https://bugzilla.novell.com/show_bug.cgi?id=781690 https://bugzilla.novell.com/show_bug.cgi?id=781690#c1 Michal Vyskocil changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO CC| |mvyskocil@suse.com InfoProvider| |dev@lachner-net.de --- Comment #1 from Michal Vyskocil 2012-09-26 10:16:40 UTC --- Are you able to call it with -Djavax.net.debug=ssl,keymanager? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=781690 https://bugzilla.novell.com/show_bug.cgi?id=781690#c3 Bernd Lachner changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|dev@lachner-net.de | --- Comment #3 from Bernd Lachner 2012-10-05 17:15:10 UTC --- (In reply to comment #1)

Are you able to call it with -Djavax.net.debug=ssl,keymanager?

I started minecraft with this option which also have this problem. The output is: asdf keyStore is : keyStore type is : jks keyStore provider is : init keystore init keymanager of type SunX509 trustStore is: /usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/lib/security/cacerts trustStore type is : jks trustStore provider is : init truststore default context init failed: java.io.IOException: Invalid keystore format java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext) .... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=781690 https://bugzilla.novell.com/show_bug.cgi?id=781690#c5 --- Comment #5 from Bernd Lachner 2012-10-05 18:38:16 UTC --- OK I deleted /var/lib/ca-certificates/java-cacerts and run "/usr/sbin/update-ca-certificates". After this it seems it works. Maybe it is a problem with update from older openSUSE version? I updated from openSUSE 12.1 with zypper dup, and this problem occurs on two systems. For me the problem is solved. Thank you for your help. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=781690 https://bugzilla.novell.com/show_bug.cgi?id=781690#c7 Michal Vyskocil changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P4 - Low Resolution|WORKSFORME |FIXED --- Comment #7 from Michal Vyskocil 2012-10-08 08:32:35 UTC ---

I checked this. The link is in place.

But file /var/lib/ca-certificates/java-cacerts give the output: /var/lib/ca-certificates/java-cacerts: data

