[Bug 229329] java/openjdk8: allow user to trust extra local certificates

bugzilla-noreply at freebsd.org
Mon Jun 25 15:31:36 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229329

Palle Girgensohn <girgen at FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |glewis at FreeBSD.org

--- Comment #4 from Palle Girgensohn <girgen at FreeBSD.org> ---
(In reply to Michael Osipov from comment #3)

I was not aware that the cacert list in java didn't come from openjdk. I see
now that it is locally maintained in $FILESDIR/cacerts. This is probably since it
is copied into $PREFIX/openjdk8/jre/lib/security/ and we want the openjdk8
package to be consistently built for a certain version of the port.

Deriving the OpenJDK CA roots file from security/ca_root_nss is probably equal
to getting it from https://packages.ubuntu.com/bionic/ca-certificates-java and
this is probably what happens except it is done manually when the port is
updated. It would not help you with your problem, since it would still give you
the same problems with "mismatched checksums" warnings if you added your own
CA:s to it.

Now, with a local copy of the list, you could manage the suggested "local" list
"/home/girgen/cacerts" by copying the "big" cacert list from ubuntu *or*
ca_root_nss *or* OpenJDK:s built-in cacerts, and adding your own CA:s at the
end, just as you are doing now except using a different file. By using your own
file you would not get pkg nagging about checksums. Still this is a hassle in
that every java application needs this
`-Djavax.net.ssl.trustStore=/home/girgen/mycacerts` flag, but I still think
that is a general Java problem that should not be handled for one platform. 

You can of course choose to ignore the checksum warnings, but there is no easy
way around the fact that editing a file installed by the package system will
render a checksum error if you manually change that. Also, every time you
update java, you need to re-add your additions.

Still, I'm open to suggestions. Greg's input would of course also be valuable.
You are definitely not the only one with this problem!

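The approach described in the comment above (copy a stock cacerts file, append local CAs, point the JVM at the copy), as an added shell example that is not part of the original message or of the port. The function names, the `local-` alias prefix and the sample paths are assumptions; `changeit` is the stock password of the JDK cacerts keystore.

```shell
#!/bin/sh
# Added example: build a user-owned trust store instead of editing the
# package-installed cacerts, so pkg checksums stay intact.
# Function names and the "local-" alias prefix are assumptions.

STOREPASS="${STOREPASS:-changeit}"   # stock cacerts password

# build_local_truststore SRC DEST CA_CERT...
#   SRC     packaged cacerts (only read, never modified)
#   DEST    user-owned copy, e.g. /home/girgen/mycacerts
#   CA_CERT one or more local CA certificates (PEM or DER)
build_local_truststore() {
    src=$1; dest=$2; shift 2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    # Always start from a fresh copy, so roots added or removed by a
    # port update are picked up when the script is re-run.
    tmp="$dest.tmp.$$"
    cp "$src" "$tmp" || return 1
    # Whoever can write this file decides which CAs the JVM trusts.
    chmod go-w "$tmp"
    for cert in "$@"; do
        name="local-$(basename "$cert" | sed 's/\.[^.]*$//')"
        keytool -importcert -noprompt -trustcacerts \
            -alias "$name" -file "$cert" \
            -keystore "$tmp" -storepass "$STOREPASS" >/dev/null 2>&1 \
            || { echo "import failed: $cert" >&2; rm -f "$tmp"; return 1; }
    done
    # Replace the old copy only after every import succeeded.
    mv "$tmp" "$dest"
}

# has_alias STORE ALIAS: succeeds if ALIAS is present in STORE.
has_alias() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" \
        -alias "$2" >/dev/null 2>&1
}

# Typical use (paths are assumptions):
#   build_local_truststore \
#       "$PREFIX/openjdk8/jre/lib/security/cacerts" \
#       /home/girgen/mycacerts /home/girgen/myca.pem
#   java -Djavax.net.ssl.trustStore=/home/girgen/mycacerts ...
```

Re-running the function after each Java update regenerates the copy from the new packaged file, which takes the place of re-adding the local CAs by hand.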