Date: Mon, 25 Jun 2018 15:31:34 +0000
From: bugzilla-noreply@freebsd.org
To: java@FreeBSD.org
Subject: [Bug 229329] java/openjdk8: allow user to trust extra local certificates
Message-ID: <bug-229329-8522-HQpghZtyU4@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-229329-8522@https.bugs.freebsd.org/bugzilla/>
References: <bug-229329-8522@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229329

Palle Girgensohn <girgen@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |glewis@FreeBSD.org

--- Comment #4 from Palle Girgensohn <girgen@FreeBSD.org> ---
(In reply to Michael Osipov from comment #3)

I was not aware that the cacert list in java didn't come from openjdk. I see
now that it is locally maintained in $FILESDIR/cacerts. This is probably since it
is copied into $PREFIX/openjdk8/jre/lib/security/ and we want the openjdk8
package to be consistently built for a certain version of the port.

Deriving the OpenJDK CA roots file from security/ca_root_nss is probably equal
to getting it from https://packages.ubuntu.com/bionic/ca-certificates-java and
this is probably what happens except it is done manually when the port is
updated. It would not help you with your problem, since it would still give you
the same problems with "mismatched checksums" warnings if you added your own
CA:s to it.

Now, with a local copy of the list, you could manage the suggested "local" list
"/home/girgen/cacerts" by copying the "big" cacert list from ubuntu *or*
ca_root_nss *or* OpenJDK:s built-in cacerts, and adding your own CA:s at the
end, just as you are doing now except using a different file. By using your own
file you would not get pkg nagging about checksums. Still this is a hassle in
that every java application needs this
`-Djavax.net.ssl.trustStore=/home/girgen/mycacerts` flag, but I still think
that is a general Java problem that should not be handled for one platform.

You can of course choose to ignore the checksum warnings, but there is no easy
way around the fact that editing a file installed by the package system will
render a checksum error if you manually change that. Also, every time you update
java, you need to re-add your additions.

Still, I'm open to suggestions. Greg's input would of course also be valuable.

You are definitely not the only one with this problem!

-- 
You are receiving this mail because:
You are the assignee for the bug.
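
The local trust store approach described in the message above, as an added shell example that is not part of the original e-mail or of the port. The alias `corp-root`, the file `corp-root.pem` and the store password `changeit` (the JDK default) are assumptions; the store paths are the ones the message names.

```shell
#!/bin/sh
# Added example, not from the original message. Assumed values: the alias
# "corp-root", the PEM file name and the JDK default password "changeit".

# build_truststore SRC_CACERTS DEST_STORE CA_PEM ALIAS [STOREPASS]
# Copies the package-installed cacerts to a private file and imports one
# extra CA into the copy; the installed file is never written to.
build_truststore() {
    src=$1 dest=$2 pem=$3 name=$4 pass=${5:-changeit}

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    # Writing to the package-owned file is what causes the checksum
    # mismatch, and the change is lost on the next update.
    if [ "$src" = "$dest" ] || [ "$src" -ef "$dest" ]; then
        echo "refusing to modify the installed store $src" >&2
        return 1
    fi

    # Work on a temporary copy so a failed import never leaves a
    # half-written store where Java applications would pick it up.
    tmp="$dest.tmp.$$"
    cp "$src" "$tmp" && chmod 644 "$tmp" || return 1
    keytool -importcert -noprompt -trustcacerts -alias "$name" \
        -file "$pem" -keystore "$tmp" -storepass "$pass" >/dev/null \
        || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$dest"
}

# truststore_flags DEST_STORE [STOREPASS]
# Prints the JVM options each Java application has to be started with.
truststore_flags() {
    printf '%s %s\n' "-Djavax.net.ssl.trustStore=$1" \
        "-Djavax.net.ssl.trustStorePassword=${2:-changeit}"
}

# Usage (rerun after every openjdk8 update to pick up the new root list):
#   build_truststore "$PREFIX/openjdk8/jre/lib/security/cacerts" \
#       /home/girgen/mycacerts corp-root.pem corp-root
#   java $(truststore_flags /home/girgen/mycacerts) -jar app.jar
```

Because the result is rebuilt from the installed store on each run, `pkg check -s` keeps reporting the package-owned file as unmodified.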
