FULL PRODUCT VERSION :
java version "1.8.0_25"
Java(TM) SE Runtime Environment (build 1.8.0_25-b18)
Java HotSpot(TM) Client VM (build 25.25-b02, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]

EXTRA RELEVANT SYSTEM CONFIGURATION :
JLNP is hosted by Windows Server 2008 R2

A DESCRIPTION OF THE PROBLEM :
Java 8u25 Web Start (ver: 11.25.2.18) is failing to download the JNLP file when it is hosted by IIS 7.5 on Windows Server 2008 R2 using SSL with client certificates set to ACCEPT or REQUIRE.

This causes the JWS application to not launch and error out. Disabling TLS 1.1 and 1.2 on the client from Java Control Panel will allow it to work as expected.

With TLS 1.1 or 1.2 enabled however it is causing an error in SChannel on the server:
== The following fatal alert was generated: 20. The internal error state is 960. ==

Note: The server in this case is not configured for TLS 1.1 or TLS 1.2.

Supported versions: SSLv2 SSLv3 TLSv1.0
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  SSLv2
     RC4_128_WITH_MD5
     DES_192_EDE3_CBC_WITH_MD5
  SSLv3
     RSA_WITH_RC4_128_MD5
     RSA_WITH_RC4_128_SHA
     RSA_WITH_3DES_EDE_CBC_SHA
  TLSv1.0
     RSA_WITH_RC4_128_MD5
     RSA_WITH_RC4_128_SHA
     RSA_WITH_3DES_EDE_CBC_SHA
     RSA_WITH_AES_128_CBC_SHA
     RSA_WITH_AES_256_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

REGRESSION. Last worked in version 7u67

ADDITIONAL REGRESSION INFORMATION:
java version "1.7.0_67"
Java(TM) SE Runtime Environment (build 1.7.0_67-b01)
Java HotSpot(TM) Client VM (build 24.65-b04, mixed mode, sharing)
Java Web Start 10.67.2.01


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) With a JNLP hosted on IIS 7.5 Windows Server 2008 R2, configured to use SSL with client certificates set to ACCEPT or REQUIRE.
2) Execute: javaws -verbose https://<JNLP LOC>

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
JWS Application Launches
ACTUAL -
JWS Errors out.



ERROR MESSAGES/STACK TRACES THAT OCCUR :
I have seen this produce a few different exceptions in various cases.

======================= Common Exception ============================
Java Console:

Java Web Start 11.25.2.18
Using JRE version 1.8.0_25-b18 Java HotSpot(TM) Client VM
....
basic: Java part started
basic: jnlpx.jvm: C:\Program Files (x86)\Java\jre1.8.0_25\bin\javaw.exe
basic: jnlpx.splashport: 49998
basic: jnlpx.remove: false
basic: jnlpx.heapsize: null
network: Loading user-defined proxy configuration ...
network: Done.
network: Browser is IE.HTTP
network: Browser is IE
network: Loading proxy configuration from Internet Explorer ...
network: Done.
network: Loading direct proxy configuration ...
network: Done.
network: Proxy Configuration: No proxy
basic: Using Cp1252 to encode arguments.
basic: Running JVMParams: [JVMParameters: isSecure: true, args: "-Xmx64m"]
-> [JVMParameters: isSecure: true, args:]
network: Created version ID: 1.5.0.22
network: Created version ID: 1.5
basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre1.5.0_22]
basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre1.5.0_22]
basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre1.5.0_22]
basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre1.5.0_22]
network: Created version ID: 1.6.0.30
network: Created version ID: 1.6
basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre6]
basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre6]
basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre6]
basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre6]
network: Created version ID: 1.7.0.17
network: Created version ID: 1.7
basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre7.0.17]
network: Created version ID: 2.2.7
network: Created version ID: 1.7.0.67
network: Created version ID: 1.7
basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre7]
network: Created version ID: 2.2.67
network: Created version ID: 1.8.0.25
network: Created version ID: 1.8
network: Created version ID: 8.0.25
network: Created version ID: 1.8.0.25
network: Created version ID: 1.8
network: Created version ID: 8.0.25
network: Created version ID: 1.8.0.25
network: Created version ID: 1.8
basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre1.8.0_25\bin\javaw.exe]
basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre1.8.0_25\bin\javaw.exe]
network: Created version ID: 8.0.25
network: Created version ID: 1.8.0.25
network: Created version ID: 1.8
network: Created version ID: 8.0.25
network: Cache entry found [url: https://<JNLP LOC>, version: null] prevalidated=false/0
cache: Adding MemoryCache entry: https://<JNLP LOC>
cache: registerReference: com.sun.deploy.cache.MemoryCache$CachedResourceReference@f832bb3: 1
temp: new XMLParser with source:
temp:
<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.5+" codebase="https://&lt;JNLP BASE DIR>" href="<JNLP>">
  <information>
    <title>XXXX</title>
    <vendor>XXXX</vendor>
    <homepage href="http://www.XXXX.com"/>
    <icon href="Splash.jpg" kind="splash"/>
    <description/>
  </information>
  <resources>
    <j2se version="1.5+" href="http://java.sun.com/products/autodl/j2se" / max-heap-size="256m"/>
    <jar href="<JAR>.jar"/>
  </resources>
  <application-desc main-class="XXXX">
    <argument>XXXX</argument>
    <argument>13999</argument>
    <argument>1234</argument>
    <argument>0</argument>
  </application-desc>
  <security>
    <all-permissions/>
  </security>
</jnlp>

