SSLSocket created with expired certificates

The tests documented here were performed using Sun JSSE 1.0.2.
Server
I have installed TOMCAT and configured it for SSL by following the instructions detailed in the following link:
http://jakarta.apache.org/tomcat/tomcat-3.3-doc/tomcat-ssl-howto.html
NB: The system date was set back by more than three months to ensure that the certificate contained in the store is now expired.
Client
I have created a simple java client test program that attempts to create an SSLSocket connecting to the TOMCAT SSL port.
The code is listed below:
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Class name chosen here to make the posted fragment compile; the post does not give one
public class SSLClientTest {
    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket("127.0.0.1", 8443);
        System.out.println("Establishing SSL socket connection");
        // register a callback for handshaking completion event
        socket.addHandshakeCompletedListener(new HandshakeCompletedListener() {
            public void handshakeCompleted(HandshakeCompletedEvent event) {
                System.out.println("Handshake finished!");
                System.out.println("\t CipherSuite:" + event.getCipherSuite());
                System.out.println("\t SessionId " + event.getSession());
                System.out.println("\t PeerHost " + event.getSession().getPeerHost());
            }
        });
        socket.startHandshake();
        socket.close();
        System.out.println("Established SSL socket connection");
    }
}
Tests
The test program was run as follows (NB: With the system date set correctly to the current date):
Test 1
With no parameters passed.
Result: This produces an untrusted server cert chain error. This happens because the truststore information has not been supplied. This result is as expected.
Test 2
With the following parameters:
-Djavax.net.debug=ssl:keymanager
-Djavax.net.ssl.trustStore= set to the location of a truststore file containing the same EXPIRED server certificate mentioned above
Result: This does not produce any errors and the socket is created successfully and the handshake completes successfully. As the truststore at the client (i.e. the java test program) and the keystore at the server (i.e. SSL enabled TOMCAT) both contain the same EXPIRED certificate it was expected this would result in a failure to create the SSLSocket. The debug trace that is output does indeed show that the certificate has expired yet somehow the connection is still being made.
It should be noted that test 2 has been run on numerous occasions in the past and has previously given the expected result. That is to say, a failure to create the SSLSocket with an error message stating that the certificate had expired. Nothing appears to have changed in the environment in which these tests are being run that should cause them to start to fail now.
Has anyone seen this strange behaviour before?

There are fellow sufferers...
http://forum.java.sun.com/thread.jspa?threadID=560690&tstart=0
I too noticed this.
I've a simple 20 line SSL server and SSL client and can reproduce this behaviour.
i.e. trying with a good cert, it exchanges data, with a bad cert, I get an exception, and with an expired cert, it exchanges data when I expect this last one to fail.
I don't know what the solution is but if I were to hazard a guess, I'd say maybe I need to subclass the TrustManager? or maybe set some policy somewhere.
In the meantime, I've just invalidated it manually.
i.e. on startup or whenever appropriate, I do the following...
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

// Load the keystore in the user's home directory
FileInputStream is = new FileInputStream(filename);
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
keystore.load(is, password.toCharArray());
is.close();
// Collect the offending aliases first so the enumeration is not modified while in use
List<String> expired = new ArrayList<String>();
for (Enumeration<String> ea = keystore.aliases(); ea.hasMoreElements();) {
    String alias = ea.nextElement();
    // Get certificate (null for entries that carry no certificate, e.g. secret keys)
    X509Certificate cert = (X509Certificate) keystore.getCertificate(alias);
    if (cert == null) continue;
    try {
        cert.checkValidity(); // throws CertificateExpiredException / CertificateNotYetValidException
    } catch (CertificateException e) {
        System.out.println("Invalid Certificate for " + alias);
        expired.add(alias);
    }
}
for (String alias : expired) {
    keystore.deleteEntry(alias);
}
i.e. I remove the offending cert from the truststore...
This is a stop-gap measure till I figure out what to do instead.
Hope this helps...
Chai

Similar Messages

  • URGENT!! ERROR WITH EXPIRED CERTIFICATE USING JDK 1.4.2.05

    Hi,
    I have created a client/server application with SSL and have found the following problem.
    I have made these two tests:
    1) jdk 1.4.2.03 --> the certificate is expired, I obtain this exception "No trusted certificate found". It's ok.
    2) jdk 1.4.2.06 --> the certificate is expired, no error occurs. WHY?????
    Can someone help me?
    Gianna

    The problem is not the expired certificate! I know that it is expired, but I don't understand why, using jdk 1.4.2.05, this certificate is not recognized as invalid.
    With this jdk the channel is created. Using jdk 1.4.2.03 instead, the certificate was recognized as expired and the channel is not created between client and server.
    For me the correct behavior is with the old version of the JDK and not the new.
    WHY?????

  • Adobe open encrypted PDF with expired certificate

    Hi,
    I encrypt and sign documents with certificates. To do this I use a script and the little program "jsignpdf". The certificates are stored in the Windows certificate store on the client. This works fine!
    The problem is that Adobe Reader (10/11) opens the encrypted PDF also when the certificate is expired. I don't find any option to change that.
    Has anybody an idea to solve my problem?
    The clients have Windows Vista and Adobe Reader 10. But Adobe Reader 11 has the same problem.
    Thanks
    Steven

    If you are signing with Acrobat, you have the choice of whether to include revocation information. See Establish long-term signature validation in http://helpx.adobe.com/acrobat/using/validating-digital-signatures.html.

  • Timestamped document with expired certificate - not validating

    Hi,
    I have a document that was timestamped and certified on 2010/11/23 15:32:16 -03'00'. The timestamp certificate is still valid, but the certifier's certificate expired on 2010/12/11 07:00:00 -03'00'.
    The Reader can't validate this certificate, even though the Security configuration says that it should use the "secure time" and accept expired timestamps.
    In "Signature Properties" it says:
    The signer's identity is unknown because it has expired or is not yet valid.
    In "Certificate Viewer" it says:
    The selected certificate has errors: Not time valid
    Shouldn't the validation use the timestamp as a source for time validation?
    Thanks!!
    -RCT.

    Hi Melvin,
    First check to see if the certificate is in the store
    PowerShell: Get-ChildItem cert:\LocalMachine\My\ to list the certs in the store
    Screenshot from my desktop
    Cheers,
    -Ivan

  • Problem with revocked/expiring certificate

    The certificate has been revoked 15 days before the expiration (I do not know the reason).
    Now I can not install the app any more on one of my devices, and that's understandable,
    but what is not clear to me is what is going to happen to all the iPads where my app (with the revoked/expiring certificate) is installed... Can my users still open the app with the revoked/expiring certificate?
    thanks

    This cert was already installed was the message I received when I tried. It might be that there is a default list of certs that are added when Firefox is installed.
    This will tell you what version that it was added by default:
    [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/] via [https://docs.google.com/a/mozilla.com/spreadsheet/pub?key=0Ah-tHXMAwqU3dGx0cGFObG9QM192NFM4UWNBMlBaekE&single=true&gid=1&output=html]

  • How do you link a ssl certificate to your website created with adobe muse?

    I would like to know how you can link an SSL certificate to a website created with Muse, especially when you have created an e-commerce website.

    In Business Catalyst as well, SSL certificates cannot be added separately.
    However (if you are looking to make the payment mode secure), the payment pages in Business Catalyst already use a secure URL for the payment and you do not require an SSL certificate for them.
    Hope this helps.
    Regards,
    Sachin

  • Clients connect to wifi with certificate that expires every month - correct way to handle expired certificates?

    Hi all
    I'm sorry if this is the wrong forum to ask this question. Also my knowledge in this area is somewhat limited, which is why I need your help :-)
    We use wireless networks primarily in my company for all our clients and use a certificate to authenticate to the network. This certificate expires after 1 month and we automatically renew them 1 week before expiry. Relatively often we have users that are not connected to the network for a few weeks or more and then the certificate expires before being renewed. Then we have to connect them to the wired network to get the certificate updated, so they can connect to the wireless network again.
    What is the correct approach to solve this issue? We feel extending the life of the certificate would be a too big security compromise. Is there some way you could automatically allow an expired certificate briefly with the sole purpose of renewing the certificate?
    Or how would you normally resolve this issue?
    Thanks for any help/knowledge you can provide :-)

    > Setting the validity period that high, means that the certificate could be cracked before expiry.
    Then you should be scared of CAs whose validity is 10 or more years. And they use the same cryptography as end-entity certificates (key length and signature algorithms). It is paranoia. Just make sure that client certificates use at least 2048 bit long keys and use the SHA1 (or better) signature algorithm. In this case there is little chance that the certificate will be successfully cracked in 2 years.
    If there is evidence (or indications) of client private key compromise -- immediately revoke the certificate and publish a new CRL ASAP. You cannot protect clients from key compromise by using short-lived certificates, because key compromise is usually achieved by gaining control over the private key (malware on the client computer). Therefore, there is nothing wrong in issuing client certificates with 1 or 2 year validity.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.

  • Certificate always created with 90 day validity!

    Hi,
    I switched to using J2SDK 1.4.2.03 and now whenever I create a certificate it is created with a 90 day validity regardless of what I provide for the "validity" option. I'm fairly certain the previous version I was using did not have this problem. Here are the commands as executed (I changed the password and removed paths to cacerts).
    keytool -delete -v -keystore cacerts -storepass password -alias gateway
    keytool -genkey -v -keyalg RSA -keysize 512 -keystore cacerts -storepass password -alias gateway -validity 5
    keytool -selfcert -v -keystore cacerts -storepass password -alias gateway
    I tried various values of validity above and below 90 but it always comes out as 90. If anyone can suggest a solution to this I would appreciate it!
    Dominique

    Very strange. I had no problem using 1.4.2_03. Can you show us the:
    keytool -list -v -keystore cacerts
    output that shows a validity period going in reverse? Your system clock date didn't change, did it? Never seen that before. I got:
    % keytool -selfcert -v -keystore cacerts -storepass password -alias gateway -validity 1821
    New certificate (self-signed):
    Version: V1
    Subject: CN=Joe, OU=Java, O=Sun, L=SCA, ST=CA, C=US
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key: SunJSSE RSA public key:
    ...deleted...
    Validity: [From: Thu Jun 10 09:33:05 PDT 2004,
                   To: Fri Jun 05 09:33:05 PDT 2009]
    Issuer: CN=Joe, OU=Java, O=Sun, L=SCA, ST=CA, C=US
    SerialNumber: [    40c88d41]
    ...deleted...
    BTW, -genkey generates a self-signed cert, you don't need to go through the extra -selfcert
    step unless you want to replace the current self-cert in the keystore.
    In the third example (-selfcert), it will default back to 90 days if you don't specify the validity period.

  • While creating with holding tax certificate

    Dear all, while printing the withholding certificate I am getting the error "No data selected for printing".
    Please guide me how to solve this error.
    Regards
    Babu.k

    It could be anything... Check your configuration step by step and thoroughly... Lastly, ask your ABAP consultant to debug the print program so as to know the cause of the error.
    Refer:
    WHT Certificate Print
    withholding tax certificate printing

  • Expired Certificate with theme of E71

    Hi,
    I have just started using a new Nokia E71.
    However, when I install a Theme for my phone, it always fails.
    It shows on screen "Expired Certificate".
    Please kindly help to solve this problem.
    R.gds
    Duyben

    Try backdating the phone, meaning change the date on your phone to say 1 year back; this can be done in your clock settings,
    e.g. 24/2/2008, then try installing it.
    Otherwise you might need to contact the person you downloaded the theme from to get an updated installation file/certificate.
    If my post helped you out, please click the Star next to it to add some KUDOS to my name.

  • How do we create self-signed certificate using java packages

    Hi All,
    I require some information on creating self-signed certificate using java packages.
    The java.security.cert.* package allows you to read Certificates from an existing store or a file etc. but there is no way to generate one afresh. See CertificateFactory and Certificate classes. Even after loading a certificate you cannot regenerate some of its fields to embed the new public key – and hence regenerate the fingerprints etc. – and mention a new DN. Essentially, I see no way from java to self-sign a certificate that embeds a public key that I have already generated.
    I want to do the equivalent of ‘keytool –selfcert’ from java code. Please note that I am not trying to do this by using the keytool command line option – it is always a bad choice to execute external process from the java code – but if no other ways are found then I have to fall back on it.
    Regards,
    Chandra

    > I require some information on creating self-signed certificate using java packages.
    It's not possible because JCE/JCA doesn't have an implementation of X509Certificate. For that you have to use another JCE provider, e.g. BouncyCastle, IAIK, Assembla, etc.
    I'm giving you sample code for producing a self-signed certificate using IAIK JCE. Note that IAIK JCE is not free. But you can use BouncyCastle; it's open source and free.
    import java.math.BigInteger;
    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.util.Calendar;
    import java.util.GregorianCalendar;
    import iaik.asn1.ObjectID;
    import iaik.asn1.structures.AlgorithmID;
    import iaik.asn1.structures.Name;
    import iaik.x509.X509Certificate;

    // Class name chosen here to make the posted fragment compile; the post does not give one
    public class SelfSignedCertGenerator {
        private KeyPairGenerator m_objkeypairgen;
        private KeyPair m_objkeypair;
        private X509Certificate m_objX509;

        /** Generating and Initialising the Public and Private Keys */
        public KeyPair generateKeys() throws Exception {
            //1 - Key Pair Generated [Public and Private Key]
            m_objkeypairgen = KeyPairGenerator.getInstance("RSA");
            m_objkeypair = m_objkeypairgen.generateKeyPair();
            System.out.println("Key Pair Generated....");
            //Returns Both Keys [Public and Private]
            return m_objkeypair;
        }

        /** Generating and Initialising the Self Signed Certificate (call generateKeys() first) */
        public X509Certificate generateSSCert() throws Exception {
            //Creates Instance of X509 Certificate
            m_objX509 = new X509Certificate();
            //Creating Calendar Instance
            GregorianCalendar obj_date = new GregorianCalendar();
            Name obj_issuer = new Name();
            obj_issuer.addRDN(ObjectID.country, "CountryName");
            obj_issuer.addRDN(ObjectID.organization, "CompanyName");
            obj_issuer.addRDN(ObjectID.organizationalUnit, "Deptt");
            obj_issuer.addRDN(ObjectID.commonName, "Valid CA Name");
            //Self Signed Certificate: issuer and subject are the same name
            m_objX509.setIssuerDN(obj_issuer); // Sets Issuer Info
            m_objX509.setSubjectDN(obj_issuer); // Sets Subject Info
            m_objX509.setSerialNumber(BigInteger.valueOf(0x1234L));
            m_objX509.setPublicKey(m_objkeypair.getPublic()); // Sets Public Key
            m_objX509.setValidNotBefore(obj_date.getTime()); // Sets Starting Date
            obj_date.add(Calendar.MONTH, 6); // Extending the Date [Cert Validation Period (6-Months)]
            m_objX509.setValidNotAfter(obj_date.getTime()); // Sets Ending Date [Expiration Date]
            //Signing Certificate With SHA-1 and RSA
            // JCE doesn't have that specific implementation, so that is why we need another
            // provider, e.g. BouncyCastle, IAIK, etc.
            m_objX509.sign(AlgorithmID.sha1WithRSAEncryption, m_objkeypair.getPrivate());
            System.out.println("Start Certificate....................................");
            System.out.println(m_objX509.toString());
            System.out.println("End Certificate......................................");
            //Returns Self Signed Certificate.
            return m_objX509;
        }
        //****************************************************************
    }

  • How to remove Expired Certificate in Certification Authority

    So the base certificate at a client site running Server Standard 2012 R2 expired.
    I went in and did a renewal, which created a new certificate, but the old expired cert still shows in the list and is still being handed out by the CA.
    Certificates #1 & #2 are the renewed certs, Cert #0 is expired; why did it not get replaced during the renewal process?
    How do I remove the expired certificate? The CA is still using it and handing out expired certs, and this is preventing people from connecting to the secure Corporate WiFi environment because the NAP server is now rejecting access due to an expired certificate.
    Before I renewed and changed the certificates in the NAP server to point to the new reviewed cert, I was getting this event log entry when a user tried to connect to the Secure Corporate WiFi:
    Event ID 6273, Reason Code 262, The supplied message is incomplete.  The signature was not verified.
    After I changed the certificates in the NAP server to point to the renewed certs, I get this error, still not able to connect to WiFi:
    Event ID 6273, Reason Code 265, The certificate chain was issued by an authority that is not trusted.
    How do I go about cleaning out that expired certificate in the CA? I removed it from the computer cert list using the Certificates snap-in and connecting to the local computer. I then stopped and restarted both the CA and NAP services. Still no change. I need to get the CA cleaned up and trusted again.
    Any help would be greatly appreciated.
    Curt Winter
    Microsoft Certified Professional

    Ok, the NAP server is now working properly, the expired certificates are cleaned up and we are back in working order.
    Here is a review of what I did to get the issue resolved:
    1) First thing was to remove the old SBS server entries that were causing the workstations to try and renew their certs with the old server. To do this I ran ADSIEdit and expanded CN=Configuration | CN=Services | CN=Public Key Services. I then went through every folder and every entry under Public Key Services looking for and removing or updating entries pointing to the old SBS. I then made sure Authenticated Users had read permissions on CN=Enrollment Services.
    2) Ensure the CA is an Enterprise CA: I ran certutil -cainfo to ensure it showed as Enterprise Root CA.
    3) I then went back into ADSIEdit and expanded CN=Configuration | CN=Services | Public Key Services | CN=Enrollment Services. Right click the CA in the right pane and ensure flags is set to 10.
    4) Ensure the CA is trusted: launch PKIView, right click on Enterprise PKI and select Manage AD Containers, click on the Enrollment Services tab; the status should show as OK.
    5) I then copied that certificate to a file and ran certutil -verify on the file to check for any additional errors.
    6) I then opened CertSrv.msc on the CA, right click on the name of the CA and select Properties, click on the Security tab and ensure Authenticated Users have the Request Certificates permission.
    7) I then ran certutil -deleterow 3/11/2015 Cert to remove all the certs that had expired before 3/11/2015.
    At this point the workstations started to get new certs; all the cert renewal errors in the client event logs stopped.
    8) I then went back into the NAP server and selected the correct certificate in the EAP Properties and Smart Card properties.
    9) I then updated the domain 802.11X policy, ensuring all the EAP properties had the correct certificate listed.
    At this point computers were again connecting to the Secure WiFi through the NAP server. I hope this may help someone in the future.
    Curt Winter
    Certified Microsoft Professional

  • How to edit a PDF created with Acrobat XI Pro after signatures have been applied (like I can in 7, 8.0

    I have a major issue that I need to resolve before we can purchase Acrobat XI Pro:
    Currently, with Acrobat 8.1 Pro, after all signatories sign a document, we add an Effective Date (we add it after they sign since we don't know when the last signature will be acquired and we can't have an Effective Date that is before the date of the last signatory, otherwise, it would be effective before they signed it, which is not possible). I'm also allowed the latitude (as stated in our Documentation Control procedure) to make spelling corrections, hyperlink updates and minor formatting changes (by using the typewriter tool and also by replacing a page that is NOT the signed page if the change repaginates the document or involves modifying a hyperlink that has changed).
    In all of the previous versions of Acrobat that we've used (7 Pro, 8 Pro and 8.1 Pro) , this has been easily possible and all changes would be listed under the Signatures tab, which is exactly what we want, which is traceability.
    I'm using the trial version of Acrobat XI Pro now but am getting the message "This document is signed and can not be edited." If I bring the same PDF that was created from Word 2003 & 2013 using Acrobat XI Pro into 8.1 Pro, though, I CAN add the date, use the typewriter tool and replace non-signed pages, save it and exit without clearing or losing any signatures.
    My question is this: How can I do this in Acrobat XI Pro, as XI Pro (in the Signature pane) also lists the changes made to the document when it was edited using 8.1 Pro? (It's OK that the changes made to the PDF then mark the signatures as "invalid", as the reason why they were invalidated is also listed in the Signature pane, e.g. "Form Field Added", which is usually the applied Effective Date.)
    Thanks for any help!

    Acrobat versions prior to 9 had a bug which allowed you to do what you did. In Acrobat 9 this bug was fixed. In order to do what you want you need to certify (apply special certification digital signature with your certificate -- it is "Certify (Visible/Invisible)" choice in the "Work with Certificates") your document first. In the process of certification you can specify which modification permissions you allow the users of your document to make after signing. Certification signature must be the first signature in the document.

  • Accounts being created with administrative group rights

    Hello,
    The server is a Windows 2003 R2 Enterprise fully patched used for Shared Hosting purposes.  It runs Hsphere control panel.  I am trying to identify how the following hack is happening. 
    1) There are users being created with Administrative group rights.   Below is the EventViewer log for the user creation:
    User Account Created:
         New Account Name:    username
         New Domain:    PCNAME
         New Account ID:    PCNAME\username
         Caller User Name:    PCNAME$
         Caller Domain:    DOMAINNAME
         Caller Logon ID:    (0x0,0x3E7)
         Privileges        -
     Attributes:
         Sam Account Name:    username
         Display Name:    <value not set>
         User Principal Name:    -
         Home Directory:    <value not set>
         Home Drive:    <value not set>
         Script Path:    <value not set>
         Profile Path:    <value not set>
         User Workstations:    <value not set>
         Password Last Set:    <never>
         Account Expires:    <never>
         Primary Group ID:    513
         AllowedToDelegateTo:    -
         Old UAC Value:    0x2DAB2B0
         New UAC Value:    0x2DAB2B0
         User Account Control:    -
         User Parameters:    <value not set>
         Sid History:    -
         Logon Hours:    <value changed, but not displayed>
    There exist entries as well where the primary group ID is changed to the Administrative group, but I am omitting those.
    2) I tried to identify what Caller Logon ID:    (0x0,0x3E7) means.  I found out from here: http://blog.joeware.net/2013/01/14/2667/ that I can use LogonSessions.exe to identify it.
    Output from LogonSessions.exe is pasted below (snippet):
    [0] Logon session 00000000:000003e7:
        User name:    DOMAINNAME\PCNAME$
        Auth package: NTLM
        Logon type:   (none)
        Session:      0
        Sid:          S-1-5-18
        Logon time:   9/11/2014 12:41:53 PM
        Logon server:
        DNS Domain:   
        UPN:          
            4: System
          316: smss.exe
          364: csrss.exe
          392: winlogon.exe
          440: services.exe
          452: lsass.exe
          628: svchost.exe
          756: LMAgent.exe
          840: svchost.exe
         1000: spoolsv.exe
         1252: avagent.exe
         1268: camWMIAgent.exe
         1324: cissesrv.exe
         1380: cpqrcmc.exe
         1404: vcagent.exe
         1440: svchost.exe
         1480: HsQuotas.exe
         1740: inetinfo.exe
         1780: EmailAgent.exe
         1856: snmp.exe
         1884: sysdown.exe
         1920: smhstart.exe
         2192: svchost.exe
         2388: cmd.exe
         2396: hpsmhd.exe
         2444: cqmgserv.exe
         2464: cqmgstor.exe
         2484: HSphere.exe
         2596: wmiprvse.exe
         2676: cmd.exe
         2684: rotatelogs.exe
         2692: cmd.exe
         2700: rotatelogs.exe
         2732: searchindexer.exe
         2812: hpsmhd.exe
         2824: cqmghost.exe
         2852: svchost.exe
         3044: cmd.exe
         3052: rotatelogs.exe
         3080: cmd.exe
         3088: rotatelogs.exe
         5452: svchost.exe
         5596: GravitixService.exe
         7392: csrss.exe
         7232: winlogon.exe
         6888: csrss.exe
         9832: winlogon.exe
        10388: wawrapper.exe
        10352: cpqnimgt.exe
         9496: msiexec.exe
         6068: w3wp.exe
         4748: webalizer.exe
    3) I also learned from http://support.microsoft.com/kb/243330/en-us that   Sid:          S-1-5-18 means:
    SID: S-1-5-18
    Name: Local System
    Description: A service account that is used by the operating system
    That is all great info, but I am not sure I can put together what I have learned to attempt and get closer towards identifying how in the world users are being created and then being assigned administrative group rights.
    I am a Linux person mostly, but I am comfortable following a properly explained thread regarding windows 2003 R2 Enterprise issues.
    The server is fully patched and it is running Lumension security product.  What's more, Norman Malware tracker, tdskiller.exe (Kaspersky) and McAfee rootkitremover.exe have been run without any apparent Malware/Virus infection
    Hope someone with advanced admin skills can advise.
    Thank you

    Hi,
    You mentioned that "I am trying to identify how the following hack is happening"; would you please tell us why you think the event represents hacking behavior?
    In a Shared Server Hosting environment, the underlying hosting control panel tool (Hsphere in this case) should be creating only virtual FTP users with a specific group. So no users with the Administrative group should ever be created. If this happens, it constitutes a breach of server security, i.e. a positive hacking attempt.
    >how in the world users are being created and then being assigned administrative group rights.
    In addition, would you please be more specific about this question? Did you find the event message on a domain joined machine?
    I want to be able to understand in full how/what process is allowing users to be created with Admin rights. In other words, I want to know what IP was used to issue the command, if ASP.net was used (abused in this case), or anything else related to it so that we can patch this particular hole.
    Best Regards,
    Amy

  • Java Webstart application problem with TLS certificate revocation checks (Java 1.7.0_76)

    We have a problem with our Java Web Start Application regarding the TLS certificate revocation check:
    The application is running on a server within a wide area network which is separated from the internet.
    The application users have access to the WAN, and also access to the internet over some corporate proxy/firewall.
    The user has to enter, for example "https://my-site.de/myapp/ma.jnlp" within a webbrowser or could also call  "javaws https://my-site.de/myapp/ma.jnlp" to start the application client.
    The webserver has a certificate from a trusted certificate authority. This certificate seems to be ok, the browser is even configured to perform OCSP status check.
    The application files are signed with a certificate from another trusted certificate authority. This certificate seems also to be ok. Regarding this certificate there
    are no problems with certificate revocation checks.
    The problem is, while starting the application client there is a message box which tells us something like "the connection to this website is not trustworthy", "Website: https://my-site.de:80", and something about an invalid certificate, meaning the webserver certificate.
    Obviously the JVM runtime, which is executed on the user's workstation, tries to perform a revocation check for the webserver's certificate, but this fails because it cannot fetch the certificate under https://my-site.de:80.
    The application will execute without further problems after that message but the users are very concerned about the "invalid" certificate, so here are my questions:
    - Why is the application trying to get the webserver certificate over port 80? Our application developers told me there is no corresponding statement. Calling this address has to fail, while "https://my-site.de:443" or "https://my-site.de" would not have a problem.
    - Is there a way to make the application go on without performing a TLS revocation check? I mean, by adjusting the application source code and not by configuring the user's Java Control Panel. While disabling the TLS Certificate Revocation check in the Java Control Panel, the Webstart application executes without a warning message, but this is not a workable solution for our users.
    It would be great if someone can help me with a hint so I can send our developers in the right direction ;-)
    Many thanks!
    This is a part from a java console output after calling "javaws -verbose https://my-site.de/myapp/"
    (sorry, this is in German... and also for my English above)
    network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    security: OCSP Response: GOOD
    network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    security: UNAUTHORIZED
    security: Failing over to CRLs: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
    network: Cacheeintrag gefunden [URL: http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl, Version: null] prevalidated=false/0
    cache: Adding MemoryCache entry: http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl
    cache: Resource http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl has expired.
    network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    network: ResponseCode für http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: 200
    network: Codierung für http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: null
    network: Verbindung mit http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl trennen
    CacheEntry[http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl]: updateAvailable=true,lastModified=Tue Mar 24 10:50:01 CET 2015,length=53241
    network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird
    network: Verbindung von socket://ldap.serverpass.telesec.de:389 mit Proxy=DIRECT wird hergestellt
    security: Revocation Status Unknown
    com.sun.deploy.security.RevocationChecker$StatusUnknownException: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
        at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
        at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.checkRevocationStatus(Unknown Source)
        at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
        at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
        at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
        at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
        at com.sun.deploy.model.ResourceProvider.getResource(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory._buildDescriptor(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
        at com.sun.javaws.Main.launchApp(Unknown Source)
        at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
        at com.sun.javaws.Main.access$000(Unknown Source)
        at com.sun.javaws.Main$1.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
        Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
            at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
            ... 35 more
    Caused by: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        ... 36 more
    security: Ungültiges Zertifikat vom HTTPS-Server
    network: Cacheeintrag nicht gefunden [URL: https://my-site.de:80, Version: null]
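
    As an added example (not code from the post, and not Java Webstart's own deploy trust manager), this is how application code on Java 8 or later can keep OCSP and CRL checking but treat an undeterminable revocation status, like the OCSP UNAUTHORIZED response followed by the CRL failover in the trace above, as a soft failure instead of a fatal handshake error. The class name, the cacerts path and the URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper (not part of the original post): revocation checking that
// soft-fails only when the status cannot be determined, never on a positive REVOKED.
public class SoftFailRevocation {
    public static SSLContext build(KeyStore trustStore) throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // SOFT_FAIL: unreachable responder, OCSP UNAUTHORIZED/tryLater or a stale CRL
        // no longer abort the handshake; OCSP and CRL lookups are still performed.
        rc.setOptions(EnumSet.of(Option.SOFT_FAIL));

        // An added PKIXRevocationChecker replaces the validator's default revocation
        // mechanism, so the plain setRevocationEnabled() flag is not needed here.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.addCertPathChecker(rc);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Use the JRE's bundled cacerts as the trust anchors (default password "changeit").
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(
                System.getProperty("java.home") + "/lib/security/cacerts")) {
            trustStore.load(in, "changeit".toCharArray());
        }
        HttpsURLConnection conn = (HttpsURLConnection)
                new URL("https://my-site.de/myapp/").openConnection(); // host from the post
        conn.setSSLSocketFactory(build(trustStore).getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

    The stack trace above shows the check being made by javaws itself (com.sun.deploy.security.X509Extended7DeployTrustManager) while it fetches the JNLP descriptor, before any application code runs, so a setting like this only affects HTTPS connections the application opens on its own.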

    Add the JSF jars to the WEB-INF/lib directory of the application. If you are still getting the error, add them to the CLASSPATH variable in the startWebLogic script in the domain/bin directory.
