Load default Java truststore for --use-system-truststore #19365

Open
wants to merge 1 commit into
base: master

Member

@oneonestar oneonestar commented Oct 11, 2023

Description

Fix #19353 (--use-system-truststore won't use default Java truststore)

Additional context and related issues

The default Java truststore hasn't been used in Linux.

// This should be the correct way to load the Java default truststore
trustManagerFactory.init((KeyStore) null);

// However we are doing something like this:
KeyStore trustStore = KeyStore.getInstance(systemTrustStoreType.orElse(KeyStore.getDefaultType()));
trustStore.load(null, null);
...
trustManagerFactory.init(trustStore);

Release notes

( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
(x) Release notes are required, with the following suggested text:

# Section
* Fix --use-system-truststore won't use default Java truststore. ({issue}`19353`)

Test

Before fix
bash-5.1# cat /etc/rocky-release
Rocky Linux release 9.2 (Blue Onyx)

bash-5.1# java -Djavax.net.debug=ssl -jar ./ori-trino-cli-428-executable.jar   --server https://<Trino>:443   --use-system-truststore   --user test_user --debug   --keystore-path=./client_keystore.pem   --execute="select 1"
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:22.313 JST|SSLCipher.java:466|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:22.325 JST|SSLCipher.java:466|jdk.tls.keyLimits:  entry =  ChaCha20-Poly1305 KeyUpdate 2^37. CHACHA20-POLY1305:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:22.815 JST|SSLCipher.java:1870|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:22.817 JST|SSLCipher.java:2024|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|WARNING|10|main|2023-10-12 08:49:22.831 JST|SSLSocketImpl.java:1676|handling exception (
"throwable" : {
  java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
  	at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:101)
  	at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
  	at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:309)
  	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:183)
  	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:198)
  	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
  	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341)
  	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
  	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
  	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
  	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
  	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
  	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
  	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
  	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
  	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
  	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
  	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
  	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
  	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
  	at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
  	at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
  	at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
  	at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
  	at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
  	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
  	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
  	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
  	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
  	at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
  	at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
  	at io.trino.client.JsonResponse.execute(JsonResponse.java:113)
  	at io.trino.client.StatementClientV1.<init>(StatementClientV1.java:126)
  	at io.trino.client.StatementClientFactory.newStatementClient(StatementClientFactory.java:28)
  	at io.trino.cli.QueryRunner.startInternalQuery(QueryRunner.java:99)
  	at io.trino.cli.QueryRunner.startQuery(QueryRunner.java:85)
  	at io.trino.cli.Console.process(Console.java:363)
  	at io.trino.cli.Console.executeCommand(Console.java:318)
  	at io.trino.cli.Console.run(Console.java:182)
  	at io.trino.cli.Console.call(Console.java:109)
  	at io.trino.cli.Console.call(Console.java:79)
  	at picocli.CommandLine.executeUserObject(CommandLine.java:2041)
  	at picocli.CommandLine.access$1500(CommandLine.java:148)
  	at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2461)
  	at picocli.CommandLine$RunLast.handle(CommandLine.java:2453)
  	at picocli.CommandLine$RunLast.handle(CommandLine.java:2415)
  	at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2273)
  	at picocli.CommandLine$RunLast.execute(CommandLine.java:2417)
  	at picocli.CommandLine.execute(CommandLine.java:2170)
  	at io.trino.cli.Trino.main(Trino.java:47)
  Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
  	at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
  	at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
  	at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
  	at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:98)
  	... 53 more}

)
javax.net.ssl|ERROR|10|main|2023-10-12 08:49:22.833 JST|TransportContext.java:370|Fatal (INTERNAL_ERROR): Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty (
"throwable" : {
  java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
  	at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:101)
  	at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
  	at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:309)
  	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:183)
  	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:198)
  	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
  	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341)
  	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
  	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
  	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
  	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
  	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
  	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
  	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
  	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
  	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
  	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
  	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
  	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
  	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
  	at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
  	at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
  	at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
  	at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
  	at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
  	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
  	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
  	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
  	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
  	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
  	at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
  	at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
  	at io.trino.client.JsonResponse.execute(JsonResponse.java:113)
  	at io.trino.client.StatementClientV1.<init>(StatementClientV1.java:126)
  	at io.trino.client.StatementClientFactory.newStatementClient(StatementClientFactory.java:28)
  	at io.trino.cli.QueryRunner.startInternalQuery(QueryRunner.java:99)
  	at io.trino.cli.QueryRunner.startQuery(QueryRunner.java:85)
  	at io.trino.cli.Console.process(Console.java:363)
  	at io.trino.cli.Console.executeCommand(Console.java:318)
  	at io.trino.cli.Console.run(Console.java:182)
  	at io.trino.cli.Console.call(Console.java:109)
  	at io.trino.cli.Console.call(Console.java:79)
  	at picocli.CommandLine.executeUserObject(CommandLine.java:2041)
  	at picocli.CommandLine.access$1500(CommandLine.java:148)
  	at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2461)
  	at picocli.CommandLine$RunLast.handle(CommandLine.java:2453)
  	at picocli.CommandLine$RunLast.handle(CommandLine.java:2415)
  	at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2273)
  	at picocli.CommandLine$RunLast.execute(CommandLine.java:2417)
  	at picocli.CommandLine.execute(CommandLine.java:2170)
  	at io.trino.cli.Trino.main(Trino.java:47)
  Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
  	at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
  	at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
  	at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
  	at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:98)
  	... 53 more}

)
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:22.835 JST|SSLSocketImpl.java:1759|close the underlying socket
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:22.835 JST|SSLSocketImpl.java:1785|close the SSL connection (passive)
java.io.UncheckedIOException: javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
	at io.trino.client.JsonResponse.execute(JsonResponse.java:146)
	at io.trino.client.StatementClientV1.<init>(StatementClientV1.java:126)
	at io.trino.client.StatementClientFactory.newStatementClient(StatementClientFactory.java:28)
	at io.trino.cli.QueryRunner.startInternalQuery(QueryRunner.java:99)
	at io.trino.cli.QueryRunner.startQuery(QueryRunner.java:85)
	at io.trino.cli.Console.process(Console.java:363)
	at io.trino.cli.Console.executeCommand(Console.java:318)
	at io.trino.cli.Console.run(Console.java:182)
	at io.trino.cli.Console.call(Console.java:109)
	at io.trino.cli.Console.call(Console.java:79)
	at picocli.CommandLine.executeUserObject(CommandLine.java:2041)
	at picocli.CommandLine.access$1500(CommandLine.java:148)
	at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2461)
	at picocli.CommandLine$RunLast.handle(CommandLine.java:2453)
	at picocli.CommandLine$RunLast.handle(CommandLine.java:2415)
	at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2273)
	at picocli.CommandLine$RunLast.execute(CommandLine.java:2417)
	at picocli.CommandLine.execute(CommandLine.java:2170)
	at io.trino.cli.Trino.main(Trino.java:47)
Caused by: javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
	at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1712)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:470)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
	at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
	at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
	at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
	at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
	at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
	at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
	at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
	at io.trino.client.JsonResponse.execute(JsonResponse.java:113)
	... 18 more
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
	at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:101)
	at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
	at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:309)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:183)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:198)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
	... 37 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
	at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
	at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
	at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
	at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:98)
	... 53 more
After fix
bash-5.1# java -Djavax.net.debug=ssl -jar ./modified-trino-cli-428-executable.jar \
  --server https://<Trino>:443 \
  --use-system-truststore \
  --user test_user --debug \
  --keystore-path=./client_keystore.pem \
  --execute="select 1"
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:12.421 JST|SSLCipher.java:466|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:12.433 JST|SSLCipher.java:466|jdk.tls.keyLimits:  entry =  ChaCha20-Poly1305 KeyUpdate 2^37. CHACHA20-POLY1305:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:12.944 JST|SSLCipher.java:1870|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:12.946 JST|SSLCipher.java:2024|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:12.977 JST|SSLCipher.java:1870|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:12.981 JST|SSLCipher.java:2024|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:13.102 JST|SSLCipher.java:1870|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:13.103 JST|SSLCipher.java:2024|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:13.108 JST|SSLCipher.java:1870|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|ALL|10|main|2023-10-12 08:49:13.110 JST|X509Authentication.java:249|No X.509 cert selected for EC
javax.net.ssl|ALL|10|main|2023-10-12 08:49:13.110 JST|X509Authentication.java:249|No X.509 cert selected for EC
javax.net.ssl|ALL|10|main|2023-10-12 08:49:13.110 JST|X509Authentication.java:249|No X.509 cert selected for EC
javax.net.ssl|ALL|10|main|2023-10-12 08:49:13.111 JST|X509Authentication.java:249|No X.509 cert selected for EdDSA
javax.net.ssl|ALL|10|main|2023-10-12 08:49:13.111 JST|X509Authentication.java:249|No X.509 cert selected for EdDSA
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:13.123 JST|SSLCipher.java:2024|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
"1"
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:13.385 JST|SSLSocketImpl.java:577|duplex close of SSLSocket
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:13.402 JST|SSLSocketImpl.java:1785|close the SSL connection (passive)
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:13.403 JST|SSLSocketImpl.java:577|duplex close of SSLSocket
javax.net.ssl|DEBUG|10|main|2023-10-12 08:49:13.423 JST|SSLSocketImpl.java:1785|close the SSL connection (passive)
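
The two initialisation paths contrasted in the description, reproduced as an added example that is not part of the pull request or of Trino's code. The class and method names are hypothetical, and the JDK is assumed to ship a populated default truststore; `requireTrustAnchors` is one possible startup check, not something the PR adds.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added illustration, not Trino code; class and method names are hypothetical.
public class TrustStoreInitDemo {

    // Returns the X509TrustManager the default TrustManagerFactory builds for
    // `store`. A null store asks the provider for the JDK default truststore.
    static X509TrustManager trustManagerFor(KeyStore store) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Startup guard: reject a trust manager with zero anchors before any
    // handshake, so the failure names the configuration instead of surfacing
    // as an SSLException deep inside the TLS stack.
    static X509TrustManager requireTrustAnchors(X509TrustManager tm, String source) {
        if (tm.getAcceptedIssuers().length == 0) {
            throw new IllegalStateException(source + " produced no trust anchors");
        }
        return tm;
    }

    // Runs the same server-certificate check a TLS handshake performs and
    // returns the failure message, or null if the check passed.
    static String validationFailure(X509TrustManager tm, X509Certificate cert) {
        try {
            tm.checkServerTrusted(new X509Certificate[] {cert}, "RSA");
            return null;
        } catch (Exception e) { // CertificateException or a RuntimeException wrapper
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Path the description calls correct: null selects the JDK default store.
        X509TrustManager defaults = trustManagerFor(null);
        X509Certificate[] anchors = defaults.getAcceptedIssuers();
        System.out.println("init((KeyStore) null): " + anchors.length + " trusted issuers");

        // Path the description says the CLI was taking: load(null, null)
        // creates an empty in-memory store, so the factory gets no anchors.
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        X509TrustManager fromEmpty = trustManagerFor(empty);
        System.out.println("init(empty store): "
                + fromEmpty.getAcceptedIssuers().length + " trusted issuers");

        // Any certificate will do as input: with no anchors the validator
        // cannot even be constructed, which is the error in the "Before fix" log.
        if (anchors.length > 0) {
            System.out.println("check against empty store: "
                    + validationFailure(fromEmpty, anchors[0]));
        }

        try {
            requireTrustAnchors(fromEmpty, "empty KeyStore");
        } catch (IllegalStateException e) {
            System.out.println("guard: " + e.getMessage());
        }
    }
}
```

Note that `tmf.init(empty)` itself succeeds; the empty anchor set only fails once a certificate chain is validated, which is why the CLI started normally and broke at the first HTTPS request.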

@cla-bot cla-bot bot added the cla-signed label Oct 11, 2023

This pull request has gone a while without any activity. Tagging the Trino developer relations team: @bitsondatadev @colebow @mosabua

@github-actions github-actions bot added the stale label Jan 10, 2024
Member

mosabua commented Jan 11, 2024

I am not an expert here but I think this looks good. Could you maybe check @electrum or @dain ?

@github-actions github-actions bot removed the stale label Jan 12, 2024

github-actions bot commented Feb 2, 2024

This pull request has gone a while without any activity. Tagging the Trino developer relations team: @bitsondatadev @colebow @mosabua

@github-actions github-actions bot added the stale label Feb 2, 2024
Member

mosabua commented Feb 2, 2024

@dain @electrum .. any chance to look?

@github-actions github-actions bot removed the stale label Feb 5, 2024

This pull request has gone a while without any activity. Tagging the Trino developer relations team: @bitsondatadev @colebow @mosabua

@github-actions github-actions bot added the stale label Feb 28, 2024

Closing this pull request, as it has been stale for six weeks. Feel free to re-open at any time.

@github-actions github-actions bot closed this Mar 21, 2024
Member

mosabua commented Mar 27, 2024

This should be fine to merge .. reopening so @electrum or @dain can chime in

@mosabua mosabua reopened this Mar 27, 2024
@mosabua mosabua requested review from electrum and dain March 27, 2024 23:42
@github-actions github-actions bot removed the stale label Mar 28, 2024

This pull request has gone a while without any activity. Tagging the Trino developer relations team: @bitsondatadev @colebow @mosabua

@github-actions github-actions bot added the stale label Apr 19, 2024
@mosabua mosabua added stale-ignore Use this label on PRs that should be ignored by the stale bot so they are not flagged or closed. and removed stale labels Apr 30, 2024
Member

@electrum electrum left a comment

Apologies for the long delay in reviewing. I missed this one.

trustStore.load(null, null);
KeyStore trustStore;
if (systemTrustStoreType.isPresent()) {
trustStore = KeyStore.getInstance(systemTrustStoreType.orElseGet(KeyStore::getDefaultType));
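
Review bot: at `KeyStore trustStore;` nothing says what the variable holds when `systemTrustStoreType` is empty, and that case is the whole point of the change. A short comment on the declaration stating that the unset branch must reach `trustManagerFactory.init` with the JDK default truststore, not with a store created by `load(null, null)`, would keep a later refactor from reintroducing the empty-store path. A test that covers the unset case would pin the behaviour down.
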
Member

We shouldn't need the .orElseGet() since the value is known to be present here, so this can be just .get()

@oneonestar oneonestar force-pushed the fix_system_truststore branch from 3259fe8 to ee3728f Compare December 24, 2024 07:25
@oneonestar oneonestar marked this pull request as draft December 24, 2024 07:31
@oneonestar
Member Author

Could conflict with #22341. Need some time to investigate.

@oneonestar oneonestar force-pushed the fix_system_truststore branch 4 times, most recently from 8f90ae2 to 493bf66 Compare December 25, 2024 04:05
@oneonestar oneonestar force-pushed the fix_system_truststore branch from 493bf66 to f48be2c Compare December 25, 2024 04:06
@oneonestar oneonestar marked this pull request as ready for review December 25, 2024 04:07
Labels
cla-signed stale-ignore Use this label on PRs that should be ignored by the stale bot so they are not flagged or closed.
Development

Successfully merging this pull request may close these issues.

--use-system-truststore won't use default Java truststore
3 participants