
Opened 4 months ago

Last modified 4 weeks ago

#14652 new enhancement

Remove Let's Encrypt certificate

Reported by: Don-vip
Owned by: team
Priority: normal
Milestone: 17.12
Component: Core
Version:
Keywords: certificate lets encrypt root ca
Cc:

Description

We added DST_Root_CA_X3 CA (see #12264) in March 2016 because this CA was massively adopted on the web but Java was lagging behind everyone.

Java does support Let's Encrypt now, since 8u101 released in July 2016.

Looking at usage statistics, 82.5% of our users use a compatible version (as of April 2017):

J        649 ( 5.7%) Java/1.8.0_101
J        120 ( 1.1%) Java/1.8.0_102
J       1124 ( 9.9%) Java/1.8.0_111
J        103 ( 0.9%) Java/1.8.0_112
J       7366 (64.9%) Java/1.8.0_121

And 17% do not:

J          9 ( 0.1%) Java/1.8.0
J         17 ( 0.1%) Java/1.8.0_05
J          9 ( 0.1%) Java/1.8.0_11
J         22 ( 0.2%) Java/1.8.0_20
J        122 ( 1.1%) Java/1.8.0_25
J        144 ( 1.3%) Java/1.8.0_31
J         56 ( 0.5%) Java/1.8.0_40
J        126 ( 1.1%) Java/1.8.0_45
J         81 ( 0.7%) Java/1.8.0_51
J        129 ( 1.1%) Java/1.8.0_60
J         96 ( 0.8%) Java/1.8.0_65
J        246 ( 2.2%) Java/1.8.0_66
J         52 ( 0.5%) Java/1.8.0_71
J          6 ( 0.1%) Java/1.8.0_72
J         97 ( 0.9%) Java/1.8.0_73
J         41 ( 0.4%) Java/1.8.0_74
J        141 ( 1.2%) Java/1.8.0_77
J        461 ( 4.1%) Java/1.8.0_91
J         62 ( 0.5%) Java/1.8.0_92

We should remove it when the percentage of impacted users drops to a very small number (<5% ?).


Change History (14)

comment:1 Changed 4 months ago by stoecker

Did you check for all or only for Windows users?

comment:2 Changed 4 months ago by Don-vip

Type: defect → enhancement

comment:3 Changed 4 months ago by Don-vip

I just checked the version, so all users. Indeed it does only affect Windows and Mac users, so the real percentage is a bit lower than 17%. Do we have a command line option to filter by OS?

comment:4 Changed 4 months ago by stoecker

Yes: grep "\(Mac\|Windows\).*Java" /home/josm/trac/log/trac.log |./checkjosm -F 9995 -j 8 /dev/stdin

Last edited 4 weeks ago by Don-vip

comment:5 Changed 4 months ago by Don-vip

OK so this gives 20.3% of Windows/Mac users not compatible:

J         15 ( 0.2%) Java/1.8.0_05
J          7 ( 0.1%) Java/1.8.0_11
J         21 ( 0.2%) Java/1.8.0_20
J        116 ( 1.3%) Java/1.8.0_25
J        146 ( 1.7%) Java/1.8.0_31
J         54 ( 0.6%) Java/1.8.0_40
J        125 ( 1.4%) Java/1.8.0_45
J         77 ( 0.9%) Java/1.8.0_51
J        125 ( 1.4%) Java/1.8.0_60
J         94 ( 1.1%) Java/1.8.0_65
J        239 ( 2.8%) Java/1.8.0_66
J         49 ( 0.6%) Java/1.8.0_71
J         91 ( 1.1%) Java/1.8.0_73
J         38 ( 0.4%) Java/1.8.0_74
J        103 ( 1.2%) Java/1.8.0_77
J        399 ( 4.6%) Java/1.8.0_91
J         57 ( 0.7%) Java/1.8.0_92

and 79.5% compatible:

J        604 ( 7.0%) Java/1.8.0_101
J        103 ( 1.2%) Java/1.8.0_102
J        913 (10.5%) Java/1.8.0_111
J         88 ( 1.0%) Java/1.8.0_112
J       5179 (59.8%) Java/1.8.0_121

100% of Linux users are compatible :)

comment:6 Changed 4 months ago by bastiK

What are the sites that currently use Let's Encrypt? I.e. how noticeable will it be for those users if we drop the certificate?

comment:7 Changed 4 months ago by stoecker

From our Maps? Maybe nearly none? Anyway I think offering the chance to use a free certificate is worth the effort we do. I don't want to have large barriers for TLS usage and DANE for https is way into the future.

comment:8 in reply to: 7 Changed 4 months ago by bastiK

Replying to stoecker:

> From our Maps?

Any URL a user might want to load from JOSM.

> Anyway I think offering the chance to use a free certificate is worth the effort we do. I don't want to have large barriers for TLS usage and DANE for https is way into the future.

Sure, but the circumstances have changed as Let's Encrypt certificate is now shipped with Java 8u101 and later. There is a value in getting rid of our custom certificate patches.

If Let's Encrypt isn't used really at the moment, then by the time it gets adopted by a heavily frequented server (say openstreetmap.org or overpass-api.de) almost everyone will have updated their Java version. (If not, we can ask them to do so.)

comment:9 in reply to: 8 Changed 4 months ago by stoecker

Replying to bastiK:

> Replying to stoecker:
>
> > From our Maps?
>
> Any URL a user might want to load from JOSM.

Well, overpass-api.de

> > Anyway I think offering the chance to use a free certificate is worth the effort we do. I don't want to have large barriers for TLS usage and DANE for https is way into the future.
>
> Sure, but the circumstances have changed as Let's Encrypt certificate is now shipped with Java 8u101 and later. There is a value in getting rid of our custom certificate patches.
>
> If Let's Encrypt isn't used really at the moment, then by the time it gets adopted by a heavily frequented server (say openstreetmap.org or overpass-api.de) almost everyone will have updated their Java version. (If not, we can ask them to do so.)

As there is no real reason to remove it from our code except a feeling of "keeping code clean" there is no need to hurry in any way. We'll reevaluate in August and if not reasonable then in December and so on. Having it added does no harm, as it follows the guidelines of other software and even Java. We did not make our own rules.

comment:10 in reply to:  9 Changed 4 months ago by bastiK

Replying to stoecker:

> Replying to bastiK:
>
> > Any URL a user might want to load from JOSM.
>
> Well, overpass-api.de

Okay, then we have a good reason to keep it in for now.

comment:11 Changed 3 months ago by Don-vip

In 12219/josm:

see #14652 - ask Windows/macOS users to update their version of Java when it expires (i.e. when the built-in JRE expiration date is passed, about 4 months after release, 1 month after Java should have asked to update by itself). It currently proposes to update all versions of Java 8 up to update 121, released on January 17, 2017, as its expiration date is May 18, 2017.

comment:12 Changed 3 months ago by Don-vip

Stats update:

16.9% not compatible:

J          6 ( 0.1%) Java/1.8.0
J          9 ( 0.2%) Java/1.8.0_05
J         15 ( 0.3%) Java/1.8.0_11
J          7 ( 0.1%) Java/1.8.0_20
J          1 ( 0.0%) Java/1.8.0_20-ea
J         95 ( 2.0%) Java/1.8.0_25
J         86 ( 1.8%) Java/1.8.0_31
J         41 ( 0.9%) Java/1.8.0_40
J         52 ( 1.1%) Java/1.8.0_45
J         31 ( 0.7%) Java/1.8.0_51
J         43 ( 0.9%) Java/1.8.0_60
J         37 ( 0.8%) Java/1.8.0_65
J         77 ( 1.6%) Java/1.8.0_66
J         24 ( 0.5%) Java/1.8.0_71
J          5 ( 0.1%) Java/1.8.0_72
J         43 ( 0.9%) Java/1.8.0_73
J         19 ( 0.4%) Java/1.8.0_74
J         48 ( 1.0%) Java/1.8.0_77
J        139 ( 2.9%) Java/1.8.0_91
J          9 ( 0.2%) Java/1.8.0_92

83.1% compatible:

J        221 ( 4.7%) Java/1.8.0_101
J         46 ( 1.0%) Java/1.8.0_102
J        322 ( 6.8%) Java/1.8.0_111
J         39 ( 0.8%) Java/1.8.0_112
J        860 (18.2%) Java/1.8.0_121
J       2438 (51.6%) Java/1.8.0_131

It should speed up this month thanks to r12219 suggesting that people update their old versions of Java.

comment:13 Changed 5 weeks ago by Don-vip

JDK 8u141 has added new Let's Encrypt root CA:

ISRG Root X1 
alias: letsencryptisrgx1 
DN: CN=ISRG Root X1, O=Internet Security Research Group, C=US
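
The question this ticket turns on is whether a given JRE already trusts the Let's Encrypt roots on its own, without the bundled certificate. The following is an added example, not JOSM code or part of the ticket; the class name `LetsEncryptRootCheck` and the match on common name only are assumptions of this example, and the CN spelling `DST Root CA X3` is taken from the certificate itself rather than from this page.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class LetsEncryptRootCheck { // hypothetical class name
    // Common names of the two roots discussed in the ticket.
    static final List<String> ROOTS = Arrays.asList("DST Root CA X3", "ISRG Root X1");

    // Return the CN attribute of the certificate's subject DN, or null if it has none.
    static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return String.valueOf(rdn.getValue());
            }
        }
        return null;
    }

    // Map each root CN to whether the default trust store lists it as an accepted issuer.
    // Matching on CN is enough for an inventory; it is not a substitute for a fingerprint check.
    static Map<String, Boolean> check() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JRE default trust store (cacerts)
        Map<String, Boolean> found = new LinkedHashMap<>();
        for (String root : ROOTS) found.put(root, false);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                String cn = commonName(ca);
                if (cn != null && found.containsKey(cn)) found.put(cn, true);
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        check().forEach((cn, ok) -> System.out.println(cn + ": " + (ok ? "trusted" : "missing")));
    }
}
```

Setting the `javax.net.ssl.trustStore` system property replaces the default store, so run this without that property to see what the JRE itself ships.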

comment:14 Changed 4 weeks ago by Don-vip

Milestone: 17.08 → 17.12

Stats update (grep "\(Mac\|Windows\).*Java" /home/josm/trac/log/trac.log |./checkjosm -F 9995 -j 8 /dev/stdin):

14.1% not compatible:

J         11 ( 0.1%) Java/1.8.0_05
J          7 ( 0.1%) Java/1.8.0_11
J         38 ( 0.3%) Java/1.8.0_20
J        125 ( 1.1%) Java/1.8.0_25
J        144 ( 1.3%) Java/1.8.0_31
J         44 ( 0.4%) Java/1.8.0_40
J        153 ( 1.4%) Java/1.8.0_45
J         56 ( 0.5%) Java/1.8.0_51
J        119 ( 1.1%) Java/1.8.0_60
J         94 ( 0.9%) Java/1.8.0_65
J        179 ( 1.6%) Java/1.8.0_66
J         45 ( 0.4%) Java/1.8.0_71
J         15 ( 0.1%) Java/1.8.0_72
J         85 ( 0.8%) Java/1.8.0_73
J         15 ( 0.1%) Java/1.8.0_74
J        116 ( 1.1%) Java/1.8.0_77
J        248 ( 2.3%) Java/1.8.0_91
J         51 ( 0.5%) Java/1.8.0_92

85.9% compatible:

J        323 ( 2.9%) Java/1.8.0_101
J         62 ( 0.6%) Java/1.8.0_102
J        433 ( 3.9%) Java/1.8.0_111
J         57 ( 0.5%) Java/1.8.0_112
J        922 ( 8.4%) Java/1.8.0_121
J       3613 (32.8%) Java/1.8.0_131
J       3504 (31.9%) Java/1.8.0_141
J        515 ( 4.7%) Java/1.8.0_144

The adoption rate is way too slow. Pushing it to December.
