I'm trying to run a Java JNLP-based application. It works fine from home: javac+javaws are the same v.1.8.?

Now I'm trying to run my application at work. I'm working behind a proxy and I used the Control Panel to tell Java to bypass the proxy for our local server hosting the JNLP. On the server side, the application is compiled with

javac 1.7.0_60

On the client side, I'm trying to run it with:

$ javaws -version
Java(TM) Web Start 11.40.2.26-fcs 

$ java -version
java version "1.8.0_40"

Nevertheless, I get the following exception in javaws

javax.net.ssl.SSLHandshakeException: com.sun.deploy.security.RevocationChecker$StatusUnknownException
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
    at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:90)
    at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1432)
    at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1430)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.AccessController.doPrivileged(AccessController.java:713)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1429)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
    at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
    at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
    at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
    at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
    at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
    at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
    at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
    at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
    at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
    at com.sun.javaws.Launcher.launch(Unknown Source)
    at com.sun.javaws.Main.launchApp(Unknown Source)
    at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
    at com.sun.javaws.Main.access$000(Unknown Source)
    at com.sun.javaws.Main$1.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:745)
Caused by: com.sun.deploy.security.RevocationChecker$StatusUnknownException
    at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
    at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
    at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
    at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
    at com.sun.deploy.security.RevocationCheckHelper.checkRevocationStatus(Unknown Source)
    at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
    at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
    at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
    ... 33 more

I read https://community.oracle.com/thread/3651870?start=15&tstart=0 but I don't really understand what I should do.

For example, I've commented out <>/lib/security/java.security

#jdk.tls.disabledAlgorithms=SSLv3

but that still doesn't work. As I see a 'getInputStream' in the stacktrace, I wonder if javaws tries to download something outside the proxy?

Any idea?

EDIT: the JNLP works if, in the Control Panel, I check

  • Perform signed code: do not check (not recommended)
  • Perform TLS certificate revocation: do not check (not recommended)

Is this problem linked to my proxy server?

1 Answer

Java certificate revocation checking uses one or both of these methods:

Certificate Revocation Lists (CRLs)

This method needs lists to be generated and published periodically by the Certificate Authority (CA) to keep it current.

Online Certificate Status Protocol (OCSP)

This method performs a real-time certificate status check with the CA, making it more reliable and faster.

If your server certificate is self-signed, or your company has an internal CA, your JRE may not be able to complete the revocation check properly -- hence the "Unknown" status. If you want to run with revocation checking on (and usually you do), you will need certs signed by a CA that supports one or both of these methods.

It is also important to remember that there are potentially two certificates in play here:

  • The cert used to sign the JARs; and
  • The cert used to connect to the server

Both certs must be signed and valid (that is, not revoked) in order for the handshake to succeed.
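
One way to see which of the two methods described in the answer fails for a given server, as an added example that is not part of the original answer. It uses the JDK's standard PKIX validator rather than the javaws deployment code; the class name `RevocationProbe` and the host/port arguments are assumptions.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.security.cert.PKIXRevocationChecker.Option;
import java.util.*;
import javax.net.ssl.*;

// Added diagnostic, not code from the post: which revocation method can reach a verdict?
public class RevocationProbe {
    public static void main(String[] args) throws Exception {
        String host = args[0];                          // assumption: host serving the JNLP
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        // Let the JDK CRL checker follow each certificate's CRL Distribution Points.
        System.setProperty("com.sun.security.enableCRLDP", "true");
        // 1. Handshake against the default trust store; keep the chain the server sent.
        List<X509Certificate> chain = new ArrayList<>();
        try (SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port)) {
            s.startHandshake();
            for (Certificate c : s.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                // A self-issued certificate is a trust anchor, not part of the path.
                if (!x.getSubjectX500Principal().equals(x.getIssuerX500Principal())) chain.add(x);
            }
        }
        if (chain.isEmpty()) { System.out.println("self-signed: no CA publishes its status"); return; }
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        // 2. Trust anchors: the default CA set that JSSE used for the handshake.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers())
            anchors.add(new TrustAnchor(ca, null));
        // 3. Validate twice, forcing a single revocation method each time.
        System.out.println("OCSP only: " + check(path, anchors, EnumSet.of(Option.NO_FALLBACK)));
        System.out.println("CRL only:  " + check(path, anchors, EnumSet.of(Option.PREFER_CRLS, Option.NO_FALLBACK)));
    }

    static String check(CertPath path, Set<TrustAnchor> anchors, Set<Option> opts) throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOptions(opts);
        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertPathChecker(rc);   // used regardless of the RevocationEnabled flag
        try {
            cpv.validate(path, params);
            return "status determined, not revoked";
        } catch (CertPathValidatorException e) {   // UNDETERMINED_REVOCATION_STATUS = no verdict
            return e.getReason() + " at chain index " + e.getIndex() + ": " + e.getMessage();
        }
    }
}
```

Run it on the affected workstation, with and without `-Dhttp.proxyHost=<proxy> -Dhttp.proxyPort=<port>` (placeholders), to see whether the OCSP and CRL endpoints are reachable only through the proxy.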
