On Dec 7, 2009, at 3:51 AM, Brendon McLean wrote:
> On 7 Dec 2009, at 13:34 , Maarten Hazewinkel wrote:
>> I can confirm that this also affects my system.
>> I did some comparisons with a JDK 1.6 download on Linux, and the Apple-supplied cacerts file is much larger (179k instead of 74k), and appears to contain a lot more certificates.
>> There may be good reasons for that (I haven't had an opportunity to compare before and after the update).
>> It may also be an intentional change, but in that case I fail to see it in the release notes, where I would expect it to be mentioned.
>> In any case, this change does not prevent normal SSL based connections from working (I did a few tests to check that).
>> If it is intentional, it is probably based on the general idea that individual applications/users should not be messing about with the base cacerts file, but should be adding their own required certificates through other mechanisms, such as providing their own TrustManager.
> You're absolutely right that we shouldn't be messing around with the installed cacerts file. Unfortunately, this bad practice has become almost standard practice (largely owing to Java's rigid enforcement of trust for HTTPS connections). For example, in my case, it is the only way to connect to a Jetbrains TeamCity build server over HTTPS.
Please file a bug at <http://bugreporter.apple.com> requesting the cacerts keystore password to be changed back. I don't believe any of us realized that digging around in the cacerts file was such a common practice. It may also be worth filing an RFE at <http://bugs.sun.com/> for a more robust or lightweight way to supplement the cacerts data (obviously with the SecurityManager's blessing).
Please also note that the release notes (<http://developer.apple.com/mac/library/releasenotes/CrossPlatform/JavaSnowLeopardUpdate1LeopardUpdate6RN>) are not an exhaustive change fix list, but rather a list of bugs various team members think developers will be interested in.
Java Runtime Engineer
Apple Inc.
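
The alternative raised in the thread, supplying an application's own TrustManager instead of editing the installed cacerts file, shown as an added example that is not part of the original messages or any Apple or Sun code. The class name `SupplementalTrust`, its method names, and the keystore path and password parameters are assumptions made for illustration.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

// Hypothetical helper: trusts the JDK default CAs plus an application-owned keystore.
public final class SupplementalTrust {
    // A null store makes the factory fall back to the JDK default trust store (normally cacerts).
    static X509TrustManager managerFor(KeyStore store) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static SSLContext contextWith(String storePath, char[] password) throws Exception {
        KeyStore extra = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(storePath))) {
            extra.load(in, password); // the application's own store; cacerts is never modified
        }
        final X509TrustManager defaults = managerFor(null);
        final X509TrustManager extras = managerFor(extra);
        X509TrustManager combined = new X509TrustManager() {
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                try {
                    defaults.checkServerTrusted(chain, authType);
                } catch (CertificateException notInDefaults) {
                    extras.checkServerTrusted(chain, authType); // still throws if untrusted
                }
            }
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                throw new CertificateException("client certificates are not accepted here");
            }
            @Override public X509Certificate[] getAcceptedIssuers() {
                List<X509Certificate> all = new ArrayList<>(Arrays.asList(defaults.getAcceptedIssuers()));
                all.addAll(Arrays.asList(extras.getAcceptedIssuers()));
                return all.toArray(new X509Certificate[0]);
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { combined }, null);
        return ctx;
    }
}
```

The returned context's `getSocketFactory()` can be set on an individual `HttpsURLConnection` with `setSSLSocketFactory`, which keeps the extra trust scoped to the connections that need it rather than the whole JVM.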