Details
- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- Affects Version/s: 2.11.1.6
- Component/s: web service bug
- Labels: None
- Environment: Windows, macOS, Linux
  Java 1.8, Java 11 even with up-to-date replacement
Description
The new PFAM SSL certificates (which had previously been out of date from 27 Dec 2021, and were replaced on 10 Jan 2022) have an incomplete certificate chain, involving one downloadable intermediate Go Daddy certificate.
See https://www.ssllabs.com/ssltest/analyze.html?d=pfam.xfam.org and look for Certificate chain.
The cacerts in the bundled JRE is quite old, but even the most up-to-date JRE cacerts do not contain this either.
After trying various possibilities, I think the best fix for this will be to add
-Dcom.sun.security.enableAIAcaIssuers=true
as a property, ideally in jalview.bin.Jalview, but if it needs to be at launch, then in jalview.bin.Launcher and getdown. See https://security.stackexchange.com/questions/162592/why-do-i-need-to-add-intermediate-ca-certificates-to-jvms-cacerts-file
I will also contact xfam.org to ask if they can include the intermediate certificate which will fix previous versions.
Issue Links
- blocks
  JAL-3941 cannot fetch sequences from PFAM (Closed)
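The incomplete-chain failure this issue describes can be reproduced offline. The following is an added example, not part of the original issue: it builds a constructed root, intermediate and leaf with openssl (all names and file paths are made up) and shows verification failing when the intermediate is withheld. Supplying the intermediate with -untrusted stands in for either fix: the server sending it, or the client fetching it through the certificate's AIA pointer.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: every name and file below is made up for this example.

# make_demo_pki DIR: create root -> intermediate -> leaf certificates in DIR.
make_demo_pki() {
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$1/demo.cnf" || return 1
  # Self-signed root: the only certificate the client trusts (the role of cacerts).
  openssl req -x509 -config "$1/demo.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Demo Root" -keyout "$1/root.key" -out "$1/root.pem" \
    >/dev/null 2>&1 || return 1
  # Intermediate CA signed by the root: the certificate the server fails to send.
  openssl req -new -config "$1/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate" -keyout "$1/int.key" -out "$1/int.csr" \
    >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -set_serial 2 -days 2 -extfile "$1/demo.cnf" -extensions ca -out "$1/int.pem" \
    >/dev/null 2>&1 || return 1
  # Leaf (server) certificate signed by the intermediate.
  openssl req -new -config "$1/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=leaf.example" -keyout "$1/leaf.key" -out "$1/leaf.csr" \
    >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -set_serial 3 -days 2 -out "$1/leaf.pem" >/dev/null 2>&1 || return 1
}

# chain_verifies ROOT LEAF [INTERMEDIATE]: exit status 0 if LEAF chains to ROOT.
# INTERMEDIATE is offered as an untrusted helper certificate, never as a trust anchor.
chain_verifies() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Run with --demo to print both outcomes.
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d) || exit 1
  make_demo_pki "$d" || exit 1
  chain_verifies "$d/root.pem" "$d/leaf.pem" || echo "leaf alone: verification fails"
  chain_verifies "$d/root.pem" "$d/leaf.pem" "$d/int.pem" && echo "leaf + intermediate: OK"
  rm -rf "$d"
fi
```

In both cases the trust decision still rests on the root alone; the intermediate only completes the path.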