That's something openjdk did not ever tested in %posttrans. So I've changed it to use file --mime-type -b to test the correctness of both files. IOW if the tested file does not contain an expected application/x-java-keystore, neither link to it, it's regenerated/relinked. Sent to Factory by 137449, the rest of distributions will be fixed on a next maintenance update. Changed to FIXED. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=781690 https://bugzilla.novell.com/show_bug.cgi?id=781690#c9 Martin Jakl changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED CC| |martin.jakl@qbicon.cz Component|Java |Java Resolution|FIXED | Product|openSUSE 12.2 |openSUSE 12.3 Target Milestone|--- |Final --- Comment #9 from Martin Jakl 2013-06-01 09:47:36 UTC --- I have the same problem in openSUSE 12.3 and described solution doesn't work. Newly created java-cacerts file is still type data and not Java Keystore. I had to use cacerts from Oracle java to make it work. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=781690 https://bugzilla.novell.com/show_bug.cgi?id=781690#c11 Martin Jakl changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |REOPENED InfoProvider|martin.jakl@qbicon.cz | --- Comment #11 from Martin Jakl 2013-06-03 11:48:10 UTC --- I'm using bash. I had to remove java-cacerts first, because I had the oracle version, so script did nothing. Here is the result: 1st run ++ /usr/bin/file --mime-type -b /var/lib/ca-certificates/java-cacerts + '[' 'ERROR: cannot open `/var/lib/ca-certificates/java-cacerts'\'' (No such file or directory)' '!=' 'xapplication/x-java-keystore;' ']' + /usr/sbin/update-ca-certificates creating /var/lib/ca-certificates/java-cacerts ... imporing thawte_Primary_Root_CA_G2.pem failed: java.security.spec.InvalidKeySpecException imporing AffirmTrust_Premium_ECC.pem failed: java.security.spec.InvalidKeySpecException imporing GeoTrust_Primary_Certification_Authority_G2.pem failed: java.security.spec.InvalidKeySpecException imporing COMODO_ECC_Certification_Authority.pem failed: java.security.spec.InvalidKeySpecException imporing VeriSign_Class_3_Public_Primary_Certification_Authority_G4.pem failed: java.security.spec.InvalidKeySpecException 139 added, 0 removed. creating /var/lib/ca-certificates/gcj-cacerts ... imporing thawte_Primary_Root_CA_G2.pem failed: java.security.spec.InvalidKeySpecException imporing AffirmTrust_Premium_ECC.pem failed: java.security.spec.InvalidKeySpecException imporing GeoTrust_Primary_Certification_Authority_G2.pem failed: java.security.spec.InvalidKeySpecException imporing COMODO_ECC_Certification_Authority.pem failed: java.security.spec.InvalidKeySpecException imporing VeriSign_Class_3_Public_Primary_Certification_Authority_G4.pem failed: java.security.spec.InvalidKeySpecException 2 added, 0 removed. ++ stat -c %s /usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/lib/security/cacerts + '[' 037 = 032 ']' ++ /usr/bin/file --mime-type -b -L /usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/lib/security/cacerts + '[' application/octet-stream '!=' 'xapplication/x-java-keystore;' ']' + rm -f /usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/lib/security/cacerts + ln -s /var/lib/ca-certificates/java-cacerts /usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/lib/security/cacerts 2nd run ++ /usr/bin/file --mime-type -b /var/lib/ca-certificates/java-cacerts + '[' application/octet-stream '!=' 'xapplication/x-java-keystore;' ']' + /usr/sbin/update-ca-certificates ++ stat -c %s /usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/lib/security/cacerts + '[' 037 = 032 ']' ++ /usr/bin/file --mime-type -b -L /usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/lib/security/cacerts + '[' application/octet-stream '!=' 'xapplication/x-java-keystore;' ']' + rm -f /usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/lib/security/cacerts + ln -s /var/lib/ca-certificates/java-cacerts /usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/lib/security/cacerts after that java-cacerts is type data -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=781690 https://bugzilla.novell.com/show_bug.cgi?id=781690#c13 Martin Jakl changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |REOPENED InfoProvider|martin.jakl@qbicon.cz | --- Comment #13 from Martin Jakl 2013-06-04 12:03:36 UTC --- So I found out that I had gcj installed and it set JAVA_HOME to itself, after deinstallation everything works. Sorry for that. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=781690 https://bugzilla.novell.com/show_bug.cgi?id=781690#c15 --- Comment #15 from Bernhard Wiedemann 2013-06-05 05:00:09 CEST --- This is an autogenerated message for OBS integration: This bug (781690) was mentioned in https://build.opensuse.org/request/show/177676 Factory / java-1_7_0-openjdk -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=781690 https://bugzilla.novell.com/show_bug.cgi?id=781690#c16 --- Comment #16 from Swamp Workflow Management 2013-08-01 13:04:26 UTC --- openSUSE-SU-2013:1288-1: An update that fixes 30 vulnerabilities is now available. Category: security (moderate) Bug References: 781690,828665 CVE References: CVE-2013-1500,CVE-2013-1571,CVE-2013-2407,CVE-2013-2412,CVE-2013-2443,CVE-2013-2444,CVE-2013-2445,CVE-2013-2446,CVE-2013-2447,CVE-2013-2448,CVE-2013-2449,CVE-2013-2450,CVE-2013-2451,CVE-2013-2452,CVE-2013-2453,CVE-2013-2454,CVE-2013-2455,CVE-2013-2456,CVE-2013-2457,CVE-2013-2458,CVE-2013-2459,CVE-2013-2460,CVE-2013-2461,CVE-2013-2463,CVE-2013-2465,CVE-2013-2469,CVE-2013-2470,CVE-2013-2471,CVE-2013-2472,CVE-2013-2473 Sources used: openSUSE 12.3 (src): java-1_7_0-openjdk-1.7.0.6-8.18.1 openSUSE 12.2 (src): java-1_7_0-openjdk-1.7.0.6-3.41.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=781690 https://bugzilla.novell.com/show_bug.cgi?id=781690#c18 --- Comment #18 from Michal Vyskocil 2013-08-07 12:18:05 UTC --- (In reply to comment #17)

The simple installation of java-1_7_0-openjdk-1.7.0.6-8.18.1 does not solve the problem for an existing 12.3 system. I needed to manually recreate the file.

Hi, the code does not touch the cacerts in a case it is a java keystore, because we do not want to touch user's supplied cacerts files by default.

BTW, it seems that java 1.5.0 can read while 1.7.0 cannot. After recreating, it is the opposite.

This is because you've had gcc-java in JAVA_HOME, so it have happened the /var/lib/ca-certificates/java-cacerts have had gcc own incompatible keystore format. The /var/lib/ca-certificates/java-cacerts should contain openjdk compatible format, where /var/lib/ca-certificates/gcj-cacerts is file readable by gcc-java and created by /usr/bin/gij executable. See /usr/lib/ca-certificates/update.d/java.run for details BTW: unfortunately there is no easy way how to detect file with a proper mime type, but wrong format as keytool is in -devel (SDK) package only. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.