra local certificates

bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229329

--- Comment #8 from Michael Osipov <[hidden email]> ---
For those who care: If all goes well, Java 14 will move cacerts keystore to a
PEM file just like OpenSSL uses:
http://cr.openjdk.java.net/~weijun/8162628/webrev.00/

I have initiated this change. The original idea was to move to a passwordless
PKCS12 keystore which I have vetoed.
