JDK-7114555: Including the StartCom CA into the TrustStore

    • Type: Enhancement
    • Resolution: Duplicate
    • Priority: P4
    • None
    • 7
    • Component: security-libs

      A DESCRIPTION OF THE REQUEST :
      Please add the StartCom CA into the Java Trust Store.

      The website of the CA: http://www.startssl.com/

      The root certificate can be found here: http://www.startssl.com/certs/ca.cer

      JUSTIFICATION :
      This CA is trusted by nearly all browser vendors (Android, Safari, Mozilla Firefox, Google Chrome, Opera, Netscape, Internet Explorer and many more) and according to my information from Eddy Nigg the CA is among the top 10 issuers. I see no reason why Oracle should not trust StartCom. It is not clear why nearly all browsers trust StartCom-signed HTTPS websites, but Java does not.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      The root certificate of this CA should be added to the Java TrustStore, so that Secure Communications can be established.
      ACTUAL -
      An exception is thrown because the PKIX path cannot be verified.

      ---------- BEGIN SOURCE ----------
      import org.junit.Test;
      import java.io.IOException;
      import java.net.URL;
      import java.net.URLConnection;

      public class SecureCommunicationsTest {

          @Test
          public void startComTest() throws IOException {
              URL urlobj = new URL("https://www.startssl.com/");
              // Fails with an SSLHandshakeException: the PKIX path cannot be built
              // because the StartCom root is not in the default Java TrustStore.
              urlobj.openConnection().getContent(); // Exception
          }

      }
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      1) To work around this, you have to force the end-user to include the StartCom CA with keytool. This is not easy because not every user knows how to work with keytool and there will be the urge that users want to have support and/or don't trust our application because of the Exceptions that are thrown when legitimate websites are accessed via HTTPS.

      2) A very unclean workaround would be overwriting the TrustManager and allowing all certificates: https://www.viathinksoft.de/svn/statmon/trunk/jstatmon/src/de/viathinksoft/statusmon/interpreter/util/web/CustomTrustManager.java . I am not happy with this solution, but I do not want my users to get Exceptions for websites which are signed by a trustful CA.

      3) The third workaround would be creating your own TrustStore and adding it to the Java application:

      System.setProperty("javax.net.ssl.trustStore", "cacert.jks");
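A safer form of the third workaround, added here as an illustration and not part of the original report: instead of trusting every certificate (workaround 2) or switching the whole JVM to another store via the system property, load a dedicated truststore that contains only the extra CA and attach it to the one connection that needs it. The store path "cacert.jks", the alias "startcom" and the password are placeholders; the CA certificate is assumed to have been imported with the keytool command shown in the comment.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class CustomTrustStoreExample {

    // Builds an SSLSocketFactory that trusts exactly the CAs contained in the
    // given truststore. Certificate chains are still validated (PKIX), unlike
    // a trust-all TrustManager; only the set of trusted roots changes.
    //
    // Truststore prepared beforehand (placeholder alias/path/password), e.g.:
    //   keytool -importcert -alias startcom -file ca.cer -keystore cacert.jks
    static SSLSocketFactory socketFactoryFor(String trustStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // "cacert.jks" / "changeit" are placeholders for the application's own store.
        SSLSocketFactory sf = socketFactoryFor("cacert.jks", "changeit".toCharArray());
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://www.startssl.com/").openConnection();
        // Scoped to this connection only; the JVM-wide default truststore is untouched.
        conn.setSSLSocketFactory(sf);
        conn.getContent();
    }
}
```

Because the default cacerts are not replaced, connections to sites signed by the standard roots keep working, and the added root can be revoked by simply removing it from the application's own store.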

            Assignee: Sean Mullan (mullan)
            Reporter: Webbug Group (webbuggrp)