#14652 closed enhancement (fixed)
Remove Let's Encrypt certificate
Reported by: | Don-vip | Owned by: | team |
---|---|---|---|
Priority: | normal | Milestone: | 18.04 |
Component: | Core | Version: | |
Keywords: | certificate lets encrypt root ca | Cc: |
Description
We added DST_Root_CA_X3 CA (see #12264) in March 2016 because this CA was massively adopted on the web but Java was lagging behind everyone.
Java does support Let's Encrypt now, since 8u101 released in July 2016.
Looking at usage statistics, 82.5% of our users use a compatible version (as of April 2017):
```
J 649 ( 5.7%) Java/1.8.0_101
J 120 ( 1.1%) Java/1.8.0_102
J 1124 ( 9.9%) Java/1.8.0_111
J 103 ( 0.9%) Java/1.8.0_112
J 7366 (64.9%) Java/1.8.0_121
```
And 17% do not:
```
J 9 ( 0.1%) Java/1.8.0
J 17 ( 0.1%) Java/1.8.0_05
J 9 ( 0.1%) Java/1.8.0_11
J 22 ( 0.2%) Java/1.8.0_20
J 122 ( 1.1%) Java/1.8.0_25
J 144 ( 1.3%) Java/1.8.0_31
J 56 ( 0.5%) Java/1.8.0_40
J 126 ( 1.1%) Java/1.8.0_45
J 81 ( 0.7%) Java/1.8.0_51
J 129 ( 1.1%) Java/1.8.0_60
J 96 ( 0.8%) Java/1.8.0_65
J 246 ( 2.2%) Java/1.8.0_66
J 52 ( 0.5%) Java/1.8.0_71
J 6 ( 0.1%) Java/1.8.0_72
J 97 ( 0.9%) Java/1.8.0_73
J 41 ( 0.4%) Java/1.8.0_74
J 141 ( 1.2%) Java/1.8.0_77
J 461 ( 4.1%) Java/1.8.0_91
J 62 ( 0.5%) Java/1.8.0_92
```
We should remove it when the percentage of impacted users drops to a very small number (<5% ?).
Change History (19)
comment:1 by , 8 years ago
comment:2 by , 8 years ago
Type: | defect → enhancement |
---|
comment:3 by , 8 years ago
I just checked the version, so all users. Indeed it does only affect Windows and Mac users, so the real percentage is a bit lower than 17%. Do we have a command line option to filter by OS?
comment:4 by , 8 years ago
Yes: grep "\(Mac\|Windows\).*Java" /home/josm/trac/log/trac.log |./checkjosm -F 9995 -j 8 /dev/stdin
comment:5 by , 8 years ago
OK so this gives 20.3% of Windows/Mac users not compatible:
```
J 15 ( 0.2%) Java/1.8.0_05
J 7 ( 0.1%) Java/1.8.0_11
J 21 ( 0.2%) Java/1.8.0_20
J 116 ( 1.3%) Java/1.8.0_25
J 146 ( 1.7%) Java/1.8.0_31
J 54 ( 0.6%) Java/1.8.0_40
J 125 ( 1.4%) Java/1.8.0_45
J 77 ( 0.9%) Java/1.8.0_51
J 125 ( 1.4%) Java/1.8.0_60
J 94 ( 1.1%) Java/1.8.0_65
J 239 ( 2.8%) Java/1.8.0_66
J 49 ( 0.6%) Java/1.8.0_71
J 91 ( 1.1%) Java/1.8.0_73
J 38 ( 0.4%) Java/1.8.0_74
J 103 ( 1.2%) Java/1.8.0_77
J 399 ( 4.6%) Java/1.8.0_91
J 57 ( 0.7%) Java/1.8.0_92
```
and 79.5% compatible:
```
J 604 ( 7.0%) Java/1.8.0_101
J 103 ( 1.2%) Java/1.8.0_102
J 913 (10.5%) Java/1.8.0_111
J 88 ( 1.0%) Java/1.8.0_112
J 5179 (59.8%) Java/1.8.0_121
```
100% of Linux users are compatible :)
comment:6 by , 8 years ago
What are currently the sites that use Let's encrypt? I.e. how noticeable will it be for those users if we drop the certificate?
follow-up: 8 comment:7 by , 8 years ago
From our Maps? Maybe nearly none? Anyway I think offering the chance to use a free certificate is worth the effort we do. I don't want to have large barriers for TLS usage and DANE for https is way into the future.
follow-up: 9 comment:8 by , 8 years ago
Replying to stoecker:

> From our Maps?

Any URL a user might want to load from JOSM.

> Anyway I think offering the chance to use a free certificate is worth the effort we do. I don't want to have large barriers for TLS usage and DANE for https is way into the future.

Sure, but the circumstances have changed as Let's Encrypt certificate is now shipped with Java 8u101 and later. There is a value in getting rid of our custom certificate patches.
If Let's Encrypt isn't used really at the moment, then by the time it gets adopted by a heavily frequented server (say openstreetmap.org or overpass-api.de) almost everyone will have updated their Java version. (If not, we can ask them to do so.)
follow-up: 10 comment:9 by , 8 years ago
Replying to bastiK:

> Replying to stoecker:
>
> > From our Maps?
>
> Any URL a user might want to load from JOSM.

Well, overpass-api.de

> > Anyway I think offering the chance to use a free certificate is worth the effort we do. I don't want to have large barriers for TLS usage and DANE for https is way into the future.
>
> Sure, but the circumstances have changed as Let's Encrypt certificate is now shipped with Java 8u101 and later. There is a value in getting rid of our custom certificate patches.
> If Let's Encrypt isn't used really at the moment, then by the time it gets adopted by a heavily frequented server (say openstreetmap.org or overpass-api.de) almost everyone will have updated their Java version. (If not, we can ask them to do so.)

As there is no real reason to remove it from our code except a feeling of "keeping code clean" there is no need to hurry in any way. We'll reevaluate in August and if not reasonable then in December and so on. Having it added does no harm, as it follows the guidelines of other software and even Java. We did not make our own rules.
comment:10 by , 8 years ago
comment:12 by , 8 years ago
Stats update:
16.9% not compatible:
```
J 6 ( 0.1%) Java/1.8.0
J 9 ( 0.2%) Java/1.8.0_05
J 15 ( 0.3%) Java/1.8.0_11
J 7 ( 0.1%) Java/1.8.0_20
J 1 ( 0.0%) Java/1.8.0_20-ea
J 95 ( 2.0%) Java/1.8.0_25
J 86 ( 1.8%) Java/1.8.0_31
J 41 ( 0.9%) Java/1.8.0_40
J 52 ( 1.1%) Java/1.8.0_45
J 31 ( 0.7%) Java/1.8.0_51
J 43 ( 0.9%) Java/1.8.0_60
J 37 ( 0.8%) Java/1.8.0_65
J 77 ( 1.6%) Java/1.8.0_66
J 24 ( 0.5%) Java/1.8.0_71
J 5 ( 0.1%) Java/1.8.0_72
J 43 ( 0.9%) Java/1.8.0_73
J 19 ( 0.4%) Java/1.8.0_74
J 48 ( 1.0%) Java/1.8.0_77
J 139 ( 2.9%) Java/1.8.0_91
J 9 ( 0.2%) Java/1.8.0_92
```
83.1% compatible:
```
J 221 ( 4.7%) Java/1.8.0_101
J 46 ( 1.0%) Java/1.8.0_102
J 322 ( 6.8%) Java/1.8.0_111
J 39 ( 0.8%) Java/1.8.0_112
J 860 (18.2%) Java/1.8.0_121
J 2438 (51.6%) Java/1.8.0_131
```
It should speed up this month thanks to r12219 suggesting people to update their old versions of Java.
comment:13 by , 7 years ago
JDK 8u141 has added new Let's Encrypt root CA:
```
ISRG Root X1
alias: letsencryptisrgx1
DN: CN=ISRG Root X1, O=Internet Security Research Group, C=US
```
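To check on a given runtime whether the bundled certificate is still needed, the following added example (not part of the ticket and not JOSM's code) looks up both Let's Encrypt-related roots in the JRE's default trust store by subject DN. The class name `LetsEncryptRootCheck` and the helper `findRoots` are hypothetical; the ISRG Root X1 DN is the one quoted above, and the DST Root CA X3 DN is that root's published subject, which this page does not spell out.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

// Hypothetical diagnostic class, written for this example.
public class LetsEncryptRootCheck {

    /** Maps each wanted root name to its trust anchor in the default store, or null if absent. */
    static Map<String, X509Certificate> findRoots(Map<String, X500Principal> wanted) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the runtime's default trust store (cacerts)
        Map<String, X509Certificate> found = new LinkedHashMap<>();
        for (String name : wanted.keySet()) found.put(name, null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                for (Map.Entry<String, X500Principal> e : wanted.entrySet()) {
                    // X500Principal.equals compares the canonical form of the DN
                    if (e.getValue().equals(ca.getSubjectX500Principal())) found.put(e.getKey(), ca);
                }
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        Map<String, X500Principal> wanted = new LinkedHashMap<>();
        // Published subject DN of the root named in the description (assumption: not quoted on the page)
        wanted.put("DST Root CA X3", new X500Principal("CN=DST Root CA X3, O=Digital Signature Trust Co."));
        // DN as quoted in comment:13 for the root added in JDK 8u141
        wanted.put("ISRG Root X1",
                new X500Principal("CN=ISRG Root X1, O=Internet Security Research Group, C=US"));

        System.out.println("java.version = " + System.getProperty("java.version"));
        for (Map.Entry<String, X509Certificate> e : findRoots(wanted).entrySet()) {
            X509Certificate ca = e.getValue();
            System.out.println(e.getKey() + ": " + (ca == null
                    ? "NOT in default trust store"
                    : "trusted, expires " + ca.getNotAfter()));
        }
    }
}
```

Run it with the same `java` binary that launches the application; a `javax.net.ssl.trustStore` system property changes which store is inspected.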
comment:14 by , 7 years ago
Milestone: | 17.08 → 17.12 |
---|
Stats update (`grep "\(Mac\|Windows\).*Java" /home/josm/trac/log/trac.log |./checkjosm -F 9995 -j 8 /dev/stdin`):
14.1% not compatible:
```
J 11 ( 0.1%) Java/1.8.0_05
J 7 ( 0.1%) Java/1.8.0_11
J 38 ( 0.3%) Java/1.8.0_20
J 125 ( 1.1%) Java/1.8.0_25
J 144 ( 1.3%) Java/1.8.0_31
J 44 ( 0.4%) Java/1.8.0_40
J 153 ( 1.4%) Java/1.8.0_45
J 56 ( 0.5%) Java/1.8.0_51
J 119 ( 1.1%) Java/1.8.0_60
J 94 ( 0.9%) Java/1.8.0_65
J 179 ( 1.6%) Java/1.8.0_66
J 45 ( 0.4%) Java/1.8.0_71
J 15 ( 0.1%) Java/1.8.0_72
J 85 ( 0.8%) Java/1.8.0_73
J 15 ( 0.1%) Java/1.8.0_74
J 116 ( 1.1%) Java/1.8.0_77
J 248 ( 2.3%) Java/1.8.0_91
J 51 ( 0.5%) Java/1.8.0_92
```
85.9% compatible:
```
J 323 ( 2.9%) Java/1.8.0_101
J 62 ( 0.6%) Java/1.8.0_102
J 433 ( 3.9%) Java/1.8.0_111
J 57 ( 0.5%) Java/1.8.0_112
J 922 ( 8.4%) Java/1.8.0_121
J 3613 (32.8%) Java/1.8.0_131
J 3504 (31.9%) Java/1.8.0_141
J 515 ( 4.7%) Java/1.8.0_144
```
The adoption rate is way too slow. Pushing it to December.
comment:15 by , 7 years ago
Milestone: | 17.12 → 18.04 |
---|
Stats update (`grep "\(Mac\|Windows\).*Java" /home/josm/trac/log/trac.log |./checkjosm -F 9995 -j 8 /dev/stdin`):
12.3% not compatible:
```
J 26 ( 0.3%) Java/1.8.0_05
J 6 ( 0.1%) Java/1.8.0_11
J 28 ( 0.3%) Java/1.8.0_20
J 67 ( 0.8%) Java/1.8.0_25
J 87 ( 1.0%) Java/1.8.0_31
J 44 ( 0.5%) Java/1.8.0_40
J 83 ( 0.9%) Java/1.8.0_45
J 43 ( 0.5%) Java/1.8.0_51
J 84 ( 1.0%) Java/1.8.0_60
J 57 ( 0.7%) Java/1.8.0_65
J 71 ( 0.8%) Java/1.8.0_66
J 26 ( 0.3%) Java/1.8.0_71
J 13 ( 0.1%) Java/1.8.0_72
J 65 ( 0.7%) Java/1.8.0_73
J 14 ( 0.2%) Java/1.8.0_74
J 140 ( 1.6%) Java/1.8.0_77
J 189 ( 2.2%) Java/1.8.0_91
J 22 ( 0.3%) Java/1.8.0_92
```
87.7% compatible:
```
J 320 ( 3.7%) Java/1.8.0_101
J 47 ( 0.5%) Java/1.8.0_102
J 219 ( 2.5%) Java/1.8.0_111
J 29 ( 0.3%) Java/1.8.0_112
J 481 ( 5.5%) Java/1.8.0_121
J 825 ( 9.4%) Java/1.8.0_131
J 286 ( 3.3%) Java/1.8.0_141
J 1399 (16.0%) Java/1.8.0_144
J 3796 (43.4%) Java/1.8.0_151
J 126 ( 1.4%) Java/1.8.0_152
J 5 ( 0.1%) Java/1.8.0_152-ea
J 30 ( 0.3%) Java/9
J 115 ( 1.3%) Java/9.0.1
```
It's just to compare to previous stats with the same criteria. If we consider now only people having updated JOSM in the past 6 months, numbers become:
grep "\(Mac\|Windows\).*Java" /home/josm/trac/log/trac.log |./checkjosm -F 12275 -j 8 /dev/stdin
10.7% not compatible:
```
J 16 ( 0.2%) Java/1.8.0_05
J 4 ( 0.1%) Java/1.8.0_11
J 25 ( 0.3%) Java/1.8.0_20
J 33 ( 0.4%) Java/1.8.0_25
J 73 ( 1.0%) Java/1.8.0_31
J 27 ( 0.4%) Java/1.8.0_40
J 66 ( 0.9%) Java/1.8.0_45
J 40 ( 0.5%) Java/1.8.0_51
J 65 ( 0.9%) Java/1.8.0_60
J 37 ( 0.5%) Java/1.8.0_65
J 54 ( 0.7%) Java/1.8.0_66
J 18 ( 0.2%) Java/1.8.0_71
J 13 ( 0.2%) Java/1.8.0_72
J 54 ( 0.7%) Java/1.8.0_73
J 13 ( 0.2%) Java/1.8.0_74
J 119 ( 1.6%) Java/1.8.0_77
J 126 ( 1.7%) Java/1.8.0_91
J 20 ( 0.3%) Java/1.8.0_92
```
89.3% compatible:
```
J 210 ( 2.8%) Java/1.8.0_101
J 35 ( 0.5%) Java/1.8.0_102
J 160 ( 2.1%) Java/1.8.0_111
J 20 ( 0.3%) Java/1.8.0_112
J 286 ( 3.8%) Java/1.8.0_121
J 686 ( 9.1%) Java/1.8.0_131
J 265 ( 3.5%) Java/1.8.0_141
J 1281 (16.9%) Java/1.8.0_144
J 3531 (46.7%) Java/1.8.0_151
J 122 ( 1.6%) Java/1.8.0_152
J 5 ( 0.1%) Java/1.8.0_152-ea
J 30 ( 0.4%) Java/9
J 115 ( 1.5%) Java/9.0.1
```
It's still too high to my taste. Pushing to April.
comment:16 by , 7 years ago
Much better now:
grep "\(Mac\|Windows\).*Java" /home/josm/trac/log/trac.log |./checkjosm -F 12275 -j 8 /dev/stdin
5.9% not compatible:
```
Java Main Version --> 8 (3075, 100.0%)
J 1 ( 0.0%) Java/1.8.0
J 2 ( 0.1%) Java/1.8.0_11
J 3 ( 0.1%) Java/1.8.0_20
J 9 ( 0.3%) Java/1.8.0_25
J 21 ( 0.6%) Java/1.8.0_31
J 15 ( 0.5%) Java/1.8.0_40
J 16 ( 0.5%) Java/1.8.0_45
J 13 ( 0.4%) Java/1.8.0_51
J 13 ( 0.4%) Java/1.8.0_60
J 7 ( 0.2%) Java/1.8.0_65
J 16 ( 0.5%) Java/1.8.0_66
J 5 ( 0.2%) Java/1.8.0_71
J 11 ( 0.3%) Java/1.8.0_73
J 14 ( 0.4%) Java/1.8.0_74
J 17 ( 0.5%) Java/1.8.0_77
J 21 ( 0.6%) Java/1.8.0_91
J 10 ( 0.3%) Java/1.8.0_92
```
94.1% compatible:
```
J 52 ( 1.6%) Java/1.8.0_101
J 13 ( 0.4%) Java/1.8.0_102
J 62 ( 1.9%) Java/1.8.0_111
J 30 ( 0.9%) Java/1.8.0_112
J 105 ( 3.2%) Java/1.8.0_121
J 149 ( 4.6%) Java/1.8.0_131
J 55 ( 1.7%) Java/1.8.0_141
J 193 ( 6.0%) Java/1.8.0_144
J 455 (14.1%) Java/1.8.0_151
J 30 ( 0.9%) Java/1.8.0_152
J 1669 (51.5%) Java/1.8.0_161
J 67 ( 2.1%) Java/1.8.0_162
J 1 ( 0.0%) Java/1.8.0_172-ea
J 6 ( 0.2%) Java/9
J 38 ( 1.2%) Java/9.0.1
J 117 ( 3.6%) Java/9.0.4
```
Did you check for all or only for Windows users?