Bug 483483

Summary: Can't open SSL connection
Product: [Fedora] Fedora EPEL
Reporter: Alex <abcoyle>
Component: java-1.6.0-openjdk
Assignee: Lubomir Rintel <lkundrak>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low
Version: el5
CC: lkundrak
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2009-02-04 06:51:03 UTC

Description Alex 2009-02-01 17:22:06 UTC
Description of problem: Can't open SSL connection to server


Version-Release number of selected component (if applicable): 1.0.b12.el5.2


How reproducible: Every time


Steps to Reproduce:
1. Install java-1.6.0-openjdk package on CentOS 5.0
2. Run a Java program that tries to open an SSL connection, e.g. 'ec2-describe-images' tool provided with the Amazon EC2 Api Tools.
  
Actual results:

javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error:
java.security.InvalidAlgorithmParameterException:
the trustAnchors parameter must be non-empty

Expected results:

SSL connection successfully opened to server.

Additional info:

After a bit of Googling around, this problem could be due to the fact that for EPEL (unlike Fedora) the Open JDK packages do not seem to depend on the 'ca-certificates' package, which (on Fedora) contains the root CA certificates for java, '/etc/pki/java/cacerts'.

Comment 1 Lubomir Rintel 2009-02-04 06:51:03 UTC
This won't be fixed, since Red Hat ships the java-1.6.0-openjdk package in RHEL-5.3, obsoleting this package in EPEL. Unfortunately they did not agree with EPEL on NVR, so you have to manually override the packages in repository configuration.

If you can't use the RHEL-5.3 packages, you can fix this by getting the cacerts file from a working installation (/etc/pki/java/cacerts from Fedora's ca-certificates package, or /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/lib/security/cacerts from RHEL 5.3 OpenJDK package, or equivalent from Sun JRE) and placing it in /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/lib/security/cacerts.

I can confirm this works with EC2 tools.
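
As an added example (not part of the bug report or of the OpenJDK packages), the Java program below shows why a keystore with no trusted certificate entries produces the reported exception, and checks whether a given cacerts file actually holds any trust anchors. The class name TrustAnchorCheck and the default path derived from java.home are assumptions; the code is written to compile on Java 6.

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.util.Collections;

// Added example (hypothetical class name), not code from the OpenJDK package.
public class TrustAnchorCheck {

    // Count entries that can act as trust anchors (trusted certificate entries).
    static int countTrustedCerts(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) n++;
        }
        return n;
    }

    // Load a keystore file with a null password (the integrity check is skipped).
    static KeyStore load(File f) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(f);
        try { ks.load(in, null); } finally { in.close(); }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // 1. A constructed, empty keystore triggers the same exception type
        //    that the SSL handshake in the report wraps.
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        try {
            new PKIXParameters(empty);
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("empty store -> " + e.getMessage());
        }

        // 2. Inspect a cacerts file: the path given as argument, or (assumption)
        //    the JRE default location under java.home.
        File f = new File(args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts");
        if (!f.isFile() || f.length() == 0) { // also catches a dangling symlink
            System.out.println(f + ": missing or empty, no trust anchors");
            System.exit(1);
        }
        int n = countTrustedCerts(load(f));
        System.out.println(f + ": " + n + " trusted certificate entries");
        System.exit(n > 0 ? 0 : 1);
    }
}
```

Running it against the cacerts path before and after copying the file from a working installation shows whether the replacement took effect; a non-zero exit status means the JRE still has no usable trust anchors at that path.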