-
Notifications
You must be signed in to change notification settings - Fork 74
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 567504 - Use system trust store on Windows instead of cacerts #929
base: master
Are you sure you want to change the base?
Conversation
Do we generally expect that the Windows trust store will be more up-to-date? I.e., is there a possibility that a recently published Termurin-based JRE would have root certificates not in the Windows trust store? |
That's certainly a possibility but unlikely that this should cause any trouble. Microsoft regularly updates the trusted roots: I guess it comes down to what expectations of users we want to fulfill. The operating system trust store is the one users are used to (e.g. in browsers) and what they probably expect to be used in arbitrary 3rd party applications. It may also contains corporate specific certificates. Our experience is that it is quite unintuitive that the EPP packages come with their own cacerts ('Why does it work in my browser but not in Eclipse?') |
This issue of certificates used by a corporate firewall is quite a common problem and with an embedded JRE this is even harder for users to fix, especially for the installer where the whole thing is packaged as a *.exe... |
Note that I tried these options in the installer, but the result just hangs trying to access the internet. I have not had time to track down what might be causing that. Maybe the installer is special because it extracts itself into the temp folder. Using the options with a debug launch works fine... |
I went trough the JDK sources and apparently the correct properties to set actually are
instead of
Can you see if using |
Yes, the installer works with this in the product:
|
Is there anything still planned here? |
I've not changed this for the installer because I'm kind of scared to do that because this isn't something I can really test... |
So should this one be closed if nothing will be done? |
I do get the feeling this is a correct and good thing. I’ve seen more than once this solves problems inside firewalls. |
@sratz: Should we merge this? |
Use the Windows operating system trust store instead of the cacerts bundled with the JVM. https://bugs.eclipse.org/bugs/show_bug.cgi?id=567504
0e47035
to
583c1db
Compare
I updated the PR to use the correct Technically this works, but
|
@niraj-modi Would you please review this one as it's Windows specific? |
What is the status here? |
Use the Windows operating system trust store instead of the cacerts bundled with the JVM.
https://bugs.eclipse.org/bugs/show_bug.cgi?id=567504