Bug 483483 - Can't open SSL connection
Can't open SSL connection
Product: Fedora EPEL
Classification: Fedora
Component: java-1.6.0-openjdk (Show other bugs)
All Linux
low Severity high
: ---
: ---
Assigned To: Lubomir Rintel
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2009-02-01 12:22 EST by Alex
Modified: 2009-02-04 01:51 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-02-04 01:51:03 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Alex 2009-02-01 12:22:06 EST
Description of problem: Can't open SSL connection to server

Version-Release number of selected component (if applicable): 1.0.b12.el5.2

How reproducible: Every time

Steps to Reproduce:
1. Install java-1.6.0-openjdk package on CentOS 5.0
2. Run a Java program that tries to open an SSL connection, e.g. 'ec2-describe-images' tool provided with the Amazon EC2 Api Tools.
Actual results:

javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error:
the trustAnchors parameter must be non-empty

Expected results:

SSL connection sucessfully opened to server.

Additional info:

After a bit of Googling around, this problem could be due to the fact that for EPEL (unlike Fedora) the Open JDK packages do not seem to depend on the 'ca-certificates' package, which (on Fedora) contains the root CA certificates for java, '/etc/pki/java/cacerts'.
Comment 1 Lubomir Rintel 2009-02-04 01:51:03 EST
This won't be fixed, since Red Hat ships java-1.6.0-openjdk package in RHEL-5.3, obsoleting this package in EPEL. Unfortunatelly they did not agree with EPEL on NVR, so you have to manually override the packages in repository configuration.

If you can't use the RHEL-5.3 packages, can fix this by getting the cacerts file from a working installation (/etc/pki/java/cacerts from Fedora's ca-certificates package, or /usr/lib/jvm/java-1.6.0-openjdk- from RHEL 5.3 OpenJDK package, or equivalent from Sun JRE) and place it in /usr/lib/jvm/java-1.6.0-openjdk-

I can confirm this works with EC2 tools.

Note You need to log in before you can comment on or make changes to this bug.