JDK-7114555

Including the StartCom CA into the TrustStore

    Details

    • Type: Enhancement
    • Status: Closed
    • Priority: P4
    • Resolution: Duplicate
    • Affects Version/s: 7
    • Fix Version/s: None
    • Component/s: security-libs
    • Labels:

      Description

      A DESCRIPTION OF THE REQUEST :
      Please add the StartCom CA into the Java Trust Store.

      The website of the CA: http://www.startssl.com/

      The root certificate can be found here: http://www.startssl.com/certs/ca.cer

      JUSTIFICATION :
      This CA is trusted by nearly all browser vendors (Android, Safari, Mozilla Firefox, Google Chrome, Opera, Netscape, Internet Explorer and many more) and according to my information from Eddy Nigg the CA is among the top 10 issuers. I see no reason why Oracle should not trust StartCom. It is not clear why nearly all browsers trust StartCom-signed HTTPS websites, but Java does not.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      The root certificate of this CA should be added to the Java TrustStore, so that Secure Communications can be established.
      ACTUAL -
      An exception is thrown because the PKIX path cannot be verified.

      ---------- BEGIN SOURCE ----------
      import org.junit.Test;
      import java.io.IOException;
      import java.net.URL;
      import java.net.URLConnection;

      public class SecureCommunicationsTest {

          // Opens an HTTPS connection to a site whose certificate chains to the StartCom root.
          @Test
          public void startComTest() throws IOException {
              URL urlobj = new URL("https://www.startssl.com/");
              // Fails during the TLS handshake: the PKIX path cannot be built to a trusted root.
              urlobj.openConnection().getContent(); // Exception
          }

      }

      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      1) To work around this, you have to force the end-user to include the StartCom CA with keytool. This is not easy because not every user knows how to work with keytool and there will be the urge that users want to have support and/or don't trust our application because of the Exceptions that are thrown when legitimate websites are accessed via HTTPS.

      2) A very unclean workaround would be overwriting the TrustManager and allowing all certificates: https://www.viathinksoft.de/svn/statmon/trunk/jstatmon/src/de/viathinksoft/statusmon/interpreter/util/web/CustomTrustManager.java . I am not happy with this solution, but I do not want my users to get Exceptions for websites which are signed by a trustful CA.

      3) The third workaround would be creating our own TrustStore and adding it to the Java application:

      System.setProperty("javax.net.ssl.trustStore", "cacert.jks");
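
An added example (not part of the original report, and not JDK code): a variant of workaround 3 that keeps certificate validation on, unlike the trust-all TrustManager of workaround 2, by merging the JRE's default roots with one extra CA certificate and applying the result to a single connection. The class name, method name and the two command-line arguments (certificate file path, HTTPS URL) are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class ExtraRootTrust { // hypothetical class name

    /** Builds an SSLContext that trusts the JRE default roots plus one extra CA certificate. */
    static SSLContext contextWithExtraRoot(String caFile) throws Exception {
        String alg = TrustManagerFactory.getDefaultAlgorithm();
        // init(null) makes the factory load the JRE's default trust anchors (cacerts).
        TrustManagerFactory defaults = TrustManagerFactory.getInstance(alg);
        defaults.init((KeyStore) null);

        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        merged.load(null, null); // empty in-memory store, nothing is written to disk
        int i = 0;
        for (TrustManager tm : defaults.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    merged.setCertificateEntry("default-" + i++, c);
                }
            }
        }
        // Add the one extra root (DER or PEM file, e.g. a downloaded ca.cer).
        try (InputStream in = Files.newInputStream(Paths.get(caFile))) {
            merged.setCertificateEntry("extra-root",
                    CertificateFactory.getInstance("X.509").generateCertificate(in));
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(alg);
        tmf.init(merged);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // default key managers and RNG
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the CA certificate file, args[1]: HTTPS URL (both assumptions)
        SSLContext ctx = contextWithExtraRoot(args[0]);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // scoped to this connection only
        System.out.println(conn.getResponseCode()); // chain and hostname are still verified
    }
}
```

Setting `javax.net.ssl.trustStore` to a custom file replaces the default cacerts for the whole JVM, so a store built that way has to contain every root the application needs; verify the fingerprint of any root certificate out of band before bundling it.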

          Activity

          wetmore Bradford Wetmore added a comment -
          BT2:EVALUATION

          This appears to be a user request, and not coming from StartCom. Generally we work directly with the CA to include their certs into the cacerts file.
          mullan Sean Mullan added a comment -
          BT2:EVALUATION

          Yes, we do not accept requests from users to add new CA root certs in the JRE. The CA must initiate a request to be included in the JRE. I would encourage you to contact StartCom. See: http://www.oracle.com/technetwork/java/index-139231.html#1 for more information on submitting a request.

            People

            • Assignee:
              mullan Sean Mullan
              Reporter:
              webbuggrp Webbug Group