While the root of this problem lies with Oracle, I believe Technic Launcher could handle the issue better.
As it currently stands, using a site with an SSL certificate signed by LetsEncrypt or StartSSL to host your modpack.zip is impossible without allowing non-SSL connections. While that is an option, it is a recommended configuration to enable full SSL on the entire site, and it can be a pain to remove SSL for a single file.
This is a difficult problem to solve, but I can see several solutions.
1. Build some kind of custom cert chain and add commonly known "good" CAs - StartSSL and LetsEncrypt, for example, into the "approved" CA list.
2. Have a prompt of some kind, indicating the issue to the user. If we allow the user to continue, that's probably a little dangerous, given that it would be easy to break the chain of trust by telling someone to click "Continue". But this would solve the problem without having the burden of maintaining a list of "good" CAs like in option 1. Even if we don't add a "Continue" option, this could be useful to people creating modpacks, as they would have a much more clear error message than "something went wrong".
3. Ignore SSL certificates when downloading. This is a very bad idea from a security perspective, but it would work to prevent this issue. Probably not a good idea to do though...
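Option 1 from the issue above, sketched as an added example (not Technic Launcher's code and not written by the issue author): it merges the JRE's default trust anchors with CA certificates shipped alongside the application, so validation stays enabled while the extra CAs become trusted. The class name `ExtraCaTrust` and the CA file paths passed in are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper class; the name is an assumption for this example.
public class ExtraCaTrust {
    /** Builds an SSLContext trusting the JRE's default CAs plus the given PEM/DER CA files. */
    public static SSLContext build(Path... extraCaFiles) throws Exception {
        String alg = TrustManagerFactory.getDefaultAlgorithm();

        // Passing a null KeyStore makes the factory load the JRE's default cacerts.
        TrustManagerFactory defaults = TrustManagerFactory.getInstance(alg);
        defaults.init((KeyStore) null);

        // Copy every default trust anchor into an empty in-memory store.
        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        merged.load(null, null);
        int n = 0;
        for (TrustManager tm : defaults.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    merged.setCertificateEntry("default-" + n++, ca);
                }
            }
        }

        // Add the CA certificates bundled with the application (paths supplied by the caller).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (Path p : extraCaFiles) {
            try (InputStream in = Files.newInputStream(p)) {
                merged.setCertificateEntry("extra-" + n++, cf.generateCertificate(in));
            }
        }

        // A trust manager built from the merged store still performs full path validation.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(alg);
        tmf.init(merged);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Apply the result to a single download with `HttpsURLConnection.setSSLSocketFactory(ctx.getSocketFactory())` rather than changing the JVM-wide default; hostname verification is untouched and stays on.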
I just had this problem, too. I worked around it by creating a new subdomain with a CNAME record pointing to the original domain and adding a virtual HTTP host which doesn't redirect to HTTPS. It looks like techniclauncher doesn't understand HSTS, otherwise it would have redirected the request by itself.
In my opinion it's reckless to distribute software (like modpacks) without strong authentication such as TLS.