On 11.6, we could set up the Network proxy for our corporate HTTPS proxy which uses untrusted certificates. We added our proxy's untrusted certificates to the jre key store associated with the IDE.
On 11.7, something about the Network proxy setup is changed and broken. The approach above no longer works.
I observe that the JRE version used by 1.7 is newer than that used by 1.6. Can you please confirm that the default certificate key store is still that associated with the JRE within the Xpresso install dir.
I work for Thales in the UK, this issue will afflict all users of your tools within Thales UK so is worthy of your attention.
As part of your ready for release testing, you should test your software using an HTTP Proxy with untrusted certificates. You need to check the ability to run the Pins, Clock Tools etc, Check for Updates and access the Eclipse Market Place - in short, every feature of your tool that does internet access.
The typical error log entries are as below, for a contact with Eclipse Market Place, we get the same for NXP end points.
!ENTRY org.eclipse.equinox.p2.transport.ecf 2 0 2023-01-31 08:17:21.195
!MESSAGE Connection to https://mcuxpresso.nxp.com/eclipse/sdk/p2.index failed on PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Retry attempt 0 started
!STACK 0
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
已解决! 转到解答。
Hi,
the JRE is configured to use (on Windows only) the Windows CA store, see
<MCUXpressoIDE>\ide\mcuxpressoide.ini
and the last line:
-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT
This typically solves the issue that on the Windows there's added some CA that is not trusted by Java. If removing this line will help, I cannot swear, but you might try.
Regards,
Libor
Hi,
the JRE is configured to use (on Windows only) the Windows CA store, see
<MCUXpressoIDE>\ide\mcuxpressoide.ini
and the last line:
-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT
This typically solves the issue that on the Windows there's added some CA that is not trusted by Java. If removing this line will help, I cannot swear, but you might try.
Regards,
Libor
Hi billchadwick
I tried to connect Eclipse Market Place via MCUXpresso IDE v11.7 menu, Eclipse Market Place can be well connected.
Could you please specify the steps of how to reproduce your issue?
Thanks,
Jun Zhang
Is JRE's job to validate certificates... If your company's proxy injects untrusted certificates in a certificates chain, then you should probably add the needed certificates in the JRE's keystore.
Regards,
MCUXpresso IDE Support