Date:      Mon, 25 Jun 2018 15:31:34 +0000
From:      bugzilla-noreply@freebsd.org
To:        java@FreeBSD.org
Subject:   [Bug 229329] java/openjdk8: allow user to trust extra local certificates
Message-ID:  <bug-229329-8522-HQpghZtyU4@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-229329-8522@https.bugs.freebsd.org/bugzilla/>
References:  <bug-229329-8522@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229329

Palle Girgensohn <girgen@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |glewis@FreeBSD.org

--- Comment #4 from Palle Girgensohn <girgen@FreeBSD.org> ---
(In reply to Michael Osipov from comment #3)

I was not aware that the cacert list in java didn't come from openjdk. I see
now that it is locally maintained in $FILESDIR/cacerts. This is probably since it
is copied into $PREFIX/openjdk8/jre/lib/security/ and we want the openjdk8
package to be consistently built for a certain version of the port.

Deriving the OpenJDK CA roots file from security/ca_root_nss is probably equal
to getting it from https://packages.ubuntu.com/bionic/ca-certificates-java and
this is probably what happens except it is done manually when the port is
updated. It would not help you with your problem, since it would still give you
the same problems with "mismatched checksums" warnings if you added your own
CAs to it.

Now, with a local copy of the list, you could manage the suggested "local" list
"/home/girgen/cacerts" by copying the "big" cacert list from ubuntu *or*
ca_root_nss *or* OpenJDK's built-in cacerts, and adding your own CAs at the
end, just as you are doing now except using a different file. By using your own
file you would not get pkg nagging about checksums. Still this is a hassle in
that every java application needs this
`-Djavax.net.ssl.trustStore=/home/girgen/mycacerts` flag, but I still think
that is a general Java problem that should not be handled for one platform.

You can of course choose to ignore the checksum warnings, but there is no easy
way around the fact that editing a file installed by the package system will
render a checksum error if you manually change that. Also, every time you
update java, you need to re-add your additions.

Still, I'm open to suggestions. Greg's input would of course also be valuable.
You are definitely not the only one with this problem!

-- 
You are receiving this mail because:
You are the assignee for the bug.
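As an added example (not code from the bug report or the openjdk8 port), the merge Palle describes done programmatically: load the JRE's own cacerts, append the CA certificates from a local PEM bundle, write the result to a private trust store, and point every JVM at it with -Djavax.net.ssl.trustStore. It assumes the bundle path and output path are given as arguments and that cacerts still uses the stock "changeit" password.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Builds a private trust store from the JRE's cacerts plus a local CA bundle. */
public class MergeTrustStore {

    /** Loads a JKS trust store; "changeit" is the stock cacerts password (assumed). */
    static KeyStore load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Adds every CA certificate from a PEM bundle; returns how many were actually new. */
    static int addLocalCas(KeyStore ks, Path pemBundle) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int added = 0;
        try (InputStream in = Files.newInputStream(pemBundle)) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                if (x.getBasicConstraints() < 0) continue;       // leaf cert, not a CA: skip
                if (ks.getCertificateAlias(x) != null) continue;  // already in the store: skip
                String alias = "local-" + added + "-" + x.getSubjectX500Principal().getName()
                        .replaceAll("[^A-Za-z0-9]+", "-").toLowerCase();
                ks.setCertificateEntry(alias, x);                // trusted-cert entry, no key
                added++;
            }
        }
        return added;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java MergeTrustStore <local-ca-bundle.pem> <output-truststore>
        char[] pw = "changeit".toCharArray();
        Path jreCacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = load(jreCacerts, pw);
        int n = addLocalCas(ks, Paths.get(args[0]));
        try (OutputStream out = Files.newOutputStream(Paths.get(args[1]))) {
            ks.store(out, pw);
        }
        System.out.println("added " + n + " CA(s); run java with -Djavax.net.ssl.trustStore=" + args[1]);
    }
}
```

Because the private store is a snapshot, re-run the merge after every openjdk8 update so it picks up the port's refreshed roots rather than silently falling behind them.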
