We have recently needed to change our SSL certificate on our server. Our consuming application has suddenly stopped working. I had presumed this was to do with Java's cacerts, and modified the program to import the new certificate to each client, but the problem was not resolved.
When the application attempts to load the remote view (shown below) on the server, it simply loads a white page. I have tried loading the page through http:// and it seems to function, however the rest of the application (including the API) requires https, and subsequent calls to the API fail (images loaded through https are showing as broken within the app).
The website is functional, and when I access URLs being provided to the app through my desktop browser, they load without issue. The app is also functional when I run it in Debug mode; these issues only occur when I use the "Run" build mode.
I have tried creating a blank MAF application, hoping it was some caching issue, however this new app also cannot load the remote URI. I have done a clean build and have tested other remote URIs (they work). I feel as if there is an issue with Java somehow not accepting the new certificate. The first time I tried to load the website within Eclipse's browser, an error displayed along the lines of "certificate revocation information". I didn't pay much attention to this error and it provided the option to install the new certificate, after which the page loaded within Eclipse's browser.
In JDeveloper there is an option of disabling the Application Transport Security as shown in the image.
Could you try disabling it in your Eclipse too? Kindly refer to this doc: https://wiki.eclipse.org/Jetty/Howto/Configure_SSL, this might help a little :)
The issue seems to be due to the changed SSL certificate on your server.
Short answer:
There was no chain installed, I installed the provided ca-bundle file and updated the httpd.conf file to reflect the chain location and the app now works.
Long answer:
When our server dev installed the new certificate, he neglected to install the ca-bundle (certificate chain) provided by the CA. The site was working in a browser, I can only assume, because it has a more complete list of trusted CAs built in. My best guess is that MAF requires the chain to be installed and was failing some security test, or the Chrome WebView it uses did not have this CA on the trusted list.
Related
I'm working with a Liferay application that is hosted on a machine at 192.168.1.50:8443 with a self-signed certificate (keystore was added to Tomcat).
I now want to connect the API to an Android app. This connection works in production, but I can't make it work in my local environment. Even after accepting the certificate in Chrome and installing it to the Android device, it is detected but gives me this error:
SSLPeerUnverifiedException: Hostname 192.168.1.50 not verified
But then it prints out the certificate being used and shows CN:192.168.1.50 and every parameter exactly as I set it. Can anyone give me some pointers of where to go from here? I have already tried everything I can find including injecting customized socket factories, hostname verifiers and SSL contexts.
Any help is appreciated, even if it is a way to trust all certificates I'll take it, I don't care about security, I just need this for development.
I'm using JavaFX WebView to load a website. This website is using iframes.
It's working fine on a classical browser, but when I'm displaying the pages using JavaFX WebView, the frames are empty.
I tried to display the content of the iframe programmatically from the Java code (according to this: How to get by javafx webview content iframe loaded page?). It is empty.
I also tried to allow everything with Content Security Policy, X-Frame-Options, etc. on the client side (by overriding the HTTP headers), following JavaFX WebView disable Same origin policy (allow cross domain requests). It did not change anything.
I have added a WebConsoleListener to see some logs. I have no errors.
What is the issue? Is there a way to get more logs?
It turns out that the issue was the following: the website in the iframe had an issue with the certificate chain (the whole certificate chain was not transmitted by the website in the iframe). The issue was identified using SSLLabs.
It's not a problem when accessing the page using a browser because browsers are able to manage the situation, but the Sun JVM is not able to do so.
An SSL handshake exception was raised somewhere, but it was hidden by the JavaFX WebView (somewhere it was caught and not displayed clearly thereafter).
So once the issue is identified, to fix it we fall back to the traditional solutions:
If possible, fix the website with the incomplete certificate chain (recommended)
If not, either explicitly trust the certificate provided by the site by adding it to the cacerts file, or disable the SSL security (not recommended)
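Both the httpd answer further up and this one come down to a server that sends its own certificate without the intermediate. The following added example (not part of the original posts) builds a constructed root, intermediate and leaf with openssl, then validates the leaf the way a client that trusts only the root and does not fetch missing intermediates would; all names in it are made up.

```shell
# Added example. The PKI is constructed for the demo; the names
# (Example Root CA, app.example.test) are made up.
set -eu

build_pki() {  # $1 = empty working directory
  local d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:app.example.test
EOF
  # Root CA: the only certificate the client trusts in advance.
  openssl req -x509 -config "$d/pki.cnf" -extensions ca -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Root CA" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Intermediate CA: the certificate a CA's ca-bundle file carries.
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/pki.cnf" -extensions ca -days 2 -out "$d/int.crt" 2>/dev/null
  # Server (leaf) certificate, issued by the intermediate.
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=app.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -extfile "$d/pki.cnf" -extensions leaf -days 2 -out "$d/leaf.crt" 2>/dev/null
}

# Validate the leaf as a strict client would: only the root is trusted and
# nothing is fetched. $2 = "leaf-only" or "with-chain" (what the server sends).
chain_verifies() {
  if [ "$2" = "with-chain" ]; then
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
  fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_pki "$work"
for sent in leaf-only with-chain; do
  if chain_verifies "$work" "$sent"; then echo "$sent: chain builds to the trusted root"
  else echo "$sent: validation fails, issuer unknown"; fi
done
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends, which shows whether the intermediate is among them.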
Recently we started to upgrade our clients from Java 6u31 to 8u121.
Here we see an impact on our internal web application written in Java.
Client(s) connects to a web-server which has the JNLP and JARs locally.
However, now with the new Java 8u121 we get a pop-up from Java: Authentication required.
We can click on cancel and the Java app will load but this is not acceptable for our users.
Is this a Java problem or a Proxy problem?
We started to do a trace with Wireshark to see what happens when the Java pop-up "authentication required" occurs. Here we could see that our proxy server blocks a GlobalSign site to validate a certificate. Here we made an exception for that site. Now we have no issue anymore and the pop-up is not occurring anymore.
You can prevent that authentication window by setting the property deployment.security.authenticator value to false in the deployment.properties.
Normally Plug-in and Web Start install an Authenticator to handle communication with Authenticating web pages or Authenticating proxies. This is the default behavior (true). This option can be used to turn the normal behavior off if, for example, an application communicates directly with an authenticating web page and needs to install its own Authenticator.
Location of the deployment.properties
in Windows - \LocalLow\Sun\Java\Deployment\deployment.properties
in Linux - ${user.home}/.java/deployment/deployment.properties
in OS X - ~/Library/Application Support/Oracle/Java/Deployment/deployment.properties
I wrote a web application which is used in our intranet. I also wrote a small Java Applet to integrate with our Windows desktops (opening applications and files). Of course I get a security warning every time I access my web application.
I've read on Stack Overflow that it should be possible to sign my applet and roll out the certificate to all my clients (Windows XP and Windows 7) to get rid of the security warning.
Is there a tutorial on how to do that? Can I do that without purchasing an expensive certificate, because I'm only using this application in my intranet?
Thx for any information and best regards!
I found the solution here: http://wikigu.blogspot.co.at/2011/06/signing-java-applet-with-your-own-ca.html
The last step is to install the generated crt (in the example it's the "server.crt") file into the Trusted Publishers certificate store.
Edit: I just realized that it is just working in Internet Explorer (applet is executed without any warning or dialogue) but not in Firefox. Firefox still shows a security warning. Does anybody know how to get rid of the warning in Firefox?
I am using the SWT Browser Widget to load the image of a webcam-server via HTTPS. Sadly the webcam-server certificate is untrusted. I tried 2 variants to load the image:
Browser.setHTML(String)
Load the image using HTML+JavaScript every second. This is the preferred way to avoid flickering. This works very fine for HTTP; if I have an HTTPS connection I will see nothing at all except my alternative text.
Browser.setUrl(String)
Load the image by setting the URL every second. This causes massive flickering because of the reload, which is unacceptable. I tried this variant with all available SWT-Browsers. If I use SWT.WEBKIT or SWT.MOZILLA (XulRunner) I have no chance at all to get the image. A dialog pops up and tells me the certificate is untrusted with no option to accept it. If I use SWT.NONE the IE is used (I am on WinXP) and the pop-up dialog asks if I want to trust the cert; after pressing OK I can see the image.
Here at Stack Overflow I found: how-to-import-a-ssl-certificate-file-with-swt-browser.
But I am unable to find the cert_override.txt in my XULRunner, and I am unable to find a download link for the Personal Security Manager (like many others)!
How can I allow the untrusted certificate, use variant 1 and XULRunner aka MOZILLA? Is it possible to do it programmatically?
cert_override.txt is located in the user's profile. On Windows the directory for XULRunner's user profiles is %APPDATA%\<vendor>\<product>\Profiles\<something>.default, on OS X /Library/Application Support/<product>/Profiles/<something>.default, on Linux ~/.<vendor>/<product>/Profiles/<something>.default. At runtime you can use nsIDirectoryService to locate the directory (ProfD is the key for this directory).
You can either write to the user's profile directly from your application or add a copy of cert_override.txt to your XULRunner application to be copied into all user profiles created (it would have to be put under defaults/profile/cert_override.txt in the XULRunner application directory). Note that the latter will only have an effect on new profiles being created, not on profiles that already exist.
Btw, the simplest way to create a cert_override.txt file would be accepting an untrusted certificate in Firefox and then copying the entry from the Firefox profile to the XULRunner profile.