On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang <wei...@openjdk.org> wrote:
> The cacerts file is now a password-less PKCS12 file. This make sure old code > that uses a JKS KeyStore object can continuously load it using a null > password (in fact, any password) and see all certificates inside. I don't understand how this can work at all. I wrote a custom `CertDownloader` for our company use where I wanted to migrate to PKCS#12. Suddenly all of my applications started to fail on OpenJDK8u until I have figured out that PKCS#12 was not designed to be passwordless and due to the missing ecryption the trusted CA aren't visible. This bug is known as: * https://bugs.openjdk.java.net/browse/JDK-8231107 * https://bugs.openjdk.java.net/browse/JDK-8194702 I had to revert to JKS for now. Unless those drizzle down to 8u, 11u, 17u this is going to be hard. I still would love to see a trust store (not key store) which either reads OpenSSL's [`CAfile` or `CApath`](https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_load_verify_locations.html). This would greatly improve compat between Java and the OS default store on may OS, e.g., Debian, FreeBSD, RHEL, etc. ------------- PR: https://git.openjdk.java.net/jdk/pull/5948
