search

kimjinhyung / openjdk-osx-build

Automatically exported from code.google.com/p/openjdk-osx-build
0 stars 0 forks source link

cacerts missing / HTTPs not working #13

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
Doing HTTPs like:

new URL("https://www.google.com/").openStream();

causes this exception on OpenJDK 1.7:

Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors 
parameter must be non-empty
    at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
    at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
    at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
    at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:88)
    ... 107 more

The 
/Library/Java/JavaVirtualMachines/1.7.0.jdk/Contents/Home/jre/lib/security/cacer
ts was very small (32byte), so I copyied the file from the 1.6 Apple JDK:

cp 
/System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacert
s /Library/Java/JavaVirtualMachines/1.7.0.jdk/Contents/Home/jre/lib/security

This fixed the issue.

I found this note on http://openjdk.java.net/groups/security/ :

"The cacerts file shipped with OpenJDK is initially empty. The OpenJDK 
governing body will be defining a process by which certificates can be added to 
the OpenJDK cacerts file."

Not sure if this is the reason for this problem; but if the situation really is 
that OpenJDK doesn't ship with cacerts, maybe   openjdk-osx-builds installer 
could work around this issue by getting it from JDK 1.6. Or by adding a 
note/FAQ about it.

Original issue reported on code.google.com by ralf.ebert on 1 May 2011 at 4:31

GoogleCodeExporter commented 8 years ago 
The recommended solution is to create a symbolic link to the cacerts instead of 
copying the files:

cd /Library/Java/JavaVirtualMachines/1.7.0.jdk/Contents/Home/jre/lib/security
ln -s 
/System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacert
s cacerts

You might need to run this command using sudo (eg. sudo ln -s ....)

Original comment by rola...@gmail.com on 15 May 2011 at 10:22

GoogleCodeExporter commented 8 years ago 
Closing it since now reported on macosx-port JIRA 
(http://java.net/jira/browse/MACOSX_PORT-399)

Original comment by henri.gomez on 4 Oct 2011 at 9:18