temp:

returning ROOT as follows:
<jnlp spec="1.5+" codebase="https://&lt;JNLP BASE DIR>" href="<JNLP>">
  <information>
    <title>XXXX</title>
    <vendor>XXXX</vendor>
    <homepage href="http://www.XXXX.com"/>
    <icon href="Splash.jpg" kind="splash"/>
    <description/>
  </information>
  <resources>
    <j2se version="1.5+" href="http://java.sun.com/products/autodl/j2se" / max-heap-size="256m"/>
    <jar href="<JAR>.jar"/>
  </resources>
  <application-desc main-class="XXXX">
    <argument>XXXX</argument>
    <argument>13999</argument>
    <argument>1234</argument>
    <argument>0</argument>
  </application-desc>
  <security>
    <all-permissions/>
  </security>
</jnlp>
network: Created version ID: 1.8.0.25
network: Created version ID: 1.5+
temp: returning LaunchDesc from XMLFormat.parse():

<jnlp spec="1.5+" codebase="https://&lt;JNLP BASE DIR>" href="https://&lt;JNLP LOC>">
  <information>
    <title>XXXX</title>
    <vendor>XXXX</vendor>
    <homepage href="http://XXXX"/>
    <icon href="https://&lt;SERVER&gt;/Splash.jpg" kind="splash"/>
  </information>
  <security>
    <all-permissions/>
  </security>
  <update check="timeout" policy="always"/>
  <resources>
    <java href="http://java.sun.com/products/autodl/j2se" version="1.5+"/>
    <jar href="https://&lt;JAR&gt;.jar" download="eager" main="false"/>
  </resources>
  <application-desc main-class="xxxx">
    <argument>xxxx</argument>
    <argument>13999</argument>
    <argument>1234</argument>
    <argument>0</argument>
  </application-desc>
</jnlp>
network: prepareToLaunch: offlineOnly=false
network: Cache entry found [url: https://&lt;JNLP LOC>, version: null] prevalidated=false/0
cache: Adding MemoryCache entry: https://&lt;JNLP LOC>
cache: registerReference: com.sun.deploy.cache.MemoryCache$CachedResourceReference@8848afda: 1
cache: registerReference: com.sun.deploy.cache.MemoryCache$CachedResourceReference@8848afda: 2
cache: Resource https://&lt;JNLP LOC> has expired.
network: Connecting https://&lt;JNLP LOC> with proxy=DIRECT
network: Connecting socket://&lt;server&gt;:443 with proxy=DIRECT
security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre1.8.0_25\lib\security\cacerts
security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre1.8.0_25\lib\security\cacerts
security: Obtain certificate collection in SSL Root CA certificate store
security: Obtain certificate collection in SSL Root CA certificate store
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
security: Loading certificates from Internet Explorer DISALLOWED certificate store
security: Loaded certificates from Internet Explorer DISALLOWED certificate store
security: Loaded blacklisted.certs file: C:\Users\xxxx\AppData\LocalLow\Sun\Java\Deployment\security\blacklisted.certs
security: SHA-256Certificate finger print: ED2AD4BC25ACC565E6EA0D76A3EB2426E005D6A1A694430E8AA8CA3644C730CD
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: 21EB37AB4CF6EF8965EC1766409CA76B8B2E03F2D1A388DF734208E86DEEE679
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: Checking if SSL certificate is in Deployment permanent certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
security: Saving certificates in Deployment session certificate store
security: Saved certificates in Deployment session certificate store
network: Connecting https://&lt;JNLP LOC> with cookie "__utma=267056913.859301560.1365445621.1408740486.1409251518.7; __utmz=267056913.1390590352.2.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=3e25f76-147c5868802-41e8b235-16; "
security: Obtain certificate collection in SSL Root CA certificate store
security: Obtain certificate collection in SSL Root CA certificate store
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: SHA-256Certificate finger print: ED2AD4BC25ACC565E6EA0D76A3EB2426E005D6A1A694430E8AA8CA3644C730CD
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: 21EB37AB4CF6EF8965EC1766409CA76B8B2E03F2D1A388DF734208E86DEEE679
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
network: Connecting socket://127.0.0.1:49998 with proxy=DIRECT
network: Connecting socket://qalab-iis7.noblesys.com:443 with proxy=DIRECT
security: Obtain certificate collection in SSL Root CA certificate store
security: Obtain certificate collection in SSL Root CA certificate store
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: SHA-256Certificate finger print: ED2AD4BC25ACC565E6EA0D76A3EB2426E005D6A1A694430E8AA8CA3644C730CD
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: 21EB37AB4CF6EF8965EC1766409CA76B8B2E03F2D1A388DF734208E86DEEE679
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: Obtain certificate collection in SSL Root CA certificate store
security: Obtain certificate collection in SSL Root CA certificate store
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: SHA-256Certificate finger print: ED2AD4BC25ACC565E6EA0D76A3EB2426E005D6A1A694430E8AA8CA3644C730CD
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: 21EB37AB4CF6EF8965EC1766409CA76B8B2E03F2D1A388DF734208E86DEEE679
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
#### Java Web Start Error:
#### Connection reset


