Project: Lucee Development
LDEV-916

Included cacerts trust store is out of date

    Details

    • Type: Bug
    • Status: Deployed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 4.5.2.018, 5.0.0.252, 5.1.0.17
    • Fix Version/s: 5.0.1.80
    • Environment:

      Tested on Mac and Linux, on Tomcat and with express, verified in slack #docker

      Description

      cacerts trust store included with Lucee is from September of 2015... In particular a bunch of CA changes were made to the Mozilla CA trust store in December of 2015, which are missing.

      Notably, Mailgun's cert, watsonplatform's cert....

      I'm not sure why Lucee is packaging a truststore in the jar - it seems the OS and JVM would both have more up to date versions than what is included in git. In particular, Lucee's trust store has 153 CAs in it. Debian's trust store from December has 174 certificates in it.

      http://metadata.ftp-master.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20141019+deb8u1_changelog

      Short term fix -
      1) Docker images should copy from Debian's trust store into lucee. This has already been done and accepted by @modius. https://github.com/lucee/lucee-dockerfiles/pull/28
      2) AMI images for Lucee should do the same thing - if using Debian/Ubuntu as a base, make sure your ca-certificates package is generating /etc/ssl/certs/java/cacerts. (you may need ca-certificates-java) Copy that cacerts file over top of the one at lucee-server/context/security/cacerts before imaging. (mental note - CC Patrick Quinn)
      3) I will issue PRs for 4.5, 5.0 and 5.1 to update the cacerts file (with a test case) to the most recent store from debian jessie.

      For Long Term - I think it's worth discussing whether Lucee should distribute a trust store at all. I would argue that Lucee should not. The OS and JVM will likely have more up to date versions, and honoring the system property allows the user to control the trust store further. In the default case now, the store is old. In the default case if we didn't distribute a store, it would be more up to date.

      More tickets forthcoming to further discuss why Lucee distributes a trust store - and if it's solely to allow adding certs via the administrator, they should be merged in with the system store, not create a separate point of maintenance.
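A quick way to check whether a Lucee trust store is behind the system store is to compare the two by certificate fingerprint rather than by entry count or alias (aliases and ordering differ between stores, and the raw count in the report above hides which CAs are missing). The script below is an added example, not part of this ticket or of Lucee itself. It assumes the Lucee JKS store has been exported to PEM with the standard `keytool -list -rfc -keystore lucee-server/context/security/cacerts` command (using whatever store password the deployment uses) and that the system bundle is a PEM file such as Debian's /etc/ssl/certs/ca-certificates.crt; the sample bundles embedded in it are constructed placeholders, not real certificates, so the diff logic can run offline.

```python
"""Diff two CA bundles by SHA-256 fingerprint of the DER certificate.

Added example (not Lucee project code). Assumed inputs: PEM text, e.g. the
output of `keytool -list -rfc -keystore <lucee cacerts>` for the Lucee side
and /etc/ssl/certs/ca-certificates.crt for the Debian/Ubuntu side.
"""
import base64
import hashlib
import re
import sys

# keytool -rfc output interleaves "Alias name:" lines with PEM blocks; the
# regex keeps only the base64 body of each CERTIFICATE block.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_fingerprints(pem_text):
    """Return {sha256_hex: der_bytes} for every CERTIFICATE block in pem_text.

    Keying on the DER fingerprint makes the comparison independent of
    alias names, line wrapping and entry order, which all vary between a
    JKS export and an OS bundle.
    """
    out = {}
    for match in PEM_BLOCK.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        out[hashlib.sha256(der).hexdigest()] = der
    return out


def compare_stores(system_pem, lucee_pem):
    """Summarise what the Lucee store lacks relative to the system store."""
    sys_fps = pem_fingerprints(system_pem)
    lucee_fps = pem_fingerprints(lucee_pem)
    return {
        "system_count": len(sys_fps),
        "lucee_count": len(lucee_fps),
        # CAs the OS trusts that the shipped Lucee store does not know about
        "missing_in_lucee": sorted(set(sys_fps) - set(lucee_fps)),
        # entries only in Lucee, e.g. certs added via the administrator
        "only_in_lucee": sorted(set(lucee_fps) - set(sys_fps)),
    }


def _fake_pem(payload, width=64):
    """Constructed placeholder block (NOT a real certificate) for offline runs."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample bundles: three "CAs" on the system side, two on the
# Lucee side. The Lucee copy of CA #2 is wrapped at a different width to
# show that fingerprinting ignores PEM formatting.
SYSTEM_BUNDLE = (
    _fake_pem(b"constructed placeholder CA number one  " * 4)
    + _fake_pem(b"constructed placeholder CA number two  " * 4)
    + _fake_pem(b"constructed placeholder CA number three" * 4)
)
LUCEE_BUNDLE = (
    "Alias name: placeholderca1\n"
    + _fake_pem(b"constructed placeholder CA number one  " * 4)
    + "Alias name: placeholderca2\n"
    + _fake_pem(b"constructed placeholder CA number two  " * 4, width=76)
)


def main(argv):
    """Usage: compare_stores.py [system.pem lucee-export.pem]"""
    if len(argv) == 3:
        with open(argv[1]) as f_sys, open(argv[2]) as f_lucee:
            report = compare_stores(f_sys.read(), f_lucee.read())
    else:
        report = compare_stores(SYSTEM_BUNDLE, LUCEE_BUNDLE)
    print("system store entries :", report["system_count"])
    print("lucee store entries  :", report["lucee_count"])
    print("missing in lucee     :", len(report["missing_in_lucee"]))
    for fp in report["missing_in_lucee"]:
        print("  sha256", fp)
    print("only in lucee        :", len(report["only_in_lucee"]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the constructed sample, or pass the system bundle and a keytool export to diff real stores. A non-empty "missing in lucee" list is the condition this ticket describes; a non-empty "only in lucee" list is what would be lost by simply copying the system cacerts over the Lucee one, which is why the merge question at the end of the report matters.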

              People

              • Assignee:
                michaeloffner Michael Offner
                Reporter:
                whitemystic Joseph Gooch