From f884861373af0ba1d331b6dc3ffae8f46006bf23 Mon Sep 17 00:00:00 2001
From: Armin Schrenk
Date: Thu, 26 Feb 2026 15:48:35 +0100
Subject: [PATCH] skip fallback if failing to load

---
 .../SSLContextWithWindowsCertStore.java | 24 ++++++++++++++-----
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java b/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java
index 1db06e5b1..5a179e56e 100644
--- a/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java
+++ b/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java
@@ -1,10 +1,12 @@
 package org.cryptomator.networking;
 
+import org.cryptomator.common.Nullable;
 import org.cryptomator.integrations.common.OperatingSystem;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
 import java.nio.file.Files;
-import java.nio.file.NoSuchFileException;
 import java.nio.file.Path;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
@@ -21,12 +23,17 @@ import java.util.List;
 @OperatingSystem(OperatingSystem.Value.WINDOWS)
 public class SSLContextWithWindowsCertStore extends SSLContextDifferentTrustStoreBase implements SSLContextProvider {
 
- private static final String DEFAULT_TRUSTSTORE_PASSWORD = "";
+ private static final Logger LOG = LoggerFactory.getLogger(SSLContextWithWindowsCertStore.class);
+ private static final String DEFAULT_TRUSTSTORE_PASSWORD = "changeit"; //default JDK cacerts password
 
 @Override
 KeyStore getTruststore() throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
 var windowsKeyStore = KeyStore.getInstance("WINDOWS-ROOT");
 var jdkKeyStore = getShippedCaCertsStore();
+ if (jdkKeyStore == null) {
+ return windowsKeyStore;
+ }
+
 ensureLoaded(windowsKeyStore);
 ensureLoaded(jdkKeyStore);
 try {
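Review bot: The new early return in getTruststore() sits before `ensureLoaded(windowsKeyStore);`, so when getShippedCaCertsStore() returns null the WINDOWS-ROOT store is handed back exactly as `KeyStore.getInstance("WINDOWS-ROOT")` created it. ensureLoaded() is not visible in this hunk, but if it is what calls load() on the store, the returned KeyStore is uninitialized and using it will most likely throw a KeyStoreException, in precisely the fallback-failed case this commit is meant to survive. Either move the null check below `ensureLoaded(windowsKeyStore);` or call that line before `return windowsKeyStore;`. getTruststore()'s body continues past the end of the hunk.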
@@ -38,15 +45,20 @@ public class SSLContextWithWindowsCertStore extends SSLContextDifferentTrustStor
 }
 }
 
- KeyStore getShippedCaCertsStore() throws CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException {
+ @Nullable
+ KeyStore getShippedCaCertsStore() {
 var javaHome = Path.of(System.getProperty("java.home"));
 var trustStorePassword = System.getProperty("javax.net.ssl.trustStorePassword", DEFAULT_TRUSTSTORE_PASSWORD).toCharArray();
 for (var candidate : List.of(javaHome.resolve("lib/security/cacerts"), javaHome.resolve("conf/security/cacerts"))) {
- if (Files.isRegularFile(candidate)) {
- return KeyStore.getInstance(candidate.toFile(), trustStorePassword);
+ try {
+ if (Files.isRegularFile(candidate)) {
+ return KeyStore.getInstance(candidate.toFile(), trustStorePassword);
+ }
+ } catch (CertificateException | KeyStoreException | IOException | NoSuchAlgorithmException e) {
+ LOG.info("Unable to load fallback cacerts {} file. Skipping fallback.", candidate, e);
 }
 }
- throw new NoSuchFileException("Could not locate cacerts below java.home: " + javaHome);
+ return null;
 }
 
 }
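Review bot: When neither candidate is a regular file, the loop in getShippedCaCertsStore() falls through to `return null;` without logging anything, whereas the removed code raised a NoSuchFileException that named java.home. The caller then builds its trust store from WINDOWS-ROOT alone, so a server whose CA exists only in the bundled cacerts would fail certificate validation with no hint in the log. I would add `LOG.warn("No cacerts file found below {}. Using Windows root store only.", javaHome);` before `return null;`. The catch block should probably log at WARN rather than INFO too, since a cacerts file that exists but cannot be loaded (wrong password, corrupt or modified file) deserves an operator's attention. A short Javadoc saying that null means "fallback unavailable" would also make the `@Nullable` contract explicit.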