Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ca-certificates-java (Debian) | Fix Released | Unknown | | |
| ca-certificates-java (Ubuntu) | Fix Released | High | Unassigned | |
| Bionic | Fix Released | High | Tiago Stürmer Daitx | |
Bug Description
[Impact]
Any user doing a new install can be affected as soon as they install any openjdk-11 package.
[Cause]
The ca-certificates-java version 20170930 (or earlier) used OpenJDK's default keystore to create /etc/ssl/
From openjdk-9 upwards the default keystore type changed from 'jks' to 'pkcs12' [1] by means of JEP 229 [2]. A JKS keystore can be read without supplying a password (or by supplying an empty one) while a PKCS12 keystore requires a password to be set.
Thus a /etc/ssl/
Ubuntu does *not* set the javax.net.
thus any user that got a cacerts generated in PKCS12 won't be able to use any secure connections from Java.
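A practical check for the condition described under [Cause] is to look at the on-disk format of the cacerts file and at the keystore.type property of the installed JDK. The following is an added example written for this report; it is not code from ca-certificates-java or OpenJDK. It classifies a keystore by its leading bytes (JKS/JCEKS magic, or the DER prefix of a PKCS12 PFX), reads keystore.type from java.security text, and reports whether Java can use the trust anchors without a password. The sample keystore bytes and the java.security excerpt in the block are constructed; the file paths are taken from the command line because the exact paths are truncated in this report.

```python
"""Classify a Java keystore file (JKS / JCEKS / PKCS12) by its leading bytes and
compare that with the JDK's configured default keystore type.

Added example for this bug report; it is not code from ca-certificates-java
or OpenJDK. The sample keystore bytes and the java.security excerpt below are
constructed for the demonstration.
"""
import re
import struct
import sys

JKS_MAGIC = 0xFEEDFEED    # magic of sun.security.provider.JavaKeyStore
JCEKS_MAGIC = 0xCECECECE  # magic of com.sun.crypto.provider.JceKeyStore


def keystore_format(data: bytes) -> str:
    """Return 'jks', 'jceks', 'pkcs12' or 'unknown' for the given file bytes.

    JKS and JCEKS begin with a 4-byte big-endian magic and a 4-byte version.
    A PKCS12 (PFX) file is DER: SEQUENCE { version INTEGER 3, ... }, so it
    starts with 0x30, the length octets, then 02 01 03.
    """
    if len(data) < 8:
        return "unknown"
    magic, version = struct.unpack(">II", data[:8])
    if magic == JKS_MAGIC and version in (1, 2):
        return "jks"
    if magic == JCEKS_MAGIC and version == 2:
        return "jceks"
    if data[0] == 0x30:
        # Skip the DER length: short form (one octet < 0x80) or long form
        # (0x80 | n, followed by n length octets).
        pos = 1
        if data[pos] & 0x80:
            pos += 1 + (data[pos] & 0x7F)
        else:
            pos += 1
        if data[pos:pos + 3] == b"\x02\x01\x03":
            return "pkcs12"
    return "unknown"


def default_keystore_type(java_security_text: str) -> str:
    """Return the keystore.type property from java.security text, lower-cased.

    KeyStore.getDefaultType() falls back to 'jks' when the property is absent.
    """
    for line in java_security_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"keystore\.type\s*=\s*(\S+)", line)
        if match:
            return match.group(1).lower()
    return "jks"


def assess(data: bytes, java_security_text: str) -> dict:
    """Summarise whether a trust store can be used without a password.

    JKS/JCEKS certificate entries are readable with no password (only the
    integrity check is skipped); PKCS12 certificate entries are not, which is
    the failure this bug report describes.
    """
    fmt = keystore_format(data)
    return {
        "format": fmt,
        "jdk_default": default_keystore_type(java_security_text),
        "readable_without_password": fmt in ("jks", "jceks"),
    }


# Constructed samples: an empty JKS (version 2, zero entries) and the first
# bytes of a PKCS12 PFX (SEQUENCE with long-form length, version INTEGER 3,
# start of the authSafe SEQUENCE).
SAMPLE_JKS = struct.pack(">II", JKS_MAGIC, 2) + b"\x00\x00\x00\x00"
SAMPLE_PKCS12 = b"\x30\x82\x10\x00\x02\x01\x03\x30\x82\x0f\xf7"
SAMPLE_JAVA_SECURITY = "# constructed excerpt of a JDK 9+ java.security\nkeystore.type=pkcs12\n"


def main(argv):
    # Usage: python3 keystore_check.py /path/to/cacerts /path/to/java.security
    if len(argv) == 3:
        with open(argv[1], "rb") as f:
            data = f.read(64)
        with open(argv[2], "r", encoding="utf-8", errors="replace") as f:
            sec = f.read()
    else:
        data, sec = SAMPLE_PKCS12, SAMPLE_JAVA_SECURITY
    print(assess(data, sec))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the installed JDK's cacerts and java.security files as the two arguments; a result of `format: pkcs12` with `readable_without_password: False` is the state the [Test Case - Fix not applied] section reproduces, and `format: jks` is what the fixed ca-certificates-java produces.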
[Test Case - Fix not applied]
Start on a new bionic install/chroot without openjdk
1. Install openjdk-11
$ sudo apt-get install openjdk-11-jdk
2. Test the keystore with an empty password (optional) and make sure it is a PKCS12
$ keytool -list -cacerts
Enter keystore password: <leave empty>
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 0 entries
3. Test with the "changeit" password
$ keytool -list -cacerts
Enter keystore password: changeit
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 133 entries
<snipped various certs>
4. Create the java test file
$ cat <<EOF >HttpsTester.java
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
public class HttpsTester {
    public static void main(String[] args) throws java.io.IOException {
        // The URL used in the original report is truncated; https://example.com/ is a placeholder
        HttpsURLConnection connection = (HttpsURLConnection) new URL("https://example.com/").openConnection();
        System.out.println("Response code: " + connection.getResponseCode());
        System.out.println("It worked!");
    }
}
EOF
5. Compile it
$ javac HttpsTester.java
6. Call it
$ /usr/lib/
7. Call it again, this time set the store password
$ /usr/lib/
-Djavax.
Response code: 200
It worked!
[Test Case - Fix applied]
Start on a new bionic install/chroot without openjdk
1. Install openjdk-11
$ sudo apt-get install openjdk-11-jdk
2. Test the keystore with an empty password (optional) and make sure it is a JKS
$ keytool -list -cacerts
Enter keystore password:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 133 entries
<snipped various certs>
3. Test with the "changeit" password
$ keytool -list -cacerts
Enter keystore password: changeit
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 133 entries
<snipped various certs>
4. Create the java test file
$ cat <<EOF >HttpsTester.java
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
public class HttpsTester {
    public static void main(String[] args) throws java.io.IOException {
        // The URL used in the original report is truncated; https://example.com/ is a placeholder
        HttpsURLConnection connection = (HttpsURLConnection) new URL("https://example.com/").openConnection();
        System.out.println("Response code: " + connection.getResponseCode());
        System.out.println("It worked!");
    }
}
EOF
5. Compile it
$ javac HttpsTester.java
6. Call it
$ /usr/lib/
Response code: 200
It worked!
7. Call it again, this time set the store password
$ /usr/lib/
-Djavax.
Response code: 200
It worked!
[Regression Potential]
* Forcing ca-certificates
[References]
[1] The default keystore is defined by the keystore.type in the
/etc/java-
http://
[2] JEP 229: Create PKCS12 Keystores by Default
http://
[Original bug description]
I ran into a problem after doing approximately the following on an install of Ubuntu 17.10:
sudo apt-get install openjdk-9-jdk maven ca-certificates
Running "mvn package" on my own project threw this error without downloading anything:
java.security.
It seems that all TLS connections fail due to missing trust anchors in Java 9!
After some investigation, I discovered that the JDK's lib/security/
To workaround the issue, I downgraded to openjdk-8-jdk, did rm /etc/ssl/
The problem can be reintroduced by having java 9 installed and doing rm /etc/ssl/
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: ca-certificates
ProcVersionSign
Uname: Linux 4.13.0-21-generic x86_64
ApportVersion: 2.20.8-0ubuntu5
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Thu Dec 21 17:36:05 2017
EcryptfsInUse: Yes
InstallationDate: Installed on 2017-12-21 (0 days ago)
InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Release amd64 (20171018)
PackageArchitec
ProcEnviron:
TERM=xterm-
PATH=(custom, no user)
XDG_RUNTIME_
LANG=fi_FI.UTF-8
SHELL=/bin/bash
SourcePackage: ca-certificates
UpgradeStatus: Upgraded to bionic on 2017-12-21 (0 days ago)
modified.
Changed in ca-certificates-java (Debian): status: Unknown → New
Changed in ca-certificates-java (Ubuntu Bionic): importance: Undecided → High
Changed in ca-certificates-java (Ubuntu): importance: Undecided → High
Changed in ca-certificates-java (Ubuntu Bionic): status: New → Triaged
Changed in ca-certificates-java (Debian): status: New → Fix Released
Changed in ca-certificates-java (Ubuntu Bionic): milestone: none → ubuntu-18.04.1
Changed in ca-certificates-java (Ubuntu Bionic): assignee: nobody → Tiago Stürmer Daitx (tdaitx)
Changed in ca-certificates-java (Ubuntu Bionic): status: Triaged → Confirmed
description: updated
description: updated
tags: added: verification-done-bionic removed: verification-needed-bionic
tags: added: verification-done removed: verification-needed
Status changed to 'Confirmed' because the bug affects multiple users.