- Bug
- Resolution: Cannot Reproduce
- P3
- None
- 7u51
- x86
- windows_7
FULL PRODUCT VERSION :
A DESCRIPTION OF THE PROBLEM :
In JRE 6u45, whenever the PKI certificate does not provide a full URL path for the CRL Distribution Point (CDP), the JRE will use the value of the property key "deployment.security.validation.crl.url" provided inside deployment.properties to perform CRL checking for signed applets.
However, the behavior of CRL checking is revamped in 7u45, 7u50. This property key is ignored and the certificate must contain the full URL path to the CRL in the CDP. It has a severe impact on our business operation. The default security setting has to be reduced to allow business as usual. My suggestion is to keep the property key as a fallback option in case the certificate does not contain a URL in the CDP.
If you refer to RFC 5280, the CDP can contain a full URL or a directory address. In the case of using a directory address, the application which uses this certificate must know how to get the CRL. In this case, the JRE must keep the property key that allows us to specify where to get the CRL.
For your info, this property key is still documented here:
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/jcp/properties.html
REGRESSION. Last worked in version 6u45
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
-- Currently, the only option is to disable CRL checking. However, this is not the best solution.
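Added example (not JRE code and not part of the original report): the RFC 5280 distinction the report relies on, reading the contents of a CRLDistributionPoints extension value and using a configured URL only when the certificate carries no URI. The fallback step models the behavior the report describes for 6u45; the function names, the sample extension bytes and the `crl.example.test` URLs are constructed for illustration.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def cdp_names(ext_value):
    """List (kind, raw_bytes) for each name found in the distribution points."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    kinds = {0x86: "uri", 0xA4: "directoryName"}   # GeneralName [6] and [4]
    names = []
    for _, dp in children(seq):                     # each DistributionPoint
        for field_tag, field in children(dp):
            if field_tag != 0xA0:                   # skip reasons [1], cRLIssuer [2]
                continue
            for choice_tag, choice in children(field):
                if choice_tag == 0xA0:              # fullName: GeneralNames
                    names += [(kinds.get(t, "other"), v) for t, v in children(choice)]
                else:                               # nameRelativeToCRLIssuer [1]
                    names.append(("relative", choice))
    return names

def crl_location(ext_value, fallback_url=None):
    """Prefer a URI from the certificate; otherwise use the configured fallback."""
    uris = [raw.decode("ascii") for kind, raw in cdp_names(ext_value) if kind == "uri"]
    if uris:
        return uris[0], "certificate"
    return (fallback_url, "fallback") if fallback_url else (None, "unresolvable")

def der(tag, *parts):                     # builds the constructed samples; lengths < 128
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body
# Constructed samples: a directoryName-only CDP and a URI CDP.
CN = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03"), der(0x0C, b"Example CA"))))
DIR_CDP = der(0x30, der(0x30, der(0xA0, der(0xA0, der(0xA4, CN)))))
URI_CDP = der(0x30, der(0x30, der(0xA0, der(0xA0, der(0x86, b"http://crl.example.test/ca.crl")))))
```

Running `cdp_names` over a certificate inventory before a JRE upgrade shows which certificates carry only a directoryName and would therefore have no CRL location without a fallback.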