Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 567504 - Use system trust store on Windows instead of cacerts #929

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Bug 567504 - Use system trust store on Windows instead of cacerts #929

wants to merge 1 commit into from
+2 −0

Conversation

sratz
Copy link
Member

@sratz sratz commented Mar 3, 2023

Use the Windows operating system trust store instead of the cacerts bundled with the JVM.

https://bugs.eclipse.org/bugs/show_bug.cgi?id=567504

@sratz sratz requested review from merks and jonahgraham March 3, 2023 10:49
@merks
Copy link
Contributor

merks commented Mar 3, 2023

Do we generally expect that the Windows trust store will be more up-to-date? I.e., is there a possibility that a recently published Termurin-based JRE would have root certificates not in the Windows trust store?

@sratz
Copy link
Member Author

sratz commented Mar 3, 2023

Do we generally expect that the Windows trust store will be more up-to-date? I.e., is there a possibility that a recently published Termurin-based JRE would have root certificates not in the Windows trust store?

That's certainly a possibility but unlikely that this should cause any trouble. Microsoft regularly updates the trusted roots:
https://learn.microsoft.com/en-us/security/trusted-root/release-notes

I guess it comes down to what expectations of users we want to fulfill. The operating system trust store is the one users are used to (e.g. in browsers) and what they probably expect to be used in arbitrary 3rd party applications. It may also contains corporate specific certificates.

Our experience is that it is quite unintuitive that the EPP packages come with their own cacerts ('Why does it work in my browser but not in Eclipse?')

@merks
Copy link
Contributor

merks commented Mar 3, 2023

This issue of certificates used by a corporate firewall is quite a common problem and with an embedded JRE this is even harder for users to fix, especially for the installer where the whole thing is packaged as a *.exe...

@merks
Copy link
Contributor

merks commented Apr 16, 2023

@sratz

Note that I tried these options in the installer, but the result just hangs trying to access the internet. I have not had time to track down what might be causing that. Maybe the installer is special because it extracts itself into the temp folder. Using the options with a debug launch works fine...

@sratz
Copy link
Member Author

sratz commented May 3, 2023
edited

@sratz

Note that I tried these options in the installer, but the result just hangs trying to access the internet. I have not had time to track down what might be causing that. Maybe the installer is special because it extracts itself into the temp folder. Using the options with a debug launch works fine...

I went trough the JDK sources and apparently the correct properties to set actually are

-Djavax.net.ssl.trustStoreType=Windows-ROOT -Djavax.net.ssl.trustStore=NONE

instead of

-Djavax.net.ssl.trustStoreType=Windows-ROOT -Djavax.net.ssl.trustStore=NUL

Can you see if using NONE helps in the Installer?

@merks
Copy link
Contributor

merks commented May 7, 2023

Yes, the installer works with this in the product:

      <vmArgsWin>-Djavax.net.ssl.trustStoreType=Windows-ROOT
-Djavax.net.ssl.trustStore=NONE
      </vmArgsWin>

@akurtakov
Copy link
Member

Is there anything still planned here?

@merks
Copy link
Contributor

merks commented Aug 9, 2023

I've not changed this for the installer because I'm kind of scared to do that because this isn't something I can really test...

@akurtakov
Copy link
Member

So should this one be closed if nothing will be done?

@merks
Copy link
Contributor

merks commented Nov 28, 2023

I do get the feeling this is a correct and good thing. I’ve seen more than once this solves problems inside firewalls.

@BeckerWdf
Copy link
Contributor

@sratz: Should we merge this?

@sratz
Bug 567504 - Use system trust store on Windows instead of cacerts
583c1db 
Use the Windows operating system trust store instead of the cacerts
bundled with the JVM.

https://bugs.eclipse.org/bugs/show_bug.cgi?id=567504
@sratz
Copy link
Member Author

sratz commented Dec 4, 2023

@sratz: Should we merge this?

I updated the PR to use the correct NONE instead of NUL.

Technically this works, but

  • This is only the platform product. The impact would probably be bigger if that was done in the EPPs' INI files.
  • This only improves the situation on Windows.

@akurtakov
Copy link
Member

@niraj-modi Would you please review this one as it's Windows specific?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@merks merks Awaiting requested review from merks

@jonahgraham jonahgraham Awaiting requested review from jonahgraham

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@sratz @merks @akurtakov @BeckerWdf