[
https://issues.apache.org/jira/browse/MJAVADOC-507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16581289#comment-16581289
]
Chris Povirk commented on MJAVADOC-507:
---------------------------------------
I don't see it now, either (also with 1.8u151). Probably either the newer JDK
has updates to its certificates data, or the web site has changed certificates.
I would still argue that it would be nice for Maven to stop trying to
pre-validate package-info files, since future certificate changes could break
it again, but I don't know of any sites with current problems.
> -linkoffline rejects valid package-list files because of SSL problems
> ---------------------------------------------------------------------
>
> Key: MJAVADOC-507
> URL: https://issues.apache.org/jira/browse/MJAVADOC-507
> Project: Maven Javadoc Plugin
> Issue Type: Bug
> Components: javadoc
> Affects Versions: 3.0.0
> Environment: Java 8
> Reporter: Chris Povirk
> Priority: Minor
> Attachments: MJAVADOC-507.zip
>
>
> For weird reasons, we're trying to use <offlineLinks> rather than <links> for
> some of our links. Our configuration includes:
> {code:xml} <offlineLink>
> <url>https://checkerframework.org/api</url>
> <location>https://checkerframework.org/api</location>
> </offlineLink>{code}
> If I run javadoc with -linkoffline set to this URL and location, I get links
> in the resulting docs. However, if I run maven-javadoc-plugin, I get an error:
> {noformat}[ERROR] Error fetching link:
> https://checkerframework.org/api/package-list. Ignored it.{noformat}
> Since javadoc can load the package-list fine and so can my browser, there
> seems to be something wrong in maven-javadoc-plugin. To debug, I built my own
> maven-javadoc-plugin, modified to display the full error that caused the
> failure. It showed this:
> {noformat}javax.net.ssl.SSLException: Certificate for <checkerframework.org>
> doesn't match any of the subject alternative names: [*.cs.washington.edu]
> at
> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:165)
> at
> org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:61)
> at
> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:141)
> at
> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:114)
> at
> org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:580)
> at
> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554)
> at
> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:412)
> at
> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:179)
> at
> org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:328)
> at
> org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:612)
> at
> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:447)
> at
> org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:884)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
> at
> org.apache.maven.plugins.javadoc.JavadocUtil.isValidPackageList(JavadocUtil.java:1666){noformat}
> Now, I *don't* see this error if I run with Java 9. This suggests to me that
> each copy of Java has its own certificate list/logic. That means that the
> problem isn't in maven-javadoc-plugin per se.
> However, it seems inevitable that the built-in Java list will go out of date
> again, and maven-javadoc-plugin will fail again for some other site.
> One solution would be for maven-javadoc-plugin to do whatever it is that
> Javadoc itself does to recognize more certificates. However, this sounds
> complicated.
> The simple solution would be for maven-javadoc-plugin to stop pre-validating
> package-list files altogether (since Javadoc will ignore them if they're
> truly missing). But, if you want to keep the validation, then I'd suggest
> passing all URLs to Javadoc, even the ones that fail validation. That way,
> users still get a loud, red/yellow Maven error/warning for real problems, but
> false problems like the one here don't keep Javadoc links from working.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
