JDK-8189357 : Release Note: TLS does not work by default on OpenJDK 9
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 9
  • Priority: P2
  • Status: Resolved
  • Resolution: Delivered
  • Submitted: 2017-10-16
  • Updated: 2017-12-20
  • Resolved: 2017-12-13

The OpenJDK 9 binary for Linux x64 contains an empty `cacerts` keystore. This prevents TLS connections from being established because there are no Trusted Root Certificate Authorities installed. You may see an exception like the following:

`javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty` 

As a workaround, users can set the `javax.net.ssl.trustStore` System Property to use a different keystore. For example, the `ca-certificates` package on Oracle Linux 7 contains the set of Root CA certificates chosen by the Mozilla Foundation for use with the Internet PKI. This package installs a trust store at `/etc/pki/java/cacerts`, which can be used by OpenJDK 9. 

Only the OpenJDK 64-bit Linux download is impacted. This issue does not apply to any Oracle JRE/JDK download.

Progress on open-sourcing the Oracle JDK Root CAs can be tracked through the issue JDK-8189131.
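
The following diagnostic is an added example, not part of the original release note or of the JDK. It counts the trust anchors in the store JSSE would load by default and, if there are none, checks whether the `/etc/pki/java/cacerts` store mentioned above is usable. The class name `TrustStoreCheck` is hypothetical, and the store password is assumed to be the conventional default `changeit` unless `javax.net.ssl.trustStorePassword` is set.

```java
import java.io.File;
import java.security.KeyStore;
import java.util.Collections;

public class TrustStoreCheck {
    // Path named in the release note (Oracle Linux 7 ca-certificates package).
    static final String FALLBACK = "/etc/pki/java/cacerts";

    // Number of trusted-certificate entries in a keystore file.
    static int countTrustAnchors(File file, char[] password) throws Exception {
        // Java 9+ overload that detects the keystore type (JKS or PKCS12).
        KeyStore ks = KeyStore.getInstance(file, password);
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) n++;
        }
        return n;
    }

    // The file JSSE uses by default: the system property if set, else
    // jssecacerts if present, else cacerts under java.home/lib/security.
    static File defaultTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return new File(prop);
        File dir = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(dir, "jssecacerts");
        return jsse.exists() ? jsse : new File(dir, "cacerts");
    }

    public static void main(String[] args) throws Exception {
        // Assumption: stores use the conventional default password.
        char[] pw = System.getProperty(
                "javax.net.ssl.trustStorePassword", "changeit").toCharArray();
        File active = defaultTrustStore();
        int anchors = countTrustAnchors(active, pw);
        System.out.println(active + ": " + anchors + " trust anchors");
        if (anchors > 0) return; // default store is populated, nothing to do

        // An empty store is what produces "trustAnchors parameter must be non-empty".
        File fallback = new File(args.length > 0 ? args[0] : FALLBACK);
        if (fallback.isFile() && countTrustAnchors(fallback, pw) > 0) {
            System.out.println("Workaround: java -Djavax.net.ssl.trustStore="
                    + fallback + " ...");
        } else {
            System.out.println("No usable trust store at " + fallback);
        }
    }
}
```

Run it with the affected JDK's own `java` launcher so that `java.home` points at the installation being checked; a different fallback path can be passed as the first argument.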
I am re-opening this task to update release notes.