[Bug 781690] New: OpenJDK 1.7 SSL don't work / NoSuchAlgorithmException: SunJSSE
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c0

Summary: OpenJDK 1.7 SSL don't work / NoSuchAlgorithmException: SunJSSE
Classification: openSUSE
Product: openSUSE 12.2
Version: Final
Platform: x86-64
OS/Version: openSUSE 12.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: Java
AssignedTo: bnc-team-java@forge.provo.novell.com
ReportedBy: dev@lachner-net.de
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0

It seems SSL doesn't work in OpenJDK 1.7. For example, if I try to load updates in Eclipse from an https repository I got the following error:

Unable to read repository at https://dl-ssl.google.com/android/eclipse/site.xml.
java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)

I got similar errors in other software too. For example, I can't log in to Minecraft and the SunJSSE error is shown.

Reproducible: Always

Steps to Reproduce:
1. Try to use a https repository in eclipse

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c1
Michal Vyskocil
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c2
Michal Vyskocil
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c3
Bernd Lachner
Are you able to call it with -Djavax.net.debug=ssl,keymanager?
I started Minecraft, which also has this problem, with this option. The output is:

asdf
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: /usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
default context init failed: java.io.IOException: Invalid keystore format
java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
....
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c4
--- Comment #4 from Bernd Lachner
Anyway, the problem is probably related to the badly created keystore file.
In openSUSE we install the keystore into /var/lib/ca-certificates and link to it. So please check if the link points to the correct place:

$ readlink /usr/lib64/jvm/java-1.7.0-openjdk/jre/lib/security/cacerts
/var/lib/ca-certificates/java-cacerts
$ file /var/lib/ca-certificates/java-cacerts
/var/lib/ca-certificates/java-cacerts: Java KeyStore

If you've no link, please create it using

# ln -s /var/lib/ca-certificates/java-cacerts \
    /usr/lib64/jvm/java-1.7.0-openjdk/jre/lib/security/cacerts

If the java-cacerts does not exist, please run

# /usr/sbin/update-ca-certificates
and then fix the link
I checked this. The link is in place. But file /var/lib/ca-certificates/java-cacerts gives the output:

/var/lib/ca-certificates/java-cacerts: data

The file type is "data" and not, as in your example, "Java KeyStore". Does this mean the keystore is wrong?
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c5
--- Comment #5 from Bernd Lachner
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c6
Bernd Lachner
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c7
Michal Vyskocil
I checked this. The link is in place.
But file /var/lib/ca-certificates/java-cacerts give the output: /var/lib/ca-certificates/java-cacerts: data
That's something openjdk did not ever test in %posttrans. So I've changed it to use file --mime-type -b to test the correctness of both files. IOW, if the tested file does not contain an expected application/x-java-keystore, nor a link to it, it's regenerated/relinked. Sent to Factory by 137449; the rest of the distributions will be fixed in the next maintenance update. Changed to FIXED.
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c8
--- Comment #8 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c9
Martin Jakl
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c10
Michal Vyskocil
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c11
Martin Jakl
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c12
Michal Vyskocil
I'm using bash.
I had to remove java-cacerts first, because I had the oracle version, so script did nothing. Here is the result:
This is intended; the package does not remove the user-supplied cacerts file. However, the problem is not the script itself, but the fact that /var/lib/ca-certificates/java-cacerts is 'application/octet-stream', so an invalid keystore has been created. I suspect your JAVA_HOME points to a different JVM than openjdk7, because of all the failures during import, which should not happen with openjdk7. Please try the following

JAVA_HOME=/usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/ /usr/sbin/update-ca-certificates

and then check the type of java-cacerts

/usr/bin/file --mime-type -b /var/lib/ca-certificates/java-cacerts
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c13
Martin Jakl
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c14
Michal Vyskocil
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c15
--- Comment #15 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c
Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c16
--- Comment #16 from Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c17
Luiz Angelo Daros de Luca
https://bugzilla.novell.com/show_bug.cgi?id=781690
https://bugzilla.novell.com/show_bug.cgi?id=781690#c18
--- Comment #18 from Michal Vyskocil
The simple installation of java-1_7_0-openjdk-1.7.0.6-8.18.1 does not solve the problem for an existing 12.3 system. I needed to manually recreate the file.
Hi, the code does not touch the cacerts in a case it is a java keystore, because we do not want to touch user's supplied cacerts files by default.
BTW, it seems that java 1.5.0 can read while 1.7.0 cannot. After recreating, it is the opposite.
This is because you've had gcc-java in JAVA_HOME, so it happened that /var/lib/ca-certificates/java-cacerts had gcc's own incompatible keystore format. /var/lib/ca-certificates/java-cacerts should contain the openjdk-compatible format, whereas /var/lib/ca-certificates/gcj-cacerts is a file readable by gcc-java and created by the /usr/bin/gij executable. See /usr/lib/ca-certificates/update.d/java.run for details.

BTW: unfortunately there is no easy way to detect a file with a proper mime type but the wrong format, as keytool is in the -devel (SDK) package only.
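
The check this thread keeps coming back to (is the file behind the cacerts link really a Java KeyStore?) can be made by reading the file header directly. The following is an added example, not part of the original thread or of the openSUSE package scripts; the function names are hypothetical and it assumes the standard JKS header layout (magic 0xFEEDFEED, version, entry count). It inspects the header only and does not replace a full keytool validation.

```shell
#!/bin/sh
# Added example (not from the thread): classify a trust store by its header.
# JKS header, big-endian: magic 0xFEEDFEED, version (1 or 2), entry count.
# Header check only; it does not verify the trailing integrity digest.

# Print the first 12 bytes of $1 as lowercase hex digits.
ks_header_hex() {
    od -An -tx1 -N12 "$1" 2>/dev/null | tr -d ' \t\n'
}

# Print: missing | dangling | jks:<entries> | jks-bad-header | jceks | not-jks
# Follows symlinks; returns 0 only for a plausible JKS header.
ks_classify() {
    p=$1
    if [ -L "$p" ] && [ ! -e "$p" ]; then echo dangling; return 1; fi
    if [ ! -f "$p" ]; then echo missing; return 1; fi
    hex=$(ks_header_hex "$p")
    case $hex in
        feedfeed0000000[12]????????)
            # The last 8 hex digits are the entry count.
            count=$(printf '%d' "0x${hex#????????????????}")
            echo "jks:$count"; return 0 ;;
        feedfeed*) echo jks-bad-header; return 1 ;;
        cececece*) echo jceks; return 1 ;;
        *) echo not-jks; return 1 ;;
    esac
}

# Constructed samples: a bare 12-byte JKS header, a non-keystore blob behind
# a symlink (the "file says data" case from the thread), and a dangling link.
ks_demo() {
    d=$(mktemp -d) || return 1
    printf '\376\355\376\355\000\000\000\002\000\000\000\003' > "$d/good"
    printf 'not a keystore' > "$d/java-cacerts"
    ln -s "$d/java-cacerts" "$d/cacerts"
    ln -s "$d/nowhere" "$d/broken"
    for f in good cacerts broken; do
        echo "$f: $(ks_classify "$d/$f")"
    done
    rm -rf "$d"
}
ks_demo
```

On an affected system the function would be pointed at /usr/lib64/jvm/java-1.7.0-openjdk/jre/lib/security/cacerts, the path checked earlier in the thread.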
http://bugzilla.novell.com/show_bug.cgi?id=781690
Swamp Workflow Management