Andrew John Hughes wrote:
On 18 March 2010 21:12, Christopher Hegarty -Sun Microsystems Ireland
<christopher.hega...@sun.com> wrote:
Andrew John Hughes wrote:
On 18 March 2010 20:56, Christopher Hegarty -Sun Microsystems Ireland
<christopher.hega...@sun.com> wrote:
Brad, Pavel, Andrew,

I'm also not comfortable with this test, but what bothers me more than the
reliance on an external server is the reliance on cacerts. While cacerts (or
equivalent) is not part of OpenJDK I don't think it makes sense adding a
test to OpenJDK that has a reliance on it.

For now I think it makes more sense to add a test like this to wherever in
the build process cacerts (or equivalent) is added.

The problem is nothing does in the OpenJDK build process.  So SSL is
always broken for OpenJDK builds.  Is this something we really want?
This is certainly not ideal, but is a separate issue to the test, right? It
seems Sean or someone in the security team should comment on the possibility
of adding root CAs to OpenJDK, until then I don't see any requirement for a
test.

I don't have an answer right now - this will take some more investigation first.

My thoughts too.  We have a solution for GNU/Linux where cacerts is
populated from the crt files found on the system (installed by Mozilla
and the like).  I don't know what the equivalent would be for Windows
and Solaris though.  A quick look on my OpenSolaris box didn't find
any crt files but I only looked in installed packages.  I presume
firefox may bring some in if it's available.

On Windows you can use the "Windows-ROOT" KeyStore type, ex:

keytool -list -keystore NONE -storetype Windows-ROOT

I haven't tried it, but you could probably use the keytool -importkeystore option to import all of these certs into the cacerts file.

On Solaris, you could use the /usr/java/jre/lib/security/cacerts file.


--Sean
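
The two approaches mentioned in this thread (populating cacerts from system crt files on GNU/Linux, and reading the "Windows-ROOT" KeyStore on Windows), as an added Java example that is not part of the original messages or of OpenJDK. The class name BuildCacerts, its three arguments, the alias naming for crt files and the choice to skip certificates outside their validity period are assumptions of this example.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
// Added example. Usage: java BuildCacerts <Windows-ROOT | crt-directory> <out.jks> <password>
public class BuildCacerts {
    public static void main(String[] args) throws Exception {
        KeyStore dest = KeyStore.getInstance("JKS");
        dest.load(null, null);                        // start from an empty trust store
        int added = 0, skipped = 0;
        for (Map.Entry<String, Certificate> e : collect(args[0]).entrySet()) {
            try {
                // Do not carry expired or not-yet-valid roots into the new store.
                ((X509Certificate) e.getValue()).checkValidity();
                dest.setCertificateEntry(e.getKey(), e.getValue());
                added++;
            } catch (CertificateExpiredException | CertificateNotYetValidException ex) {
                skipped++;
            }
        }
        try (OutputStream out = Files.newOutputStream(Paths.get(args[1]))) {
            dest.store(out, args[2].toCharArray());
        }
        System.out.println("added " + added + ", skipped " + skipped);
    }

    // Gather trusted certificates from the OS root store or from PEM/DER .crt files.
    static Map<String, Certificate> collect(String source) throws Exception {
        Map<String, Certificate> certs = new LinkedHashMap<>();
        if (source.equals("Windows-ROOT")) {
            KeyStore src = KeyStore.getInstance("Windows-ROOT");  // SunMSCAPI, Windows only
            src.load(null, null);                     // no stream or password for this type
            for (String alias : Collections.list(src.aliases())) {
                if (src.isCertificateEntry(alias)) certs.put(alias, src.getCertificate(alias));
            }
        } else {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            try (DirectoryStream<Path> dir = Files.newDirectoryStream(Paths.get(source), "*.crt")) {
                for (Path p : dir) {
                    try (InputStream in = Files.newInputStream(p)) {
                        int i = 0;                    // one file may hold several certificates
                        for (Certificate c : cf.generateCertificates(in)) certs.put(p.getFileName() + "-" + i++, c);
                    }
                }
            }
        }
        return certs;
    }
}
```

The resulting file can be inspected with keytool -list -keystore <out.jks> before it is used as a trust store.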
