Details
-
Sub-task
-
Resolution: Delivered
-
P2
-
9
-
Verified
Backports
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8189397 | 9 | Clifford Wayne | P2 | Closed | Delivered |
Description
The OpenJDK 9 binary for Linux x64 contains an empty `cacerts` keystore. This prevents TLS connections from being established because there are no Trusted Root Certificate Authorities installed. You may see an exception like the following:
`javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty`
As a workaround, users can set the `javax.net.ssl.trustStore` System Property to use a different keystore. For example, the `ca-certificates` package on Oracle Linux 7 contains the set of Root CA certificates chosen by the Mozilla Foundation for use with the Internet PKI. This package installs a trust store at `/etc/pki/java/cacerts`, which can be used by OpenJDK 9.
Only the OpenJDK 64 bit Linux download is impacted. This issue does not apply to any Oracle JRE/JDK download.
Progress on open-sourcing the Oracle JDK Root CAs can be tracked through the issueJDK-8189131.
`javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty`
As a workaround, users can set the `javax.net.ssl.trustStore` System Property to use a different keystore. For example, the `ca-certificates` package on Oracle Linux 7 contains the set of Root CA certificates chosen by the Mozilla Foundation for use with the Internet PKI. This package installs a trust store at `/etc/pki/java/cacerts`, which can be used by OpenJDK 9.
Only the OpenJDK 64 bit Linux download is impacted. This issue does not apply to any Oracle JRE/JDK download.
Progress on open-sourcing the Oracle JDK Root CAs can be tracked through the issue
Attachments
Issue Links
- backported by
-
-
- Closed
-