JDK-8013237

Option "Do not check certification revocation" in JCP is not honored.




      Steps to reproduce:
      1. Install the latest 7u25 nightly bundle on Windows 7-x86 (though I think this issue exists on all configs).
      2. Go to JCP->Advanced->Perform certification revocation checks on, choose "Do not check (not recommended)". Also switch the Java console on.
      3. Open the browser and choose not to use any proxy at all, so that we won't be able to connect to OCSP/CRL servers sitting on the public internet.
      4. Access page http://java.com/zh_CN/download/installed.jsp
      5. If the applet fails to launch, complaining that it failed to validate certificates, then the issue is reproduced.

      The applet should run fine, since the OCSP/CRL check is off.

      Workaround: correctly configure the proxy so that the connection to the OCSP/CRL servers can go through (but only if the OCSP/CRL servers are up and running fine).

      Screenshot is attached. So is trace.

      Another issue we could see from trace is (Update: to me, this should be a different issue, filed bug https://jbs.oracle.com/bugs/browse/JDK-8013240 to track):
      security: PKIX path validation failed: java.security.cert.CertPathValidatorException: java.net.SocketTimeoutException: connect timed out
      java.util.MissingResourceException: Can't find resource for bundle com.sun.deploy.resources.Deployment, key OK
      at java.util.ResourceBundle.getObject(Unknown Source)
      at java.util.ResourceBundle.getString(Unknown Source)
      at com.sun.deploy.resources.ResourceManager.getMnemonic(Unknown Source)
      at com.sun.deploy.ui.DialogTemplate.createButtonsPanel(Unknown Source)
      at com.sun.deploy.ui.DialogTemplate.createCenterPanel(Unknown Source)
      at com.sun.deploy.ui.DialogTemplate.setErrorContent(Unknown Source)
      at com.sun.deploy.ui.UIFactory$3.execute(Unknown Source)
      at sun.plugin.util.PluginSysUtil$SysExecutionThread.run(Unknown Source)
      basic: Dialog type is not candidate for embedding

      Looks like we are missing the definition of some key.

      Root cause analysis:
      I think this is because
      - we have the JCP OCSP/CRL options fix in, and we do write these options into the deployment.properties file. But the internal logic to honor them is not ready yet.
      - on the other hand, we make the OCSP/CRL check the default internally

      Although there's a workaround, the workaround is not good for SQE testing, since we do not use a proxy in our automation runs because the proxy is not stable and will affect our test results. So make it P2.




            herrick Andy Herrick
            stephenh Stephen Hu (Inactive)