Bug 567504 - Use system trust store on Windows instead of cacerts #929
Conversation
|
Do we generally expect that the Windows trust store will be more up-to-date? I.e., is there a possibility that a recently published Termurin-based JRE would have root certificates not in the Windows trust store? |
That's certainly a possibility but unlikely that this should cause any trouble. Microsoft regularly updates the trusted roots: I guess it comes down to what expectations of users we want to fulfill. The operating system trust store is the one users are used to (e.g. in browsers) and what they probably expect to be used in arbitrary 3rd party applications. It may also contains corporate specific certificates. Our experience is that it is quite unintuitive that the EPP packages come with their own cacerts ('Why does it work in my browser but not in Eclipse?') |
|
This issue of certificates used by a corporate firewall is quite a common problem and with an embedded JRE this is even harder for users to fix, especially for the installer where the whole thing is packaged as a *.exe... |
|
Note that I tried these options in the installer, but the result just hangs trying to access the internet. I have not had time to track down what might be causing that. Maybe the installer is special because it extracts itself into the temp folder. Using the options with a debug launch works fine... |
I went trough the JDK sources and apparently the correct properties to set actually are instead of Can you see if using |
|
Yes, the installer works with this in the product: |
|
Is there anything still planned here? |
|
I've not changed this for the installer because I'm kind of scared to do that because this isn't something I can really test... |
|
So should this one be closed if nothing will be done? |
|
I do get the feeling this is a correct and good thing. I’ve seen more than once this solves problems inside firewalls. |
|
@sratz: Should we merge this? |
sratz
force-pushed
the
windows-truststore
branch
from
0e47035 to
583c1db
Compare
I updated the PR to use the correct Technically this works, but
|
|
@niraj-modi Would you please review this one as it's Windows specific? |
|
What is the status here? |
|
I've been experimenting with this today and hence I can definitely confirm that it really works. Previously I was able to access some sites only by adding the certificates to the Java installation's cacerts. But today updated some JDKs today then of course my workarounds stopped working. So this time I installed the certificates using crtmgr which helps make firefox happy and making the installer happy only after using these two options The installed IDE (Eclipse SDK) works well with these options too. There was mention of this also being easy to do on macos, I believe by using I think we should do the Windows this for EPP as well. And it would be great if someone knew if this worked well on macos too... |
merks
force-pushed
the
windows-truststore
branch
from
583c1db to
fba40a9
Compare
- -Djavax.net.ssl.trustStoreType=Windows-ROOT - -Djavax.net.ssl.trustStore=NONE eclipse-platform/eclipse.platform.releng.aggregator#929
- -Djavax.net.ssl.trustStoreType=Windows-ROOT - -Djavax.net.ssl.trustStore=NONE eclipse-platform/eclipse.platform.releng.aggregator#929
|
/request-license-review |
License review requests: After all reviews have concluded, re-run the license-vetting check from the Github Actions web-interface to update its status. Workflow run (with attached summary files): |
eclipse.platform.releng.tychoeclipsebuilder/eclipse.platform.repository/platform.product
Show resolved
Hide resolved
This looks promising! We will do some more extensive tests on macOS next week and update the PR. And I agree, this should go into all products (platform + EPP) in a coordinated manner. |
|
FYI, I spent an embarrassing amount of time tracking down why these options made the Tycho-built installers fail. It was simply because the module jdk.crypto.mscapi was not part of the minimal JustJ JRE which is now fixed: Because this module is specific to Windows, it's very well hidden in scheme of things, so I thought worth mentioning here. |
|
So the situation on macOS is more complicated. The correct system properties would be however this does NOT have the desired effect: macOS distinguishes between a 'System' keystore and a 'System Roots' keystore: The 'System' keystore contains those corporate certificates that we are interested in, but all the other commonly/publicly trusted CAs are in the 'System Roots' store. With the system properties above, we would only get access to the 'System' store and this would essentially break all existing standard scenarios, so is not an option. What we would need is a union of both keystores, which is currently not possible (neither is accessing the 'System Roots' nor is telling the JVM to use a union of multiple stores). |
|
The union is something that the JDK would need to support. It seems odd that it's so poorly support... In any case, do you plan to amend this PR to update sdk.product? M2 is rapidly approaching... |
Use the Windows operating system trust store instead of the cacerts bundled with the JVM. https://bugs.eclipse.org/bugs/show_bug.cgi?id=567504
sratz
force-pushed
the
windows-truststore
branch
from
fba40a9 to
8a2fa30
Compare
A union can be achieved in code via a custom We are using this already for our product-specific HTTPS calls, but as for setting this as the default system-wide SSLContext we could be too late in the game unless done at a very early stage after JVM startup. It would be better if the JVM provided more flexible configuration so this is not needed.
Done. |
|
/request-license-review |
License review requests: After all reviews have concluded, re-run the license-vetting check from the Github Actions web-interface to update its status. Workflow run (with attached summary files): |
|
Ignore the license thing. I'm so frustrated with that problem. 😱 eclipse-orbit/orbit-simrel#43 |
If there are still two ECF filetransfer providers included with Eclipse (apache httpclient 5 and java jre httpclient), and the fact that this issue remains unaddresssed as per Currently, these two providers handle SSLContext creation/init usage differently and so will respond differently to any additional/earlier customization of SSLContext (e.g. calling SSLContext.init in some other place in Eclipse).
Right. With all previous filetransfer providers SSLContext customization has been done for Eclipse install/update in the org.eclipse.ecf.ssl fragment. The java jre httpclient currently does not. |
|
My attempts to add some PKI into eclipse-platform did not seem to be well received. I was directed to try to utilize marketplace for a launching platform for PKI. I did just that. However, in my travels I have found a lot of different implementations of SSLContext throughout the eclipse package. Most of these implementations trounce on any SSLContext.getDefault() that may have been set up to a certain specification, i.e, SSLContext,init(keyMgr, trustMgr, securerandom) with valid parameters. |
|
I assume this PR is ready to merge. I believe this comment is @jonahgraham's approval: |
- -Djavax.net.ssl.trustStoreType=Windows-ROOT - -Djavax.net.ssl.trustStore=NONE eclipse-platform/eclipse.platform.releng.aggregator#929
Use the Windows operating system trust store instead of the cacerts bundled with the JVM.
https://bugs.eclipse.org/bugs/show_bug.cgi?id=567504