JDK-8029588: Certificate validation error due to OCSP/CRL check enabled

      INDICATORS:

      We use a bought certificate in our product, and want to upgrade the JRE from
      1.6.0_20 to 1.7.0_25. Now an issue is found when trying to launch our applet
      from a web page. Please refer to the error message below:
      when selecting "All certificates in the chain of trust" in "Perform certificate
      revocation checks on" of the Java Control Panel. The certificate was bought in
      the past; it does not include an OCSP responder, and some customer sites have no web
      access. So even if this responder were specified, we would not want to check this.

      security: Obtain certificate collection in Root CA certificate store
      security: The certificate has expired, need to check timestamping info
      security: No timestamping info available
      security: The OCSP support is enabled
      security: The CRL support is enabled
      security: Failing over to CRLs: Certificate does not specify OCSP responder

      When selecting "Publisher's certificate only" in "Perform certificate revocation
      checks on" of the Java Control Panel, the error message is as follows. For us,
      customer sites cannot access the internet in some situations, so access to the web
      for the revocation check is not acceptable.

      security: The OCSP support is enabled
      security: The CRL support is enabled
      security: Skipping revocation check, not publisher cert
      security: Skipping revocation check, not publisher cert
      network: Connecting http://ocsp.thawte.com/ with proxy=DIRECT
      network: Connecting socket://ocsp.thawte.com:80 with proxy=DIRECT
      security: Failing over to CRLs: java.net.SocketTimeoutException: connect timed out

      Only when selecting "Do not check (not recommended)" does the certificate revocation
      check pass and the product function work well.

      security: The OCSP support is disabled
      security: The CRL support is disabled
      security: Revocation check disabled


      The customer's security setting in the Java Control Panel is Medium.

      To reproduce this, we need:

      - one CA certificate without an OCSP responder specified
      - no network access available

      and then call some sample program to reproduce it.

      security: The OCSP support is enabled
      security: The CRL support is enabled
      security: Failing over to CRLs: Certificate does not specify OCSP responder
      network: Cache entry not found [url: http://crl.thawte.com/ThawtePremiumServerCA.crl, version: null]
      network: Connecting http://crl.thawte.com/ThawtePremiumServerCA.crl with proxy=DIRECT
      network: Connecting socket://crl.thawte.com:80 with proxy=DIRECT
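      As an added illustration (not part of this bug report or of the JDK), the check below reads a certificate's AuthorityInfoAccess and CRLDistributionPoints extension values offline and reports which endpoint a client that tries OCSP first and then fails over to CRLs, the order the trace above shows, would have to reach before deployment. The sample extension bytes are constructed here, reusing the hosts from the trace; a real certificate's extension values would come from an X.509 parser, and the OCSP-then-CRL order is a simplified model of the plugin's logic.

```python
# Offline pre-flight check (stdlib only): which revocation endpoints does a certificate name,
# and which will a client that tries OCSP first and then fails over to CRLs need to reach?
OID_OCSP = bytes.fromhex("2b06010505073001")          # id-ad-ocsp, 1.3.6.1.5.5.7.48.1
TAG_SEQ, TAG_OID, TAG_CTX0, TAG_URI = 0x30, 0x06, 0xA0, 0x86   # DER tags used below

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):                                    # (tag, content) of each TLV in a constructed value
    pos = 0
    while pos < len(buf):
        tag, content, pos = _read_tlv(buf, pos)
        yield tag, content

def ocsp_responders(aia):                              # AuthorityInfoAccess ::= SEQUENCE OF AccessDescription
    urls = []
    for _, desc in _children(_read_tlv(aia, 0)[1]):    # AccessDescription { method OID, location GeneralName }
        (mtag, method), (ltag, loc) = list(_children(desc))[:2]
        if mtag == TAG_OID and method == OID_OCSP and ltag == TAG_URI:
            urls.append(loc.decode("ascii"))
    return urls

def crl_distribution_points(crldp):                    # CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
    urls = []
    for _, dp in _children(_read_tlv(crldp, 0)[1]):
        for dpn in (v for t, v in _children(dp) if t == TAG_CTX0):   # distributionPoint [0] only
            for tag, names in _children(dpn):
                if tag == TAG_CTX0:                    # fullName [0] IMPLICIT GeneralNames
                    urls += [n.decode("ascii") for t, n in _children(names) if t == TAG_URI]
    return urls

def revocation_plan(aia, crldp):                       # pass None for an extension the certificate lacks
    ocsp = ocsp_responders(aia) if aia else []
    crls = crl_distribution_points(crldp) if crldp else []
    if ocsp:
        return "ocsp", ocsp
    # "Failing over to CRLs: Certificate does not specify OCSP responder"; else nothing to fetch
    return ("crl", crls) if crls else ("none", [])

def _tlv(tag, content):                                # tiny DER encoder for the samples (< 128 bytes)
    return bytes([tag, len(content)]) + content
# Constructed sample extensions reusing the hosts from the log above; not real certificate data.
SAMPLE_AIA = _tlv(TAG_SEQ, _tlv(TAG_SEQ, _tlv(TAG_OID, OID_OCSP) + _tlv(TAG_URI, b"http://ocsp.thawte.com/")))
SAMPLE_CRLDP = _tlv(TAG_SEQ, _tlv(TAG_SEQ, _tlv(TAG_CTX0, _tlv(TAG_CTX0,
               _tlv(TAG_URI, b"http://crl.thawte.com/ThawtePremiumServerCA.crl")))))
```

      A certificate whose plan is "crl" or "none" is the reporter's case: with no OCSP responder named, the client goes straight to the CRL URL, which is unreachable at an offline site.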


      COUNTER INDICATORS:
      TRIGGERS:
      KNOWN WORKAROUND:
      PRESENT SINCE: issue to be seen on upgrade from 1.6.0_20 to 1.7.0_25
      HOW TO VERIFY:
      NOTES FOR SE:
      REGRESSION:
       

            mcherkas Mikhail Cherkasov (Inactive)
            asaha Abhijit Saha