[Openjdk] [Bug 1767890] Re: java can't connect to https sites

[Sam Uong]

*** This bug is a duplicate of bug 1739631 ***
    https://bugs.launchpad.net/bugs/1739631

** This bug is no longer a duplicate of bug 1743139
   java.security.InvalidAlgorithmParameterException: the trustAnchors parameter 
must be non-empty
** This bug has been marked a duplicate of bug 1739631
   Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to ca-certificates-java in Ubuntu.
https://bugs.launchpad.net/bugs/1767890

Title:
  java can't connect to https sites

Status in ca-certificates-java package in Ubuntu:
  New

Bug description:
  After installing 18.04 and default-jdk, which provides java/javac
  1.10.1, Java applications are unable to connect to https sites. This
  can be reproduced with a simple Java program:

  sam@sam-desktop:~$ cat <<EOF >HttpsTester.java
  > import java.net.URL;
  > import javax.net.ssl.HttpsURLConnection;
  >
  > public class HttpsTester {
  >     public static void main(String[] args) {
  >         try {
  >             HttpsURLConnection connection = (HttpsURLConnection) new 
URL("https://www.ubuntu.com";).openConnection();
  >             System.out.println("Response code: " + 
connection.getResponseCode());
  >             System.out.println("It worked!");
  >         } catch (Exception e) {
  >             System.out.println(e.getMessage());
  >         }
  >     }
  > }
  > EOF
  sam@sam-desktop:~$ javac HttpsTester.java
  sam@sam-desktop:~$ java HttpsTester
  java.lang.RuntimeException: Unexpected error: 
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter 
must be non-empty

  This seems to be due to a misconfigured keystore in
  /etc/ssl/certs/java/cacerts. If I use the keystore which is bundled in
  Oracle's JRE, then the certificate check during connection succeeds:

  sam@sam-desktop:~$ tar -zxf jre-10.0.1_linux-x64_bin.tar.gz
  sam@sam-desktop:~$ java 
-Djavax.net.ssl.trustStore=jre-10.0.1/lib/security/cacerts HttpsTester
  Response code: 200

  I'm not sure if this is somehow related to 1406483, but I've tried
  recreating my keystore (using 'sudo update-ca-certificates -f' and
  'sudo apt-get install --reinstall ca-certificates-java') without
  success.

  My keystore is not empty, but contains a different set of keys to
  Oracle's one:

  sam@sam-desktop:~$ keytool -list -keystore /etc/ssl/certs/java/cacerts 
-storepass changeit | grep 'Your keystore contains'
  Warning: use -cacerts option to access cacerts keystore
  Your keystore contains 134 entries

  sam@sam-desktop:~$ keytool -list -keystore jre-10.0.1/lib/security/cacerts 
-storepass changeit | grep 'Your keystore contains'
  Your keystore contains 104 entries

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1767890/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~openjdk
Post to     : openjdk@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openjdk
More help   : https://help.launchpad.net/ListHelp