Your message dated Sun, 26 Oct 2008 08:42:46 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Re: SSL/TLS network connections do not work without cacerts file
has caused the Debian Bug report #501487,
regarding openjdk-6-jre-headless: SSL/TLS network connections do not work without cacerts file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
501487: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501487
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: openjdk-6-jre-headless
Version: 6b11-6
Severity: normal
The cacerts file in the jre/lib/security directory is necessary for
correct operation of SSL socket connections. This file exists in
java-gcj-compat-headless, but in openjdk-6-jre-headless it is a
symlink:
~$ dlocate cacerts
openswan: /etc/ipsec.d/cacerts
sun-java6-bin: /etc/java-6-sun/security/cacerts
libssl-dev: /usr/share/doc/libssl-dev/demos/easy_tls/cacerts.pem
java-gcj-compat-headless: /usr/lib/jvm/java-1.5.0-gcj-4.3-1.5.0.0/jre/lib/security/cacerts
ca-certificates-java: /usr/share/ca-certificates-java/cacerts
openjdk-6-jre-headless: /usr/lib/jvm/java-6-openjdk/jre/lib/security/cacerts
~$ ls -l /usr/lib/jvm/java-1.5.0-gcj-4.3-1.5.0.0/jre/lib/security/cacerts
-rw-r--r-- 1 root root 92378 11 jul 20.55 /usr/lib/jvm/java-1.5.0-gcj-4.3-1.5.0.0/jre/lib/security/cacerts
~$ ls -l /usr/lib/jvm/java-6-openjdk/jre/lib/security/cacerts
lrwxrwxrwx 1 root root 27 3 sep 21.24 /usr/lib/jvm/java-6-openjdk/jre/lib/security/cacerts -> /etc/ssl/certs/java/cacerts
But /etc/ssl/certs/java/cacerts is only present if the
ca-certificates-java package is installed. Without it, secure network
connections fail with an obscure exception:
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1574)
    at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1557)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1150)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1127)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:423)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:997)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    at org.apache.cxf.resource.URIResolver.tryFileSystem(URIResolver.java:133)
    at org.apache.cxf.resource.URIResolver.<init>(URIResolver.java:72)
    at org.apache.cxf.endpoint.dynamic.DynamicClientFactory.composeUrl(DynamicClientFactory.java:420)
    ... 56 more
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:75)
    at sun.security.validator.Validator.getInstance(Validator.java:178)
    at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:129)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:225)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:973)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:142)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:533)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:471)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:904)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1116)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1143)
    ... 64 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
    at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
    at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
    at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:73)
Installing ca-certificates-java fixes this, but that package is only
recommended by openjdk-6-jre-headless.
I think this is a bug and the JRE should be fixed to work without a
cacerts file.
If not, then a working cacerts file should be provided by this
package, or it might depend on ca-certificates-java.
-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-melech (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openjdk-6-jre-headless depends on:
ii  dpkg                   1.14.22            Debian package management system
ii  java-common            0.30               Base of all Java packages
ii  libaccess-bridge-java  1.23.0-2           Java Access Bridge for GNOME
ii  libc6                  2.7-13             GNU C Library: Shared libraries
ii  libcups2               1.3.8-1lenny1      Common UNIX Printing System(tm) -
ii  libfreetype6           2.3.7-2            FreeType 2 font engine, shared lib
ii  libgcc1                1:4.3.2-1          GCC support library
ii  liblcms1               1.17.dfsg-1        Color management library
ii  openjdk-6-jre-lib      6b11-6             OpenJDK Java runtime (architecture
ii  rhino                  1.7R1-2            JavaScript engine written in Java
ii  zlib1g                 1:1.2.3.3.dfsg-12  compression library - runtime

Versions of packages openjdk-6-jre-headless recommends:
ii  ca-certificates-java   20080712           Common CA certificates (JKS keysto
ii  libnss-mdns            0.10-3             NSS module for Multicast DNS name
pn  tzdata-java            <none>             (no description available)

Versions of packages openjdk-6-jre-headless suggests:
pn  sun-java6-fonts        <none>             (no description available)
ii  ttf-arphic-uming       0.2.20080216.1-1   "AR PL UMing" Chinese Unicode True
ii  ttf-baekmuk            2.2-2              Baekmuk series TrueType fonts
ii  ttf-dejavu-core        2.25-3             Vera font family derivate with add
ii  ttf-indic-fonts        1:0.5.4            Metapackage for free Indian langua
ii  ttf-kochi-gothic       1.0.20030809-4     Kochi Subst Gothic Japanese TrueTy
ii  ttf-kochi-mincho       1.0.20030809-4     Kochi Subst Mincho Japanese TrueTy

-- no debconf information
--- End Message ---
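
A pre-flight check for the failure described in the report above, added here as an example and not part of the original messages or of any Debian package: it classifies a trust store path as a dangling symlink, missing, empty, not JKS, or a JKS file with zero entries, each of which leaves the JRE without trust anchors. The function name check_cacerts and the sample files are constructed for illustration; the check reads only the JKS header, so it does not validate the certificates themselves.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report): classify a JRE trust store path.
# Prints: dangling-symlink | missing | empty | not-jks | truncated | no-entries | ok
check_cacerts() {
    path=$1
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        # Symlink present, target absent: the situation in the report.
        echo "dangling-symlink"; return 1
    fi
    [ -e "$path" ] || { echo "missing"; return 1; }
    [ -s "$path" ] || { echo "empty"; return 1; }
    # JKS layout: 4-byte magic FE ED FE ED, 4-byte version, 4-byte entry count.
    magic=$(od -An -tx1 -N4 "$path" | tr -d ' \n')
    [ "$magic" = "feedfeed" ] || { echo "not-jks"; return 1; }
    count=$(od -An -tx1 -j8 -N4 "$path" 2>/dev/null | tr -d ' \n')
    [ "${#count}" -eq 8 ] || { echo "truncated"; return 1; }
    # Zero entries means zero trust anchors: same exception at handshake time.
    [ "$count" != "00000000" ] || { echo "no-entries"; return 1; }
    echo "ok"
}

# Constructed sample data: a dangling symlink and two 12-byte JKS headers
# (version 2, with one entry and with zero entries). Not real keystores.
demo=$(mktemp -d)
ln -s "$demo/absent" "$demo/dangling"
printf '\376\355\376\355\000\000\000\002\000\000\000\001' > "$demo/one-entry"
printf '\376\355\376\355\000\000\000\002\000\000\000\000' > "$demo/no-entries"
for f in dangling one-entry no-entries; do
    printf '%s: %s\n' "$f" "$(check_cacerts "$demo/$f")"
done
```

On a system like the reporter's, the path to check is /usr/lib/jvm/java-6-openjdk/jre/lib/security/cacerts; the non-zero return status makes the function usable in a package test or deployment script.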
--- Begin Message ---
Version: 6b12-1~exp1
--- End Message ---