Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[cross-project-issues-dev] Platform: Enable usage of operating system root certificates / trust store in default SSLContext?
  • From: "Ratz, Sebastian" <sebastian.ratz@xxxxxxx>
  • Date: Wed, 7 Oct 2020 13:45:50 +0000
  • Accept-language: en-DE, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=sap.com; dmarc=pass action=none header.from=sap.com; dkim=pass header.d=sap.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=thTy2pCy5WT5Zn6S4gIcE1W+4LCqPhnPwOEeJ5V8sXA=; b=nkpXYgg0wOVboLpXE/kMBnVKmLLfpnQzSi/ckP4LeK2EidZ2W2nlsikjZIkOaAxbxV35hwABsdFF0vTDRFnb2zv1Mn08k88xTz0hTaVNj6ycmdogcOeXW+wuGWow7o8CqaRM6nq+40mLacI/fSKa2xlKHv4HaNsIpo/OiItBgmkF27bGwbJN149kgw/AptnkbFDzJQTaRUaLfDQXk7jm5wUAQbZ63crLF4lvatY/CfSy+5hu2d/pZUP6XDC1RvfJ4m/YImZ3sbbyl4ozVXlF4t8am2gfuUwelPL0vdHPQBW2fgqc+sLJmGYn4++EW1kRXwP4VCA6ni3it7YI4KuVfg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=T0kzJCnSP80WYnJY7mfcTSWqQIUrkhVNtbIxNGUM2NwHjuou4NqNrULXT70zggicXzETJYVR8nDUh5etqUnFzfKTihIDRWaIQ7a1sjxN5D0oSQJJzQtFVyg89aFrPuX0RE2wH84UKKR10qv+DGx2Ufd7VDgA2IGhYPUQCyVK4LbnYaAV/ruqHJ1QwS3BV2+wmPn0PpIXw6qYw9Oj6l9fKpDysLahE9hb409bpruV2UggjcnZwU9lBfcttBI89QluHrxBCaY2rlHa5AHuXeMMXMY7hPdAX7hJ09F6BTXTv6eDDSDgDg+eggxZOg97zyn3fNug5RtGM4+oMosjLqXRKg==
  • Delivered-to: cross-project-issues-dev@xxxxxxxxxxx
  • Ironport-sdr: MVTdXvF0L0FOVLN8TT0fcpqKG+rgkvq/xD3wL6joAPvM5vnzGwgblgyeEvuneldHBnm/oy8LnR eRsCRz2uPC+QRoWL1gIhKZ7+qgX7TEU4TJ1dOv1AsMmT0YRbvIrF7sVeze4/v6HqYUKsf6ohqo V6Vpq0IFl25UnTb8iTRcb6R1VpE5AnKFkFWtodHFbSs3FoapVCeziyiRqQLGbBRjTVAItMyrMf yGOctmKMMlCR1bPuEamGB9JbxIHwPa2R5mccLW0pbXiSzS/+gXAPYQJhtT5Pr/Qax93OOGEOWe WlHaUgi6NhXkTqmNbshotbjc
  • List-archive: <https://www.eclipse.org/mailman/private/cross-project-issues-dev>
  • List-help: <mailto:cross-project-issues-dev-request@eclipse.org?subject=help>
  • List-subscribe: <https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev>, <mailto:cross-project-issues-dev-request@eclipse.org?subject=subscribe>
  • List-unsubscribe: <https://www.eclipse.org/mailman/options/cross-project-issues-dev>, <mailto:cross-project-issues-dev-request@eclipse.org?subject=unsubscribe>
  • Thread-index: AdacqP/vNzwnird4TWag+TZRE9AdeA==
  • Thread-topic: Platform: Enable usage of operating system root certificates / trust store in default SSLContext?

Hello,

 

A JVM brings its own set of root CA certificates as the root of trust (lib/security/cacerts).

 

This also means that Eclipse relies on that trust store for every HTTPS call, e.g. the update mechanism (Eclipse update sites use HTTPS since not too long, so this was not that big of a problem before).

 

 

However – especially in many corporate environments – TLS injection proxies are deployed that hook into TLS connections and re-sign traffic using a new certificate.

Usually this certificate is also deployed into the operating system trust store, such that browser and other functionality is not impacted.

However, since Eclipse relies on the JVM trust store, Eclipse is left out of the loop here.

 

This then leads to typical problems such as

sun.security.validator.ValidatorException … PKIX path building failed: sun.security.provider.SunCertPathBuilderException: unable to find valid certification path to requested target

 

 

In order to work around that issue we have implemented an javax.net.ssl.SSLContext with custom X509KeyManager and X509TrustManager that additionally load the operating system trust/key store (Windows-ROOT and Windows-MY on Windows, and KeychainStore on macOs). We use this for HTTPS calls that we make from within our own plugins.

 

But since we do not modify the JVM-wide default (javax.net.ssl.SSLContext.setDefault(SSLContext)) in order to avoid influencing any potential 3rd-party plugins, we still have to deal with customer problems where e.g. the update mechanism is affected.

 

 

Is there interest in the platform to have this functionality in the core platform?

 

We could then contribute our implementation and Eclipse Platform could then use SSLContext.setDefault() to modify the default very early-on during startup, optionally with a preference to enable/disable this behavior.

 

 

An initial list that would be affected by (would benefit from) this:

  • Update mechanism
  • EGit

 

Since the embedded browser has always used the OS trust store, a discrepancy between that and HTTPS calls made from within Eclipse would also be resolved.

 

 

Best regards,

Sebastian Ratz

Back to the top