On 18 March 2010 21:12, Christopher Hegarty -Sun Microsystems Ireland
<christopher.hega...@sun.com> wrote:
> Andrew John Hughes wrote:
>>
>> On 18 March 2010 20:56, Christopher Hegarty -Sun Microsystems Ireland
>> <christopher.hega...@sun.com> wrote:
>>>
>>> Brad, Pavel, Andrew,
>>>
>>> I'm also not comfortable with this test, but what bothers me more than the
>>> reliance on an external server is the reliance on cacerts. While cacerts (or
>>> equivalent) is not part of OpenJDK I don't think it makes sense adding a
>>> test to OpenJDK that has a reliance on it.
>>>
>>> For now I think it makes more sense to add a test like this to wherever in
>>> the build process cacerts (or equivalent) is added.
>>>
>>
>> The problem is nothing does in the OpenJDK build process.  So SSL is
>> always broken for OpenJDK builds.  Is this something we really want?
>
> This is certainly not ideal, but is a separate issue to the test, right? It
> seems Sean or someone in the security team should comment on the possibility
> of adding root CAs to OpenJDK, until then I don't see any requirement for a
> test.
>

My thoughts too.  We have a solution for GNU/Linux where cacerts is
populated from the crt files found on the system (installed by Mozilla
and the like).  I don't know what the equivalent would be for Windows
and Solaris though.  A quick look on my OpenSolaris box didn't find
any crt files but I only looked in installed packages.  I presume
firefox may bring some in if it's available.

> -Chris.
>
>>
>>> -Chris
>>>
>>> Andrew John Hughes wrote:
>>>>
>>>> On 18 March 2010 18:40, Brad Wetmore <bradford.wetm...@sun.com> wrote:
>>>>>
>>>>> I have a couple important tasks to finish ASAP, so if there is more
>>>>> discussion, I'll have to jump in sometime next week, but wanted to add
>>>>> one thing before anything was done:
>>>>>
>>>>> Pavel wrote:
>>>>>>
>>>>>> And we can use other URL if verisign.com is problematic.
>>>>>
>>>>> We've tried to limit the reliance on servers outside our control for the
>>>>> open tests and to be as self-contained as possible, tho I'm sure there
>>>>> are still some tests that do this anyway.  IMHO, it's not exactly
>>>>> neighborly of OpenJDK to include tests that just bang on someone's
>>>>> server(s) for "testing", even if the volume isn't terribly high.  I
>>>>> think we should check with the server's admin before we include such a
>>>>> test in the general repository.
>>>>>
>>>>> In the past we've also had transient network errors (servers or network
>>>>> down), so that was another reason to limit our external dependencies.
>>>>> But they still had to be investigated and took time.
>>>>>
>>>> https://jaxp.dev.java.net/files/documents/913/147490 seems an
>>>> appropriate URL to hit.  It's the very URL that causes the OpenJDK
>>>> build to fail to bootstrap itself and I assume Oracle do control
>>>> dev.java.net to some degree.
>>>>
>>>>> Brad
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 3/18/2010 8:50 AM, Pavel Tisnovsky wrote:
>>>>>>
>>>>>> Christopher Hegarty -Sun Microsystems Ireland wrote:
>>>>>>>
>>>>>>> Alan Bateman wrote:
>>>>>>>>
>>>>>>>> Pavel Tisnovsky wrote:
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> please review new regression test for java.net.* API. This test
>>>>>>>>> checks if the cacerts keytool database is configured properly and SSL
>>>>>>>>> is really working. The test should not fail if SSL is working (in
>>>>>>>>> other case it simply throws IOException). Webrev is available at
>>>>>>>>> http://cr.openjdk.java.net/~ptisnovs/TestHttps/
>>>>>>>>>
>>>>>>>>> Thanks in advance
>>>>>>>>> Pavel Tisnovsky
>>>>>>>>
>>>>>>>> I suspect the dependency on verisign.com will be problematic.  Isn't
>>>>>>>> SSL already covered by the javax.net and https tests?
>>>>>>>
>>>>>>> I'm not sure what the prime motivation of the test is. Pavel, can you
>>>>>>> please elaborate?
>>>>>>>
>>>>>>> Reading between the lines I guess the test is verifying that the
>>>>>>> correct  root Certification Authority is installed in cacerts, i.e.
>>>>>>> the cert from www.verisign.com can be validated.
>>>>>>
>>>>>> Hi Chris, you guessed correctly :-) And we can use other URL if
>>>>>> verisign.com is problematic.
>>>>>>
>>>>>>> Alan is correct there are already tests for SSL/Https in javax.net,
>>>>>>> but I believe these use self signed certs, no dependency on cacerts.
>>>>>>>
>>>>>>> -Chris.
>>>>>>>
>>>>>>>> -Alan.
>>>>
>>>>
>>
>>
>>
>



-- 
Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net

PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8
