Opened 7 years ago

Closed 6 years ago

Last modified 6 years ago

#14652 closed enhancement (fixed)

Remove Let's Encrypt certificate

Reported by: Don-vip
Owned by: team
Priority: normal
Milestone: 18.04
Component: Core
Version:
Keywords: certificate lets encrypt root ca
Cc:

Description

We added DST_Root_CA_X3 CA (see #12264) in March 2016 because this CA was massively adopted on the web but Java was lagging behind everyone.

Java does support Let's Encrypt now, since 8u101 released in July 2016.

Looking at usage statistics, 82.5% of our users use a compatible version (as of April 2017):

J        649 ( 5.7%) Java/1.8.0_101
J        120 ( 1.1%) Java/1.8.0_102
J       1124 ( 9.9%) Java/1.8.0_111
J        103 ( 0.9%) Java/1.8.0_112
J       7366 (64.9%) Java/1.8.0_121

And 17% do not:

J          9 ( 0.1%) Java/1.8.0
J         17 ( 0.1%) Java/1.8.0_05
J          9 ( 0.1%) Java/1.8.0_11
J         22 ( 0.2%) Java/1.8.0_20
J        122 ( 1.1%) Java/1.8.0_25
J        144 ( 1.3%) Java/1.8.0_31
J         56 ( 0.5%) Java/1.8.0_40
J        126 ( 1.1%) Java/1.8.0_45
J         81 ( 0.7%) Java/1.8.0_51
J        129 ( 1.1%) Java/1.8.0_60
J         96 ( 0.8%) Java/1.8.0_65
J        246 ( 2.2%) Java/1.8.0_66
J         52 ( 0.5%) Java/1.8.0_71
J          6 ( 0.1%) Java/1.8.0_72
J         97 ( 0.9%) Java/1.8.0_73
J         41 ( 0.4%) Java/1.8.0_74
J        141 ( 1.2%) Java/1.8.0_77
J        461 ( 4.1%) Java/1.8.0_91
J         62 ( 0.5%) Java/1.8.0_92

We should remove it when the percentage of impacted users drops to a very small number (<5% ?).

Change History (19)

comment:1 by stoecker, 7 years ago

Did you check for all or only for Windows users?

comment:2 by Don-vip, 7 years ago

Type: defect → enhancement

comment:3 by Don-vip, 7 years ago

I just checked the version, so all users. Indeed it does only affect Windows and Mac users, so the real percentage is a bit lower than 17%. Do we have a command line option to filter by OS?

comment:4 by stoecker, 7 years ago

Yes: grep "\(Mac\|Windows\).*Java" /home/josm/trac/log/trac.log |./checkjosm -F 9995 -j 8 /dev/stdin


comment:5 by Don-vip, 7 years ago

OK so this gives 20.3% of Windows/Mac users not compatible:

J         15 ( 0.2%) Java/1.8.0_05
J          7 ( 0.1%) Java/1.8.0_11
J         21 ( 0.2%) Java/1.8.0_20
J        116 ( 1.3%) Java/1.8.0_25
J        146 ( 1.7%) Java/1.8.0_31
J         54 ( 0.6%) Java/1.8.0_40
J        125 ( 1.4%) Java/1.8.0_45
J         77 ( 0.9%) Java/1.8.0_51
J        125 ( 1.4%) Java/1.8.0_60
J         94 ( 1.1%) Java/1.8.0_65
J        239 ( 2.8%) Java/1.8.0_66
J         49 ( 0.6%) Java/1.8.0_71
J         91 ( 1.1%) Java/1.8.0_73
J         38 ( 0.4%) Java/1.8.0_74
J        103 ( 1.2%) Java/1.8.0_77
J        399 ( 4.6%) Java/1.8.0_91
J         57 ( 0.7%) Java/1.8.0_92

and 79.5% compatible:

J        604 ( 7.0%) Java/1.8.0_101
J        103 ( 1.2%) Java/1.8.0_102
J        913 (10.5%) Java/1.8.0_111
J         88 ( 1.0%) Java/1.8.0_112
J       5179 (59.8%) Java/1.8.0_121

100% of Linux users are compatible :)

comment:6 by bastiK, 7 years ago

What are currently the sites that use Let's Encrypt? I.e. how noticeable will it be for those users if we drop the certificate?

comment:7 by stoecker, 7 years ago

From our Maps? Maybe nearly none? Anyway I think offering the chance to use a free certificate is worth the effort we do. I don't want to have large barriers for TLS usage and DANE for https is way into the future.

in reply to:  7 ; comment:8 by bastiK, 7 years ago

Replying to stoecker:

> From our Maps?

Any URL a user might want to load from JOSM.

> Anyway I think offering the chance to use a free certificate is worth the effort we do. I don't want to have large barriers for TLS usage and DANE for https is way into the future.

Sure, but the circumstances have changed as Let's Encrypt certificate is now shipped with Java 8u101 and later. There is a value in getting rid of our custom certificate patches.

If Let's Encrypt isn't used really at the moment, then by the time it gets adopted by a heavily frequented server (say openstreetmap.org or overpass-api.de) almost everyone will have updated their Java version. (If not, we can ask them to do so.)

in reply to:  8 ; comment:9 by stoecker, 7 years ago

Replying to bastiK:

> Replying to stoecker:
>
> > From our Maps?
>
> Any URL a user might want to load from JOSM.

Well, overpass-api.de

> > Anyway I think offering the chance to use a free certificate is worth the effort we do. I don't want to have large barriers for TLS usage and DANE for https is way into the future.
>
> Sure, but the circumstances have changed as Let's Encrypt certificate is now shipped with Java 8u101 and later. There is a value in getting rid of our custom certificate patches.
>
> If Let's Encrypt isn't used really at the moment, then by the time it gets adopted by a heavily frequented server (say openstreetmap.org or overpass-api.de) almost everyone will have updated their Java version. (If not, we can ask them to do so.)

As there is no real reason to remove it from our code except a feeling of "keeping code clean" there is no need to hurry in any way. We'll reevaluate in August and if not reasonable then in December and so on. Having it added does no harm, as it follows the guidelines of other software and even Java. We did not make our own rules.

in reply to:  9 comment:10 by bastiK, 7 years ago

Replying to stoecker:

> Replying to bastiK:
>
> > Any URL a user might want to load from JOSM.
>
> Well, overpass-api.de

Okay, then we have a good reason to keep it in for now.

comment:11 by Don-vip, 7 years ago

In 12219/josm:

see #14652 - ask Windows/macOS users to update their version of Java when it expires (i.e. when the built-in JRE expiration date is passed, about 4 months after release, 1 month after Java should have asked to update by itself). It currently proposes to update all versions of Java 8 up to update 121, released on January 17, 2017, as its expiration date is May 18, 2017.

comment:12 by Don-vip, 7 years ago

Stats update:

16.9% not compatible:

J          6 ( 0.1%) Java/1.8.0
J          9 ( 0.2%) Java/1.8.0_05
J         15 ( 0.3%) Java/1.8.0_11
J          7 ( 0.1%) Java/1.8.0_20
J          1 ( 0.0%) Java/1.8.0_20-ea
J         95 ( 2.0%) Java/1.8.0_25
J         86 ( 1.8%) Java/1.8.0_31
J         41 ( 0.9%) Java/1.8.0_40
J         52 ( 1.1%) Java/1.8.0_45
J         31 ( 0.7%) Java/1.8.0_51
J         43 ( 0.9%) Java/1.8.0_60
J         37 ( 0.8%) Java/1.8.0_65
J         77 ( 1.6%) Java/1.8.0_66
J         24 ( 0.5%) Java/1.8.0_71
J          5 ( 0.1%) Java/1.8.0_72
J         43 ( 0.9%) Java/1.8.0_73
J         19 ( 0.4%) Java/1.8.0_74
J         48 ( 1.0%) Java/1.8.0_77
J        139 ( 2.9%) Java/1.8.0_91
J          9 ( 0.2%) Java/1.8.0_92

83.1% compatible:

J        221 ( 4.7%) Java/1.8.0_101
J         46 ( 1.0%) Java/1.8.0_102
J        322 ( 6.8%) Java/1.8.0_111
J         39 ( 0.8%) Java/1.8.0_112
J        860 (18.2%) Java/1.8.0_121
J       2438 (51.6%) Java/1.8.0_131

It should speed up this month thanks to r12219 suggesting people to update their old versions of Java.

comment:13 by Don-vip, 7 years ago

JDK 8u141 has added new Let's Encrypt root CA:

ISRG Root X1 
alias: letsencryptisrgx1 
DN: CN=ISRG Root X1, O=Internet Security Research Group, C=US

comment:14 by Don-vip, 7 years ago

Milestone: 17.08 → 17.12

Stats update (grep "\(Mac\|Windows\).*Java" /home/josm/trac/log/trac.log |./checkjosm -F 9995 -j 8 /dev/stdin):

14.1% not compatible:

J         11 ( 0.1%) Java/1.8.0_05
J          7 ( 0.1%) Java/1.8.0_11
J         38 ( 0.3%) Java/1.8.0_20
J        125 ( 1.1%) Java/1.8.0_25
J        144 ( 1.3%) Java/1.8.0_31
J         44 ( 0.4%) Java/1.8.0_40
J        153 ( 1.4%) Java/1.8.0_45
J         56 ( 0.5%) Java/1.8.0_51
J        119 ( 1.1%) Java/1.8.0_60
J         94 ( 0.9%) Java/1.8.0_65
J        179 ( 1.6%) Java/1.8.0_66
J         45 ( 0.4%) Java/1.8.0_71
J         15 ( 0.1%) Java/1.8.0_72
J         85 ( 0.8%) Java/1.8.0_73
J         15 ( 0.1%) Java/1.8.0_74
J        116 ( 1.1%) Java/1.8.0_77
J        248 ( 2.3%) Java/1.8.0_91
J         51 ( 0.5%) Java/1.8.0_92

85.9% compatible:

J        323 ( 2.9%) Java/1.8.0_101
J         62 ( 0.6%) Java/1.8.0_102
J        433 ( 3.9%) Java/1.8.0_111
J         57 ( 0.5%) Java/1.8.0_112
J        922 ( 8.4%) Java/1.8.0_121
J       3613 (32.8%) Java/1.8.0_131
J       3504 (31.9%) Java/1.8.0_141
J        515 ( 4.7%) Java/1.8.0_144

The adoption rate is way too slow. Pushing it to December.

comment:15 by Don-vip, 6 years ago

Milestone: 17.12 → 18.04

Stats update (grep "\(Mac\|Windows\).*Java" /home/josm/trac/log/trac.log |./checkjosm -F 9995 -j 8 /dev/stdin):

12.3% not compatible:

J         26 ( 0.3%) Java/1.8.0_05
J          6 ( 0.1%) Java/1.8.0_11
J         28 ( 0.3%) Java/1.8.0_20
J         67 ( 0.8%) Java/1.8.0_25
J         87 ( 1.0%) Java/1.8.0_31
J         44 ( 0.5%) Java/1.8.0_40
J         83 ( 0.9%) Java/1.8.0_45
J         43 ( 0.5%) Java/1.8.0_51
J         84 ( 1.0%) Java/1.8.0_60
J         57 ( 0.7%) Java/1.8.0_65
J         71 ( 0.8%) Java/1.8.0_66
J         26 ( 0.3%) Java/1.8.0_71
J         13 ( 0.1%) Java/1.8.0_72
J         65 ( 0.7%) Java/1.8.0_73
J         14 ( 0.2%) Java/1.8.0_74
J        140 ( 1.6%) Java/1.8.0_77
J        189 ( 2.2%) Java/1.8.0_91
J         22 ( 0.3%) Java/1.8.0_92

87.7% compatible:

J        320 ( 3.7%) Java/1.8.0_101
J         47 ( 0.5%) Java/1.8.0_102
J        219 ( 2.5%) Java/1.8.0_111
J         29 ( 0.3%) Java/1.8.0_112
J        481 ( 5.5%) Java/1.8.0_121
J        825 ( 9.4%) Java/1.8.0_131
J        286 ( 3.3%) Java/1.8.0_141
J       1399 (16.0%) Java/1.8.0_144
J       3796 (43.4%) Java/1.8.0_151
J        126 ( 1.4%) Java/1.8.0_152
J          5 ( 0.1%) Java/1.8.0_152-ea
J         30 ( 0.3%) Java/9
J        115 ( 1.3%) Java/9.0.1

It's just to compare to previous stats with the same criteria. If we consider now only people having updated JOSM in the past 6 months, numbers become:

grep "\(Mac\|Windows\).*Java" /home/josm/trac/log/trac.log |./checkjosm -F 12275 -j 8 /dev/stdin

10.7% not compatible:

J         16 ( 0.2%) Java/1.8.0_05
J          4 ( 0.1%) Java/1.8.0_11
J         25 ( 0.3%) Java/1.8.0_20
J         33 ( 0.4%) Java/1.8.0_25
J         73 ( 1.0%) Java/1.8.0_31
J         27 ( 0.4%) Java/1.8.0_40
J         66 ( 0.9%) Java/1.8.0_45
J         40 ( 0.5%) Java/1.8.0_51
J         65 ( 0.9%) Java/1.8.0_60
J         37 ( 0.5%) Java/1.8.0_65
J         54 ( 0.7%) Java/1.8.0_66
J         18 ( 0.2%) Java/1.8.0_71
J         13 ( 0.2%) Java/1.8.0_72
J         54 ( 0.7%) Java/1.8.0_73
J         13 ( 0.2%) Java/1.8.0_74
J        119 ( 1.6%) Java/1.8.0_77
J        126 ( 1.7%) Java/1.8.0_91
J         20 ( 0.3%) Java/1.8.0_92

89.3% compatible:

J        210 ( 2.8%) Java/1.8.0_101
J         35 ( 0.5%) Java/1.8.0_102
J        160 ( 2.1%) Java/1.8.0_111
J         20 ( 0.3%) Java/1.8.0_112
J        286 ( 3.8%) Java/1.8.0_121
J        686 ( 9.1%) Java/1.8.0_131
J        265 ( 3.5%) Java/1.8.0_141
J       1281 (16.9%) Java/1.8.0_144
J       3531 (46.7%) Java/1.8.0_151
J        122 ( 1.6%) Java/1.8.0_152
J          5 ( 0.1%) Java/1.8.0_152-ea
J         30 ( 0.4%) Java/9
J        115 ( 1.5%) Java/9.0.1

It's still too high to my taste. Pushing to April.

comment:16 by Don-vip, 6 years ago

Much better now:
grep "\(Mac\|Windows\).*Java" /home/josm/trac/log/trac.log |./checkjosm -F 12275 -j 8 /dev/stdin

5.9% not compatible:

Java Main Version --> 8 (3075, 100.0%)
J          1 ( 0.0%) Java/1.8.0
J          2 ( 0.1%) Java/1.8.0_11
J          3 ( 0.1%) Java/1.8.0_20
J          9 ( 0.3%) Java/1.8.0_25
J         21 ( 0.6%) Java/1.8.0_31
J         15 ( 0.5%) Java/1.8.0_40
J         16 ( 0.5%) Java/1.8.0_45
J         13 ( 0.4%) Java/1.8.0_51
J         13 ( 0.4%) Java/1.8.0_60
J          7 ( 0.2%) Java/1.8.0_65
J         16 ( 0.5%) Java/1.8.0_66
J          5 ( 0.2%) Java/1.8.0_71
J         11 ( 0.3%) Java/1.8.0_73
J         14 ( 0.4%) Java/1.8.0_74
J         17 ( 0.5%) Java/1.8.0_77
J         21 ( 0.6%) Java/1.8.0_91
J         10 ( 0.3%) Java/1.8.0_92

94.1% compatible:

J         52 ( 1.6%) Java/1.8.0_101
J         13 ( 0.4%) Java/1.8.0_102
J         62 ( 1.9%) Java/1.8.0_111
J         30 ( 0.9%) Java/1.8.0_112
J        105 ( 3.2%) Java/1.8.0_121
J        149 ( 4.6%) Java/1.8.0_131
J         55 ( 1.7%) Java/1.8.0_141
J        193 ( 6.0%) Java/1.8.0_144
J        455 (14.1%) Java/1.8.0_151
J         30 ( 0.9%) Java/1.8.0_152
J       1669 (51.5%) Java/1.8.0_161
J         67 ( 2.1%) Java/1.8.0_162
J          1 ( 0.0%) Java/1.8.0_172-ea
J          6 ( 0.2%) Java/9
J         38 ( 1.2%) Java/9.0.1
J        117 ( 3.6%) Java/9.0.4

comment:17 by Don-vip, 6 years ago

Resolution: fixed
Status: new → closed

In 13604/josm:

fix #14652 - Remove DST_Root_CA_X3 certificate needed for Let's Encrypt (included two years ago in JDK 8u101)

comment:18 by Don-vip, 6 years ago

In 13605/josm:

fix #14652 - Remove DST_Root_CA_X3 certificate needed for Let's Encrypt (included two years ago in JDK 8u101)

comment:19 by Don-vip, 6 years ago

In 13701/josm:

fix #15851, see #14652 - load DST Root CA X3 from native keystore when not found in JDK
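
An added example, not part of the ticket or of JOSM's tooling: a small Python classifier that reproduces the compatible / not compatible split used in the stats updates above, taking Java 8u101 as the threshold stated in the description. It reads rows in the `J <count> (<pct>%) Java/<version>` format quoted in the comments; the function names and the sample rows are constructed for illustration, and the OS filtering is assumed to have been done upstream (the `grep` from comment 4).

```python
import re

# Row format quoted in this ticket: "J <count> (<pct>%) Java/<version>"
ROW = re.compile(r"^J\s+(\d+)\s+\(\s*[\d.]+%\)\s+Java/(\S+)$")
MIN_JAVA8_UPDATE = 101  # 8u101: first Java 8 update the ticket counts as compatible


def is_compatible(version):
    """True if the Java version string is 8u101 or later (hypothetical helper)."""
    version = version.split("-", 1)[0]        # drop suffixes such as "-ea"
    base, _, update = version.partition("_")  # "1.8.0_25" -> ("1.8.0", "_", "25")
    parts = [int(p) for p in base.split(".")]
    # Legacy scheme "1.N.x" means Java N; the newer scheme "9" / "9.0.1" means Java 9.
    major = parts[1] if parts[0] == 1 and len(parts) > 1 else parts[0]
    if major != 8:
        return major > 8
    # "Java/1.8.0" carries no update number and is treated as update 0.
    return int(update or 0) >= MIN_JAVA8_UPDATE


def split_by_compatibility(report):
    """Return (compatible_count, incompatible_count, incompatible_share_percent)."""
    ok = bad = 0
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                          # header rows, blank lines
        count, version = int(m.group(1)), m.group(2)
        if is_compatible(version):
            ok += count
        else:
            bad += count
    total = ok + bad
    share = round(100.0 * bad / total, 1) if total else 0.0
    return ok, bad, share


# Constructed sample in the ticket's row format (not real JOSM statistics).
SAMPLE = """\
Java Main Version --> 8 (1000, 100.0%)
J         10 ( 1.0%) Java/1.8.0
J          5 ( 0.5%) Java/1.8.0_20-ea
J         35 ( 3.5%) Java/1.8.0_92
J        100 (10.0%) Java/1.8.0_101
J        800 (80.0%) Java/1.8.0_161
J         50 ( 5.0%) Java/9.0.1
"""

if __name__ == "__main__":
    print(split_by_compatibility(SAMPLE))
```

The share is computed from the raw counts, so it can differ by a tenth of a percent from a figure obtained by adding up the rounded per-row percentages.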
