JDK-8068812

JWS Fails JNLP Download When Hosted Using SSL w/ Client Certificates Enabled

    Details

    • Type: Bug
    • Status: Open
    • Priority: P3
    • Resolution: Unresolved
    • Affects Version/s: 8u25
    • Fix Version/s: None
    • Component/s: security-libs
    • Labels:

      Description

      FULL PRODUCT VERSION :
      java version "1.8.0_25"
      Java(TM) SE Runtime Environment (build 1.8.0_25-b18)
      Java HotSpot(TM) Client VM (build 25.25-b02, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Microsoft Windows [Version 6.1.7601]

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      JNLP is hosted by Windows Server 2008 R2

      A DESCRIPTION OF THE PROBLEM :
      Java 8u25 Web Start (ver: 11.25.2.18) is failing to download the JNLP file when it is hosted by IIS 7.5 on Windows Server 2008 R2 using SSL with client certificates set to ACCEPT or REQUIRE.

      This causes the JWS application to not launch and error out. Disabling TLS 1.1 and 1.2 on the client from Java Control Panel will allow it to work as expected.

      With TLS 1.1 or 1.2 enabled however it is causing an error in SChannel on the server:
      == The following fatal alert was generated: 20. The internal error state is 960. ==

      Note: The server in this case is not configured for TLS 1.1 or TLS 1.2.

      Supported versions: SSLv2 SSLv3 TLSv1.0
      Deflate compression: no
      Supported cipher suites (ORDER IS NOT SIGNIFICANT):
        SSLv2
           RC4_128_WITH_MD5
           DES_192_EDE3_CBC_WITH_MD5
        SSLv3
           RSA_WITH_RC4_128_MD5
           RSA_WITH_RC4_128_SHA
           RSA_WITH_3DES_EDE_CBC_SHA
        TLSv1.0
           RSA_WITH_RC4_128_MD5
           RSA_WITH_RC4_128_SHA
           RSA_WITH_3DES_EDE_CBC_SHA
           RSA_WITH_AES_128_CBC_SHA
           RSA_WITH_AES_256_CBC_SHA
           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

      REGRESSION. Last worked in version 7u67

      ADDITIONAL REGRESSION INFORMATION:
      java version "1.7.0_67"
      Java(TM) SE Runtime Environment (build 1.7.0_67-b01)
      Java HotSpot(TM) Client VM (build 24.65-b04, mixed mode, sharing)
      Java Web Start 10.67.2.01


      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1) With a JNLP hosted on IIS 7.5 Windows Server 2008 R2, configured to use SSL with client certificates set to ACCEPT or REQUIRE.
      2) Execute: javaws -verbose https://<JNLP LOC>

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      JWS Application Launches
      ACTUAL -
      JWS Errors out.



      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      I have seen this produce a few different exceptions in various cases.

      ======================= Common Exception ============================
      Java Console:

      Java Web Start 11.25.2.18
      Using JRE version 1.8.0_25-b18 Java HotSpot(TM) Client VM
      ....
      basic: Java part started
      basic: jnlpx.jvm: C:\Program Files (x86)\Java\jre1.8.0_25\bin\javaw.exe
      basic: jnlpx.splashport: 49998
      basic: jnlpx.remove: false
      basic: jnlpx.heapsize: null
      network: Loading user-defined proxy configuration ...
      network: Done.
      network: Browser is IE.HTTP
      network: Browser is IE
      network: Loading proxy configuration from Internet Explorer ...
      network: Done.
      network: Loading direct proxy configuration ...
      network: Done.
      network: Proxy Configuration: No proxy
      basic: Using Cp1252 to encode arguments.
      basic: Running JVMParams: [JVMParameters: isSecure: true, args: "-Xmx64m"]
      -> [JVMParameters: isSecure: true, args:]
      network: Created version ID: 1.5.0.22
      network: Created version ID: 1.5
      basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre1.5.0_22]
      basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre1.5.0_22]
      basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre1.5.0_22]
      basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre1.5.0_22]
      network: Created version ID: 1.6.0.30
      network: Created version ID: 1.6
      basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre6]
      basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre6]
      basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre6]
      basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre6]
      network: Created version ID: 1.7.0.17
      network: Created version ID: 1.7
      basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre7.0.17]
      network: Created version ID: 2.2.7
      network: Created version ID: 1.7.0.67
      network: Created version ID: 1.7
      basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre7]
      network: Created version ID: 2.2.67
      network: Created version ID: 1.8.0.25
      network: Created version ID: 1.8
      network: Created version ID: 8.0.25
      network: Created version ID: 1.8.0.25
      network: Created version ID: 1.8
      network: Created version ID: 8.0.25
      network: Created version ID: 1.8.0.25
      network: Created version ID: 1.8
      basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre1.8.0_25\bin\javaw.exe]
      basic: No valid JFX runtime at [C:\Program Files (x86)\Java\jre1.8.0_25\bin\javaw.exe]
      network: Created version ID: 8.0.25
      network: Created version ID: 1.8.0.25
      network: Created version ID: 1.8
      network: Created version ID: 8.0.25
      network: Cache entry found [url: https://<JNLP LOC>, version: null] prevalidated=false/0
      cache: Adding MemoryCache entry: https://<JNLP LOC>
      cache: registerReference: com.sun.deploy.cache.MemoryCache$CachedResourceReference@f832bb3: 1
      temp: new XMLParser with source:
      temp:
      <?xml version="1.0" encoding="UTF-8"?>
      <jnlp spec="1.5+" codebase="https://<JNLP BASE DIR>" href="<JNLP>">
        <information>
          <title>XXXX</title>
          <vendor>XXXX</vendor>
          <homepage href="http://www.XXXX.com"/>
          <icon href="Splash.jpg" kind="splash"/>
          <description/>
        </information>
        <resources>
          <j2se version="1.5+" href="http://java.sun.com/products/autodl/j2se" / max-heap-size="256m"/>
          <jar href="<JAR>.jar"/>
        </resources>
        <application-desc main-class="XXXX">
          <argument>XXXX</argument>
          <argument>13999</argument>
          <argument>1234</argument>
          <argument>0</argument>
        </application-desc>
        <security>
          <all-permissions/>
        </security>
      </jnlp>

      temp:

      returning ROOT as follows:
      <jnlp spec="1.5+" codebase="https://<JNLP BASE DIR>" href="<JNLP>">
        <information>
          <title>XXXX</title>
          <vendor>XXXX</vendor>
          <homepage href="http://www.XXXX.com"/>
          <icon href="Splash.jpg" kind="splash"/>
          <description/>
        </information>
        <resources>
          <j2se version="1.5+" href="http://java.sun.com/products/autodl/j2se" / max-heap-size="256m"/>
          <jar href="<JAR>.jar"/>
        </resources>
        <application-desc main-class="XXXX">
          <argument>XXXX</argument>
          <argument>13999</argument>
          <argument>1234</argument>
          <argument>0</argument>
        </application-desc>
        <security>
          <all-permissions/>
        </security>
      </jnlp>
      network: Created version ID: 1.8.0.25
      network: Created version ID: 1.5+
      temp: returning LaunchDesc from XMLFormat.parse():

      <jnlp spec="1.5+" codebase="https://<JNLP BASE DIR>" href="https://<JNLP LOC>">
        <information>
          <title>XXXX</title>
          <vendor>XXXX</vendor>
          <homepage href="http://XXXX"/>
          <icon href="https://<SERVER>/Splash.jpg" kind="splash"/>
        </information>
        <security>
          <all-permissions/>
        </security>
        <update check="timeout" policy="always"/>
        <resources>
          <java href="http://java.sun.com/products/autodl/j2se" version="1.5+"/>
          <jar href="https://<JAR>.jar" download="eager" main="false"/>
        </resources>
        <application-desc main-class="xxxx">
          <argument>xxxx</argument>
          <argument>13999</argument>
          <argument>1234</argument>
          <argument>0</argument>
        </application-desc>
      </jnlp>
      network: prepareToLaunch: offlineOnly=false
      network: Cache entry found [url: https://<JNLP LOC>, version: null] prevalidated=false/0
      cache: Adding MemoryCache entry: https://<JNLP LOC>
      cache: registerReference: com.sun.deploy.cache.MemoryCache$CachedResourceReference@8848afda: 1
      cache: registerReference: com.sun.deploy.cache.MemoryCache$CachedResourceReference@8848afda: 2
      cache: Resource https://<JNLP LOC> has expired.
      network: Connecting https://<JNLP LOC> with proxy=DIRECT
      network: Connecting socket://<server>:443 with proxy=DIRECT
      security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre1.8.0_25\lib\security\cacerts
      security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre1.8.0_25\lib\security\cacerts
      security: Obtain certificate collection in SSL Root CA certificate store
      security: Obtain certificate collection in SSL Root CA certificate store
      security: Loading certificates from Deployment session certificate store
      security: Loaded certificates from Deployment session certificate store
      security: Loading certificates from Internet Explorer ROOT certificate store
      security: Loaded certificates from Internet Explorer ROOT certificate store
      security: Loading certificates from Internet Explorer DISALLOWED certificate store
      security: Loaded certificates from Internet Explorer DISALLOWED certificate store
      security: Loaded blacklisted.certs file: C:\Users\xxxx\AppData\LocalLow\Sun\Java\Deployment\security\blacklisted.certs
      security: SHA-256Certificate finger print: ED2AD4BC25ACC565E6EA0D76A3EB2426E005D6A1A694430E8AA8CA3644C730CD
      security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
      security: SHA-256Certificate finger print: 21EB37AB4CF6EF8965EC1766409CA76B8B2E03F2D1A388DF734208E86DEEE679
      security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
      security: Checking if SSL certificate is in Deployment permanent certificate store
      security: Loading certificates from Internet Explorer ROOT certificate store
      security: Loaded certificates from Internet Explorer ROOT certificate store
      security: Saving certificates in Deployment session certificate store
      security: Saved certificates in Deployment session certificate store
      network: Connecting https://<JNLP LOC> with cookie "__utma=267056913.859301560.1365445621.1408740486.1409251518.7; __utmz=267056913.1390590352.2.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=3e25f76-147c5868802-41e8b235-16; "
      security: Obtain certificate collection in SSL Root CA certificate store
      security: Obtain certificate collection in SSL Root CA certificate store
      security: Loading certificates from Deployment session certificate store
      security: Loaded certificates from Deployment session certificate store
      security: SHA-256Certificate finger print: ED2AD4BC25ACC565E6EA0D76A3EB2426E005D6A1A694430E8AA8CA3644C730CD
      security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
      security: SHA-256Certificate finger print: 21EB37AB4CF6EF8965EC1766409CA76B8B2E03F2D1A388DF734208E86DEEE679
      security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
      network: Connecting socket://127.0.0.1:49998 with proxy=DIRECT
      network: Connecting socket://qalab-iis7.noblesys.com:443 with proxy=DIRECT
      security: Obtain certificate collection in SSL Root CA certificate store
      security: Obtain certificate collection in SSL Root CA certificate store
      security: Loading certificates from Deployment session certificate store
      security: Loaded certificates from Deployment session certificate store
      security: SHA-256Certificate finger print: ED2AD4BC25ACC565E6EA0D76A3EB2426E005D6A1A694430E8AA8CA3644C730CD
      security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
      security: SHA-256Certificate finger print: 21EB37AB4CF6EF8965EC1766409CA76B8B2E03F2D1A388DF734208E86DEEE679
      security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
      security: Obtain certificate collection in SSL Root CA certificate store
      security: Obtain certificate collection in SSL Root CA certificate store
      security: Loading certificates from Deployment session certificate store
      security: Loaded certificates from Deployment session certificate store
      security: SHA-256Certificate finger print: ED2AD4BC25ACC565E6EA0D76A3EB2426E005D6A1A694430E8AA8CA3644C730CD
      security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
      security: SHA-256Certificate finger print: 21EB37AB4CF6EF8965EC1766409CA76B8B2E03F2D1A388DF734208E86DEEE679
      security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
      #### Java Web Start Error:
      #### Connection reset


      java.net.SocketException: Connection reset
      at java.net.SocketInputStream.read(Unknown Source)
      at java.net.SocketInputStream.read(Unknown Source)
      at sun.security.ssl.InputRecord.readFully(Unknown Source)
      at sun.security.ssl.InputRecord.read(Unknown Source)
      at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
      at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
      at sun.security.ssl.AppInputStream.read(Unknown Source)
      at java.io.BufferedInputStream.fill(Unknown Source)
      at java.io.BufferedInputStream.read1(Unknown Source)
      at java.io.BufferedInputStream.read(Unknown Source)
      at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)
      at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
      at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.access$200(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at java.security.AccessController.doPrivileged(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
      at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
      at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
      at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
      at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
      at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
      at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
      at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
      at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
      at com.sun.javaws.Launcher.launch(Unknown Source)
      at com.sun.javaws.Main.launchApp(Unknown Source)
      at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
      at com.sun.javaws.Main.access$000(Unknown Source)
      at com.sun.javaws.Main$1.run(Unknown Source)
      at java.lang.Thread.run(Unknown Source)

      ======================= Variant Exception ==================================
      com.sun.deploy.net.FailedDownloadException: Unable to load resource: https://<JNLP LOCATION>
                      at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
                      at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
                      at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
                      at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
                      at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
                      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
                      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
                      at com.sun.javaws.Launcher.launch(Unknown Source)
                      at com.sun.javaws.Main.launchApp(Unknown Source)
                      at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
                      at com.sun.javaws.Main.access$000(Unknown Source)
                      at com.sun.javaws.Main$1.run(Unknown Source)
                      at java.lang.Thread.run(Unknown Source)
      java.net.SocketException: Connection reset
                      at java.net.SocketInputStream.read(Unknown Source)
                      at java.net.SocketInputStream.read(Unknown Source)
                      at sun.security.ssl.InputRecord.readFully(Unknown Source)
                      at sun.security.ssl.InputRecord.read(Unknown Source)
                      at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
                      at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
                      at sun.security.ssl.AppInputStream.read(Unknown Source)
                      at java.io.BufferedInputStream.fill(Unknown Source)
                      at java.io.BufferedInputStream.read1(Unknown Source)
                      at java.io.BufferedInputStream.read(Unknown Source)
                      at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)
                      at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
                      at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
                      at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
                      at sun.net.www.protocol.http.HttpURLConnection.access$200(Unknown Source)
                      at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
                      at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
                      at java.security.AccessController.doPrivileged(Native Method)
                      at java.security.AccessController.doPrivileged(Unknown Source)
                      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
                      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
                      at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
                      at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
                      at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
                      at com.sun.deploy.net.BasicHttpRequest.doGetRequest(Unknown Source)
                      at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
                      at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
                      at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
                      at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
                      at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
                      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
                      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
                      at com.sun.javaws.Launcher.launch(Unknown Source)
                      at com.sun.javaws.Main.launchApp(Unknown Source)
                      at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
                      at com.sun.javaws.Main.access$000(Unknown Source)
                      at com.sun.javaws.Main$1.run(Unknown Source)
                      at java.lang.Thread.run(Unknown Source)

      REPRODUCIBILITY :
      This bug can be reproduced always.

      CUSTOMER SUBMITTED WORKAROUND :
      1) Disable use of client certificates in IIS (set to IGNORE).

      OR

      2) Disable TLS 1.1 and 1.2 from the Java Control Panel on the Client.
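
The following probe is an added example, not part of the original report or of the JDK: it repeats the download outside Web Start with plain JSSE, once with only TLS 1.0 enabled (workaround 2) and once with TLS 1.0 through 1.2 enabled (the failing 8u25 setup), and sends a request after the handshake because the traces above show the reset while the HTTP response headers are being read. The class name, the `<host>`, `<path>` and `[port]` arguments and the 15-second timeout are assumptions of this example.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Added diagnostic (not from the report): compares client protocol sets against one HTTPS URL. */
public class TlsClientCertProbe {

    // First set mirrors workaround 2 (TLS 1.1/1.2 off); second mirrors the failing 8u25 setup.
    // Current JREs disable TLSv1/TLSv1.1 via jdk.tls.disabledAlgorithms, so run this on the
    // JRE under test rather than on a newer one.
    static final String[][] PROTOCOL_SETS = {
        {"TLSv1"},
        {"TLSv1", "TLSv1.1", "TLSv1.2"},
    };

    static String probe(String host, int port, String path, String[] protocols) {
        // Default factory: the trust store and any client key store come from the usual
        // javax.net.ssl.* system properties; with none set, no client certificate is offered.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(15000);
            socket.setEnabledProtocols(protocols);
            socket.startHandshake(); // initial handshake only
            String negotiated = socket.getSession().getProtocol();

            // A completed handshake is not enough: the reported reset happens while the
            // response is read, so send a request and wait for the status line.
            String request = "GET " + path + " HTTP/1.1\r\n"
                    + "Host: " + host + "\r\n"
                    + "Connection: close\r\n\r\n";
            OutputStream out = socket.getOutputStream();
            out.write(request.getBytes(StandardCharsets.US_ASCII));
            out.flush();

            BufferedReader in = new BufferedReader(
                    new InputStreamReader(socket.getInputStream(), StandardCharsets.US_ASCII));
            String status = in.readLine();
            return "negotiated=" + negotiated + " status=" + status;
        } catch (Exception e) {
            return "FAILED " + e.getClass().getName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        if (args.length < 2) {
            System.err.println("usage: java TlsClientCertProbe <host> <path> [port]");
            System.exit(2);
        }
        int port = args.length > 2 ? Integer.parseInt(args[2]) : 443;
        for (String[] protocols : PROTOCOL_SETS) {
            System.out.println(Arrays.toString(protocols) + " -> "
                    + probe(args[0], port, args[1], protocols));
        }
    }
}
```

If the second line fails while the first succeeds, the problem reproduces in JSSE itself rather than in the Web Start download code; adding `-Djavax.net.debug=ssl,handshake` to the `java` command prints the handshake messages for comparison with the attached traces.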

        Attachments

        1. bad_TLS12_to_TLS10.trace
          173 kB
        2. bad_TLS12_to_TLS10.txt
          173 kB
        3. good_TLS10.trace
          60 kB
        4. good_TLS10.txt
          60 kB
        5. ssl_test_http_cient_42.zip
          122 kB
        6. tls11.reg
          0.9 kB
        7. tls12.reg
          0.9 kB

        People

        • Assignee: Ivan Gerasimov (igerasim)
        • Reporter: Webbug Group (webbuggrp)
        • Votes: 0
        • Watchers: 5