[fedora-java] Re: ssl connections, cacerts

Anthony Green green at redhat.com
Mon Jul 31 21:22:47 UTC 2006


On Mon, 2006-07-31 at 13:24 -0700, Casey Marshall wrote:
> Most GNU/Linux distributions have packages for a list of root  
> certificates, usually as just a bunch of separate PEM files. Does  
> Fedora have something like that? 

Yes.  It looks like openssl ships with certificates. kdelibs does as
well.  Perhaps there are others.

> If so, one good way to fix this  
> would be to generate a cacerts file (using gkeytool) that contains  
> the same list of certificates, and add that to the GCJ RPM. It is  
> somewhat preferable for distributions to figure out which root  
> certificates they want to use, than for Classpath to arbitrarily  
> decide what certificates to include, IMO.

Sounds good.  This should probably go in the java-1.4.2-gcj-compat
package (our JDK compatibility layer on top of gcj).  We could simply
"BuildRequire" openssl to generate and package the cacerts files.

> Does that make sense? I can explain how to generate such a cacerts  
> file from a bunch of separate certificates, if you like.

That would be great.  I've never run gkeytool before.

> Additionally, loading cacerts isn't even necessary with Classpath:  
> Jessie uses an internal list of root certificates (approximately the  
> same list you'll find by default in e.g. Firefox) if no other  
> certificates are provided. Nice to see that the RSSOwl people had to  
> make this crap so "Easy." A bug (or maybe just some harsh words)  
> upstream is also advisable.

Ok.

Thanks,

AG