java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(Unknown Source)
at java.net.SocketInputStream.read(Unknown Source)
at sun.security.ssl.InputRecord.readFully(Unknown Source)
at sun.security.ssl.InputRecord.read(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
at sun.security.ssl.AppInputStream.read(Unknown Source)
at java.io.BufferedInputStream.fill(Unknown Source)
at java.io.BufferedInputStream.read1(Unknown Source)
at java.io.BufferedInputStream.read(Unknown Source)
at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)
at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.access$200(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.AccessController.doPrivileged(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

======================= Variant Exception ==================================
com.sun.deploy.net.FailedDownloadException: Unable to load resource: https://&lt;JNLP LOCATION> [^]
                at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
                at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
                at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
                at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
                at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
                at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
                at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
                at com.sun.javaws.Launcher.launch(Unknown Source)
                at com.sun.javaws.Main.launchApp(Unknown Source)
                at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
                at com.sun.javaws.Main.access$000(Unknown Source)
                at com.sun.javaws.Main$1.run(Unknown Source)
                at java.lang.Thread.run(Unknown Source)
java.net.SocketException: Connection reset
                at java.net.SocketInputStream.read(Unknown Source)
                at java.net.SocketInputStream.read(Unknown Source)
                at sun.security.ssl.InputRecord.readFully(Unknown Source)
                at sun.security.ssl.InputRecord.read(Unknown Source)
                at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
                at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
                at sun.security.ssl.AppInputStream.read(Unknown Source)
                at java.io.BufferedInputStream.fill(Unknown Source)
                at java.io.BufferedInputStream.read1(Unknown Source)
                at java.io.BufferedInputStream.read(Unknown Source)
                at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)
                at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
                at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
                at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
                at sun.net.www.protocol.http.HttpURLConnection.access$200(Unknown Source)
                at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
                at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
                at java.security.AccessController.doPrivileged(Native Method)
                at java.security.AccessController.doPrivileged(Unknown Source)
                at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
                at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
                at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
                at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
                at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
                at com.sun.deploy.net.BasicHttpRequest.doGetRequest(Unknown Source)
                at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
                at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
                at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
                at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
                at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
                at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
                at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
                at com.sun.javaws.Launcher.launch(Unknown Source)
                at com.sun.javaws.Main.launchApp(Unknown Source)
                at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
                at com.sun.javaws.Main.access$000(Unknown Source)
                at com.sun.javaws.Main$1.run(Unknown Source)
                at java.lang.Thread.run(Unknown Source)

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
1) Disable use of client certificates in IIS (set to IGNORE).

OR

2) Disable TLS 1.1 and 1.2 from the Java Control Panel on the Client.