Date: Mon, 25 Jun 2018 15:31:34 +0000 From: bugzilla-noreply@freebsd.org To: java@FreeBSD.org Subject: [Bug 229329] java/openjdk8: allow user to trust extra local certificates Message-ID: <bug-229329-8522-HQpghZtyU4@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-229329-8522@https.bugs.freebsd.org/bugzilla/> References: <bug-229329-8522@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D229329 Palle Girgensohn <girgen@FreeBSD.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |glewis@FreeBSD.org --- Comment #4 from Palle Girgensohn <girgen@FreeBSD.org> --- (In reply to Michael Osipov from comment #3) I was not aware that the cacert list in java didn't come from openjdk. I see now that is locally maintained in $FILESDIR/cacerts. This is probably since= it is copied into $PREFIX/openjdk8/jre/lib/security/ and we want the openjdk8 package to be consistently build for a certain version of the port. Deriving the OpenJDK CA roots file from security/ca_root_nss is probably eq= ual yo getting it from https://packages.ubuntu.com/bionic/ca-certificates-java = and this is problaby what happens except it is done manually when the port is updated. It would not help you with your problem, since it would still give= you the same problems with "mismatched checksums" warnings if you added your own CA:s to it. Now, with a local copy of the list, you could manage the suggested "local" = list "/home/girgen/cacerts" by copying the "big" cacert list from ubuntu *or* ca_root_nss *or* OpenJDK:s built-in cacerts, and adding your own CA:s at the end, just as you are doing now except using a different file. By using your= own file you would not get pkg nagging about checksums. Still this is a hassle = in that every java application needs this `-Djavax.net.ssl.trustStore=3D/home/girgen/mycacerts` flag, but I still thi= nk that is a general Java problem that should not be handled for one platform.= =20 You can of course choose to ignore the checksum warnings, but there is no e= asy way around the fact that editing a file installed by the package system will render a checksum error if you manually change that. Also, every time you update java, you need to re-add your additions. Still, I'm open to suggestions. Greg's input would of course also be valuab= le. You are definitely not the only one with this problem! --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-229329-8522-HQpghZtyU4>