- Bug
- Resolution: Duplicate
- P4
- None
- 8u5
- x86
- windows_7
FULL PRODUCT VERSION :
Java Plug-in 11.5.2.13
Using JRE version 1.8.0_05-b13 Java HotSpot(TM) Client VM
EXTRA RELEVANT SYSTEM CONFIGURATION :
Windows OS, SQUID proxy with username / password authentication. NTLM is supported.
A DESCRIPTION OF THE PROBLEM :
Neither OCSP- nor CRL-based code signing certificate revocation checks are working behind an authenticated proxy.
THE PROBLEM WAS REPRODUCIBLE WITH -Xint FLAG: Did not try
THE PROBLEM WAS REPRODUCIBLE WITH -server FLAG: Did not try
REGRESSION. Last worked in version 8u5
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
- Ensure that either signer revocation check or full certificate revocation check is active in JCP advanced settings
- Applet is signed with a valid signer certificate (issued by Comodo)
- CA is trusted
- Workstation is protected by a proxy which requires authentication
- Applet loads with security prompt: "unable to ensure the certificate used to identify this application has not been revoked"
EXPECTED VERSUS ACTUAL BEHAVIOR :
- proxy authentication window is presented OR
- browser proxy authentication is used OR
- Java proxy authentication presets and saved data are used
ERROR MESSAGES/STACK TRACES THAT OCCUR :
network: Connecting http://ocsp.comodoca.com/ with proxy=HTTP @ foo.com/10.232.118.138:3128
security: Failing over to CRLs: java.io.IOException: Server returned HTTP response code: 407 for URL: http://ocsp.comodoca.com
network: Cache entry not found [url: http://crl.comodoca.com/COMODOCodeSigningCA2.crl, version: null]
network: Connecting http://crl.comodoca.com/COMODOCodeSigningCA2.crl with proxy=HTTP @ foo.com/10.232.118.138:3128
ui: missing resource: java.util.MissingResourceException: Can't find resource for bundle com.sun.deploy.resources.Deployment, key Revocation Status Unknown
security: Revocation Status Unknown
com.sun.deploy.security.RevocationChecker$StatusUnknownException: java.io.IOException: Server returned HTTP response code: 407 for URL: http://ocsp.comodoca.com
at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Domain policy restricts users from overriding default Java security settings. Applet is not usable despite buying a legitimate code signing certificate.
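Added example, not part of the original report or of the JDK code: a Python triage helper that reads deployment trace lines in the format shown above and reports which revocation endpoints (OCSP or CRL) the proxy refused with HTTP 407, so an "unknown" revocation status can be traced to proxy authentication rather than to the certificate. The function name `triage` and the verdict strings are assumptions; the sample lines are copied from the trace in this report.

```python
import re
from urllib.parse import urlsplit

# Sample input: trace lines copied from the report above.
SAMPLE_TRACE = """\
network: Connecting http://ocsp.comodoca.com/ with proxy=HTTP @ foo.com/10.232.118.138:3128
security: Failing over to CRLs: java.io.IOException: Server returned HTTP response code: 407 for URL: http://ocsp.comodoca.com
network: Cache entry not found [url: http://crl.comodoca.com/COMODOCodeSigningCA2.crl, version: null]
network: Connecting http://crl.comodoca.com/COMODOCodeSigningCA2.crl with proxy=HTTP @ foo.com/10.232.118.138:3128
security: Revocation Status Unknown
"""

CONNECT = re.compile(r"^network: Connecting (\S+) with proxy=(\S+) @ (\S+)")
HTTP_ERR = re.compile(r"Server returned HTTP response code: (\d{3}) for URL: (\S+)")
UNKNOWN = "security: Revocation Status Unknown"


def triage(trace):
    """Summarise revocation fetches seen in a Java deployment trace (hypothetical helper)."""
    endpoints = {}  # responder host -> {"proxy": address, "http_error": code or None}
    unknown = False
    for raw in trace.splitlines():
        line = raw.strip()
        m = CONNECT.match(line)
        if m:
            # Key by host: the trace logs the same responder with and without a trailing slash.
            host = urlsplit(m.group(1)).hostname
            endpoints.setdefault(host, {"proxy": m.group(3), "http_error": None})
            continue
        m = HTTP_ERR.search(line)
        if m:
            host = urlsplit(m.group(2)).hostname
            entry = endpoints.setdefault(host, {"proxy": None, "http_error": None})
            entry["http_error"] = int(m.group(1))
        if line == UNKNOWN:
            unknown = True
    blocked = sorted(h for h, e in endpoints.items() if e["http_error"] == 407)
    if unknown and blocked:
        verdict = "unverified: proxy authentication required"
    elif unknown:
        verdict = "unverified: other cause"
    else:
        verdict = "no unknown-status event"
    return {"endpoints": endpoints, "blocked_by_proxy_auth": blocked, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```

For the trace in this report, only the OCSP responder is listed as blocked, because the trace logs no HTTP status for the CRL download before the unknown-status event.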
- duplicates: JDK-8061648 JavaWS fails with proxy autoconfig due to missing "dnsResolve" (Closed)