Bug 483483 - Can't open SSL connection
Summary: Can't open SSL connection
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: java-1.6.0-openjdk
Version: el5
Hardware: All
OS: Linux
low
high
Target Milestone: ---
Assignee: Lubomir Rintel
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-02-01 17:22 UTC by Alex
Modified: 2009-02-04 06:51 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-02-04 06:51:03 UTC
Type: ---
Embargoed:



Description Alex 2009-02-01 17:22:06 UTC
Description of problem: Can't open SSL connection to server


Version-Release number of selected component (if applicable): 1.0.b12.el5.2


How reproducible: Every time


Steps to Reproduce:
1. Install java-1.6.0-openjdk package on CentOS 5.0
2. Run a Java program that tries to open an SSL connection, e.g. 'ec2-describe-images' tool provided with the Amazon EC2 Api Tools.
  
Actual results:

javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error:
java.security.InvalidAlgorithmParameterException:
the trustAnchors parameter must be non-empty

Expected results:

SSL connection successfully opened to server.

Additional info:

After a bit of Googling around, this problem could be due to the fact that for EPEL (unlike Fedora) the Open JDK packages do not seem to depend on the 'ca-certificates' package, which (on Fedora) contains the root CA certificates for java, '/etc/pki/java/cacerts'.

Comment 1 Lubomir Rintel 2009-02-04 06:51:03 UTC
This won't be fixed, since Red Hat ships java-1.6.0-openjdk package in RHEL-5.3, obsoleting this package in EPEL. Unfortunately they did not agree with EPEL on NVR, so you have to manually override the packages in repository configuration.

If you can't use the RHEL-5.3 packages, you can fix this by getting the cacerts file from a working installation (/etc/pki/java/cacerts from Fedora's ca-certificates package, or /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/lib/security/cacerts from RHEL 5.3 OpenJDK package, or equivalent from Sun JRE) and place it in /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/lib/security/cacerts

I can confirm this works with EC2 tools.
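
A quick check for the condition behind the "trustAnchors parameter must be non-empty" error, added here as an example and not part of the original bug report: it reads the header of a cacerts file and reports whether the file is missing, is not a JKS keystore, or holds zero entries. The function names and verdict strings are made up for this example, and it assumes the trust store is in JKS format.

```shell
#!/bin/sh
# Added example: inspect the header of a Java JKS trust store (cacerts).
# JKS header, big-endian: 4-byte magic 0xFEEDFEED, 4-byte version,
# 4-byte entry count. A missing file or a store with no entries leaves
# the JVM with no trust anchors.

# hex_at FILE OFFSET LENGTH: print LENGTH bytes at OFFSET as plain hex.
hex_at() {
    od -An -tx1 -j "$2" -N "$3" "$1" 2>/dev/null | tr -d ' \n'
}

# check_cacerts FILE: print a one-line verdict.
# Returns 0 only for a JKS file whose header reports at least one entry.
check_cacerts() {
    f=$1
    # -s follows symlinks, so a dangling link is reported as missing.
    if [ ! -s "$f" ]; then
        echo "MISSING_OR_EMPTY $f"
        return 1
    fi
    magic=$(hex_at "$f" 0 4)
    cnt_hex=$(hex_at "$f" 8 4)
    if [ "$magic" != "feedfeed" ] || [ "${#cnt_hex}" -ne 8 ]; then
        echo "NOT_JKS $f"
        return 2
    fi
    # The header count covers every entry in the store, whatever its type.
    count=$(( 0x$cnt_hex ))
    if [ "$count" -eq 0 ]; then
        echo "NO_ENTRIES $f"
        return 3
    fi
    echo "OK $f entries=$count"
    return 0
}

# Usage, with the path named in the comment above:
#   sh check_cacerts.sh /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/lib/security/cacerts
if [ "$#" -gt 0 ]; then
    check_cacerts "$1"
fi
```

A passing result only says the store is well-formed and populated. `keytool -list -keystore <file>` shows which CAs it actually trusts, which matters when the file was copied from another machine.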

