Debian Bug report logs - #501487
openjdk-6-jre-headless: SSL/TLS network connections do not work without cacerts file

Package: openjdk-6-jre-headless; Maintainer for openjdk-6-jre-headless is OpenJDK Team <openjdk@lists.launchpad.net>; Source for openjdk-6-jre-headless is src:openjdk-6.

Reported by: Marcus Better <marcus@better.se>

Date: Tue, 7 Oct 2008 18:51:01 UTC

Severity: normal

Merged with 501643

Found in version openjdk-6/6b11-6

Fixed in version 6b12-1~exp1

Done: Matthias Klose <doko@cs.tu-berlin.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Marcus Better <marcus@better.se>, OpenJDK Team <openjdk@lists.launchpad.net>:
Bug#501487; Package openjdk-6-jre-headless. (Tue, 07 Oct 2008 18:51:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marcus Better <marcus@better.se>:
New Bug report received and forwarded. Copy sent to Marcus Better <marcus@better.se>, OpenJDK Team <openjdk@lists.launchpad.net>. (Tue, 07 Oct 2008 18:51:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Marcus Better <marcus@better.se>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openjdk-6-jre-headless: SSL/TLS network connections do not work without cacerts file
Date: Tue, 7 Oct 2008 20:48:00 +0200 (CEST)
Package: openjdk-6-jre-headless
Version: 6b11-6
Severity: normal

The cacerts file in the jre/lib/security directory is necessary for
correct operation of SSL socket connections. This file exists in
java-gcj-compat-headless, but in openjdk-6-jre-headless it is a
symlink:

~$ dlocate cacerts
openswan: /etc/ipsec.d/cacerts
sun-java6-bin: /etc/java-6-sun/security/cacerts
libssl-dev: /usr/share/doc/libssl-dev/demos/easy_tls/cacerts.pem
java-gcj-compat-headless: /usr/lib/jvm/java-1.5.0-gcj-4.3-1.5.0.0/jre/lib/security/cacerts
ca-certificates-java: /usr/share/ca-certificates-java/cacerts
openjdk-6-jre-headless: /usr/lib/jvm/java-6-openjdk/jre/lib/security/cacerts

~$ ls -l /usr/lib/jvm/java-1.5.0-gcj-4.3-1.5.0.0/jre/lib/security/cacerts
-rw-r--r-- 1 root root 92378 11 jul 20.55 /usr/lib/jvm/java-1.5.0-gcj-4.3-1.5.0.0/jre/lib/security/cacerts

~$ ls -l /usr/lib/jvm/java-6-openjdk/jre/lib/security/cacerts
lrwxrwxrwx 1 root root 27  3 sep 21.24 /usr/lib/jvm/java-6-openjdk/jre/lib/security/cacerts -> /etc/ssl/certs/java/cacerts

But /etc/ssl/certs/java/cacerts is only present if the
ca-certificates-java package is installed. Without it, secure network connections fail with an obscure exception:

Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1574)
        at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1557)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1150)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1127)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:423)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:997)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
        at org.apache.cxf.resource.URIResolver.tryFileSystem(URIResolver.java:133)
        at org.apache.cxf.resource.URIResolver.<init>(URIResolver.java:72)
        at org.apache.cxf.endpoint.dynamic.DynamicClientFactory.composeUrl(DynamicClientFactory.java:420)
        ... 56 more
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:75)
        at sun.security.validator.Validator.getInstance(Validator.java:178)
        at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:129)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:225)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:973)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:142)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:533)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:471)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:904)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1116)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1143)
        ... 64 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
        at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
        at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
        at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:73)


Installing ca-certificates-java fixes this, but that package is only
recommended by openjdk-6-jre-headless.

I think this is a bug and the JRE should be fixed to work without a
cacerts file.

If not, then a working cacerts file should be provided by this
package, or it might depend on ca-certificates-java.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-melech (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openjdk-6-jre-headless depends on:
ii  dpkg                   1.14.22           Debian package management system
ii  java-common            0.30              Base of all Java packages
ii  libaccess-bridge-java  1.23.0-2          Java Access Bridge for GNOME
ii  libc6                  2.7-13            GNU C Library: Shared libraries
ii  libcups2               1.3.8-1lenny1     Common UNIX Printing System(tm) - 
ii  libfreetype6           2.3.7-2           FreeType 2 font engine, shared lib
ii  libgcc1                1:4.3.2-1         GCC support library
ii  liblcms1               1.17.dfsg-1       Color management library
ii  openjdk-6-jre-lib      6b11-6            OpenJDK Java runtime (architecture
ii  rhino                  1.7R1-2           JavaScript engine written in Java
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

Versions of packages openjdk-6-jre-headless recommends:
ii  ca-certificates-java          20080712   Common CA certificates (JKS keysto
ii  libnss-mdns                   0.10-3     NSS module for Multicast DNS name 
pn  tzdata-java                   <none>     (no description available)

Versions of packages openjdk-6-jre-headless suggests:
pn  sun-java6-fonts         <none>           (no description available)
ii  ttf-arphic-uming        0.2.20080216.1-1 "AR PL UMing" Chinese Unicode True
ii  ttf-baekmuk             2.2-2            Baekmuk series TrueType fonts
ii  ttf-dejavu-core         2.25-3           Vera font family derivate with add
ii  ttf-indic-fonts         1:0.5.4          Metapackage for free Indian langua
ii  ttf-kochi-gothic        1.0.20030809-4   Kochi Subst Gothic Japanese TrueTy
ii  ttf-kochi-mincho        1.0.20030809-4   Kochi Subst Mincho Japanese TrueTy

-- no debconf information
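
Added example, not part of the original report or of any Debian package: a shell check for the condition described above, where the JRE's cacerts path is a symlink whose target is absent or unusable. The function name check_truststore and its status strings are assumptions of this example; the default path is the one shown in the report.

```shell
#!/bin/sh
# Classify the state of a Java trust store path.
# Prints one of: ok, dangling-symlink, missing, empty, not-jks
# Returns 0 only for "ok".
# check_truststore and its status strings are hypothetical names
# chosen for this example.

check_truststore() {
    path=$1

    # A symlink whose target does not exist: the situation in the
    # report when ca-certificates-java is not installed.
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        echo "dangling-symlink"
        return 1
    fi

    if [ ! -e "$path" ]; then
        echo "missing"
        return 1
    fi

    # A zero-length file yields no trust anchors either.
    if [ ! -s "$path" ]; then
        echo "empty"
        return 1
    fi

    # Assumption: the store is in JKS format (the report lists
    # ca-certificates-java as a JKS keystore). JKS files begin with
    # the magic bytes FE ED FE ED.
    magic=$(od -An -tx1 -N4 "$path" | tr -d ' \n')
    if [ "$magic" != "feedfeed" ]; then
        echo "not-jks"
        return 1
    fi

    echo "ok"
}

# Default path is the one from the report; pass another path as $1.
check_truststore "${1:-/usr/lib/jvm/java-6-openjdk/jre/lib/security/cacerts}" || true
```

A result other than "ok" means the JRE will start with no trust anchors and every certificate validation will fail with the exception quoted above, so the check is worth running at deployment time rather than at first connection.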




Information forwarded to debian-bugs-dist@lists.debian.org, OpenJDK Team <openjdk@lists.launchpad.net>:
Bug#501487; Package openjdk-6-jre-headless. (Sun, 12 Oct 2008 10:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Matthias Klose <doko@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to OpenJDK Team <openjdk@lists.launchpad.net>. (Sun, 12 Oct 2008 10:27:08 GMT) Full text and rfc822 format available.

Message #10 received at 501487@bugs.debian.org (full text, mbox):

From: Matthias Klose <doko@ubuntu.com>
To: 501487@bugs.debian.org, 501487-submitter@bugs.debian.org
Subject: Re: SSL/TLS network connections do not work without cacerts file
Date: Sun, 12 Oct 2008 12:25:02 +0200

yes, it should depend on it. please help fixing the outstanding reports in
http://bugs.debian.org/src:ca-certificates-java




Message sent on to Marcus Better <marcus@better.se>:
Bug#501487. (Sun, 12 Oct 2008 10:27:15 GMT) Full text and rfc822 format available.

Merged 501487 501643. Request was from Matthias Klose <doko@cs.tu-berlin.de> to control@bugs.debian.org. (Sun, 12 Oct 2008 10:42:10 GMT) Full text and rfc822 format available.

Reply sent to Matthias Klose <doko@cs.tu-berlin.de>:
You have taken responsibility. (Sun, 26 Oct 2008 07:45:04 GMT) Full text and rfc822 format available.

Notification sent to Marcus Better <marcus@better.se>:
Bug acknowledged by developer. (Sun, 26 Oct 2008 07:45:04 GMT) Full text and rfc822 format available.

Message #20 received at 501487-done@bugs.debian.org (full text, mbox):

From: Matthias Klose <doko@cs.tu-berlin.de>
To: 501487-done@bugs.debian.org
Subject: Re: SSL/TLS network connections do not work without cacerts file
Date: Sun, 26 Oct 2008 08:42:46 +0100
Version: 6b12-1~exp1




Reply sent to Matthias Klose <doko@cs.tu-berlin.de>:
You have taken responsibility. (Sun, 26 Oct 2008 07:45:05 GMT) Full text and rfc822 format available.

Notification sent to Russell Coker <russell@coker.com.au>:
Bug acknowledged by developer. (Sun, 26 Oct 2008 07:45:05 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 Apr 2009 07:30:48 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 06:30:53 2014; Machine Name: beach.debian.org
