
Opened 2 weeks ago

Last modified 2 weeks ago

#14652 new enhancement

Remove Let's Encrypt certificate

Reported by: Don-vip
Owned by: team
Priority: normal
Milestone: 17.08
Component: Core
Version:
Keywords: certificate lets encrypt root ca
Cc:

Description

We added DST_Root_CA_X3 CA (see #12264) in March 2016 because this CA was massively adopted on the web but Java was lagging behind everyone.

Java does support Let's Encrypt now, since 8u101 released in July 2016.

Looking at usage statistics, 82.5% of our users use a compatible version (as of April 2017):

J        649 ( 5.7%) Java/1.8.0_101
J        120 ( 1.1%) Java/1.8.0_102
J       1124 ( 9.9%) Java/1.8.0_111
J        103 ( 0.9%) Java/1.8.0_112
J       7366 (64.9%) Java/1.8.0_121

And 17% do not:

J          9 ( 0.1%) Java/1.8.0
J         17 ( 0.1%) Java/1.8.0_05
J          9 ( 0.1%) Java/1.8.0_11
J         22 ( 0.2%) Java/1.8.0_20
J        122 ( 1.1%) Java/1.8.0_25
J        144 ( 1.3%) Java/1.8.0_31
J         56 ( 0.5%) Java/1.8.0_40
J        126 ( 1.1%) Java/1.8.0_45
J         81 ( 0.7%) Java/1.8.0_51
J        129 ( 1.1%) Java/1.8.0_60
J         96 ( 0.8%) Java/1.8.0_65
J        246 ( 2.2%) Java/1.8.0_66
J         52 ( 0.5%) Java/1.8.0_71
J          6 ( 0.1%) Java/1.8.0_72
J         97 ( 0.9%) Java/1.8.0_73
J         41 ( 0.4%) Java/1.8.0_74
J        141 ( 1.2%) Java/1.8.0_77
J        461 ( 4.1%) Java/1.8.0_91
J         62 ( 0.5%) Java/1.8.0_92

We should remove it when the percentage of impacted users drops to a very small number (<5% ?).

Attachments (0)
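The ticket's removal criterion (share of users on a Java older than 8u101, compared against the proposed 5% threshold) can be recomputed from report lines in the format quoted above. This is an added example, not part of the ticket or of JOSM's tooling; the function names are hypothetical, the sample is a subset of the quoted lines plus one constructed malformed line, and the share is taken over the parsed lines only.

```python
import re

# Per the ticket, Java 8u101 is the first update that supports Let's Encrypt.
MIN_UPDATE = 101

# One report line looks like: "J        649 ( 5.7%) Java/1.8.0_101"
LINE_RE = re.compile(
    r"^\s*J\s+(\d+)\s+\(\s*[\d.]+%\)\s+Java/1\.8\.0(?:_(\d+))?\s*$")

# Subset of the lines quoted in the ticket description, plus one constructed
# malformed line to show how unparseable input is reported.
SAMPLE = """\
J          9 ( 0.1%) Java/1.8.0
J        246 ( 2.2%) Java/1.8.0_66
J        461 ( 4.1%) Java/1.8.0_91
J         62 ( 0.5%) Java/1.8.0_92
J        649 ( 5.7%) Java/1.8.0_101
J        120 ( 1.1%) Java/1.8.0_102
J       1124 ( 9.9%) Java/1.8.0_111
J        103 ( 0.9%) Java/1.8.0_112
J       7366 (64.9%) Java/1.8.0_121
J        ??? (constructed malformed line)
"""


def classify(report, min_update=MIN_UPDATE):
    """Sum user counts below / at-or-above min_update; collect skipped lines."""
    impacted = compatible = 0
    skipped = []
    for line in report.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped.append(line)  # report unparseable input, never drop it silently
            continue
        count = int(m.group(1))
        update = int(m.group(2) or 0)  # "1.8.0" without a suffix is update 0
        if update >= min_update:
            compatible += count
        else:
            impacted += count
    return impacted, compatible, skipped


def impacted_share(report, min_update=MIN_UPDATE):
    """Fraction of counted users whose Java predates min_update."""
    impacted, compatible, _ = classify(report, min_update)
    total = impacted + compatible
    return impacted / total if total else 0.0
```
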

Change History (10)

comment:1 Changed 2 weeks ago by stoecker

Did you check for all or only for Windows users?

comment:2 Changed 2 weeks ago by Don-vip

Type: defect → enhancement

comment:3 Changed 2 weeks ago by Don-vip

I just checked the version, so all users. Indeed it does only affect Windows and Mac users, so the real percentage is a bit lower than 17%. Do we have a command line option to filter by OS?

comment:4 Changed 2 weeks ago by stoecker

Yes: grep "\(Mac\|Windows\).*Java" /home/josm/trac/log/trac.log |./checkjosm -j 8 /dev/stdin

Last edited 2 weeks ago by Don-vip

comment:5 Changed 2 weeks ago by Don-vip

OK so this gives 20.3% of Windows/Mac users not compatible:

J         15 ( 0.2%) Java/1.8.0_05
J          7 ( 0.1%) Java/1.8.0_11
J         21 ( 0.2%) Java/1.8.0_20
J        116 ( 1.3%) Java/1.8.0_25
J        146 ( 1.7%) Java/1.8.0_31
J         54 ( 0.6%) Java/1.8.0_40
J        125 ( 1.4%) Java/1.8.0_45
J         77 ( 0.9%) Java/1.8.0_51
J        125 ( 1.4%) Java/1.8.0_60
J         94 ( 1.1%) Java/1.8.0_65
J        239 ( 2.8%) Java/1.8.0_66
J         49 ( 0.6%) Java/1.8.0_71
J         91 ( 1.1%) Java/1.8.0_73
J         38 ( 0.4%) Java/1.8.0_74
J        103 ( 1.2%) Java/1.8.0_77
J        399 ( 4.6%) Java/1.8.0_91
J         57 ( 0.7%) Java/1.8.0_92

and 79.5% compatible:

J        604 ( 7.0%) Java/1.8.0_101
J        103 ( 1.2%) Java/1.8.0_102
J        913 (10.5%) Java/1.8.0_111
J         88 ( 1.0%) Java/1.8.0_112
J       5179 (59.8%) Java/1.8.0_121

100% of Linux users are compatible :)

comment:6 Changed 2 weeks ago by bastiK

What are currently the sites that use Let's encrypt? I.e. how noticeable will it be for those users if we drop the certificate?

comment:7 Changed 2 weeks ago by stoecker

From our Maps? Maybe nearly none? Anyway I think offering the chance to use a free certificate is worth the effort we do. I don't want to have large barriers for TLS usage and DANE for https is way into the future.

comment:8 in reply to:  7 ; Changed 2 weeks ago by bastiK

Replying to stoecker:

> From our Maps?

Any URL a user might want to load from JOSM.

> Anyway I think offering the chance to use a free certificate is worth the effort we do. I don't want to have large barriers for TLS usage and DANE for https is way into the future.

Sure, but the circumstances have changed as Let's Encrypt certificate is now shipped with Java 8u101 and later. There is a value in getting rid of our custom certificate patches.

If Let's Encrypt isn't used really at the moment, then by the time it gets adopted by a heavily frequented server (say openstreetmap.org or overpass-api.de) almost everyone will have updated their Java version. (If not, we can ask them to do so.)

comment:9 in reply to:  8 ; Changed 2 weeks ago by stoecker

Replying to bastiK:

> Replying to stoecker:
>
> > From our Maps?
>
> Any URL a user might want to load from JOSM.

Well, overpass-api.de

> > Anyway I think offering the chance to use a free certificate is worth the effort we do. I don't want to have large barriers for TLS usage and DANE for https is way into the future.
>
> Sure, but the circumstances have changed as Let's Encrypt certificate is now shipped with Java 8u101 and later. There is a value in getting rid of our custom certificate patches.
>
> If Let's Encrypt isn't used really at the moment, then by the time it gets adopted by a heavily frequented server (say openstreetmap.org or overpass-api.de) almost everyone will have updated their Java version. (If not, we can ask them to do so.)

As there is no real reason to remove it from our code except a feeling of "keeping code clean" there is no need to hurry in any way. We'll reevaluate in August and if not reasonable then in December and so on. Having it added does no harm, as it follows the guidelines of other software and even Java. We did not make our own rules.

comment:10 in reply to:  9 Changed 2 weeks ago by bastiK

Replying to stoecker:

> Replying to bastiK:
>
> > Any URL a user might want to load from JOSM.
>
> Well, overpass-api.de

Okay, then we have a good reason to keep it in for now.
