1

I have a signed Java applet that loads perfectly fine in v7u67, but with v7u71 it no longer loads. Additionally, the applet still loads fine in v7u71 on my testing server, which is on the local machine, although the JARs and <object> tags are quite similar. In both cases the website is accessed with HTTPS (although the testing server uses a self-signed certificate for HTTPS).

The complete trace/debug log is available at http://pastebin.com/7JNavVVq with the cliff-notes below.

```
security: Expected Main URL: https://popcornmanager.com/manager/grid.1.2.8e.jar
basic: Plugin2ClassLoader.addURL parent called for https://popcornmanager.com/manager/grid.1.2.8e.jar
security: Accessing keys and certificate in Mozilla user profile: null
security: JSS is not configured
network: Cache entry not found [url: https://popcornmanager.com/manager/grid.1.2.8e.jar, version: null]
network: Connecting https://popcornmanager.com/manager/grid.1.2.8e.jar with proxy=DIRECT
network: Cache entry not found [url: file:/C:/Program%20Files%20(x86)/Java/jre7/lib/ext/sunec.jar, version: null]
basic: Loading Java Applet ...
network: Cache entry not found [url: file:/C:/Program%20Files%20(x86)/Java/jre7/lib/ext/sunjce_provider.jar, version: null]
network: Connecting http://popcornmanager.com:443/ with proxy=DIRECT
security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
security: Obtain certificate collection in SSL Root CA certificate store {x2}
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Loaded blacklisted.certs file: D:\AppData\LocalLow\Sun\Java\Deployment\security\blacklisted.certs
security: SHA-256Certificate finger print: E0E41A12187A9196056D01CC1774D98FED57B0B6FD8A035C815C35073EB0A54B
security: SHA-256Certificate finger print: 09ED6E991FC3273D8FEA317D339C02041861973549CFA6E1558F411F11211AA3
security: SHA-256Certificate finger print: 18F8A7A151B4EC280898093DF5BD537CA099CC277405D0281DE0DADFD14420DA
security: SHA-256Certificate finger print: 58D017279CD4DC63ABDDB196A6C9906C30C4E08783EAE8C1609954D69355596B
security: Checking if SSL certificate is in Deployment permanent certificate store
security: Obtain certificate collection in SSL Root CA certificate store {x4}
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
    ...
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
    ...
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
    ...
[try to load https://popcornmanager.com/manager/grid.1.2.8e.jar again]
[try to load https://popcornmanager.com/manager/com/popcornmanager/datagrid/DataGrid.class as above but doesn't throw an exception, twice]

java.lang.ClassNotFoundException: com.popcornmanager.datagrid.DataGrid
    ...
basic: load: class com.popcornmanager.datagrid.DataGrid not found.
java.lang.ClassNotFoundException: com.popcornmanager.datagrid.DataGrid
    ...
Ignored exception: java.lang.ClassNotFoundException: com.popcornmanager.datagrid.DataGrid
basic: Dialog type is not candidate for embedding
security: Reset deny session certificate store
basic: Removed progress listener: sun.plugin.util.ProgressMonitorAdapter@764254
security: Reset deny session certificate store
```

It appears that some certificate is not valid according to Java's rules, but v7u67 did think it was valid. I can't tell if it's the HTTPS certificate or the code-signing certificate (both of which are valid). The HTTPS certificate passes the browsers' validation tests.

A test can be seen at https://popcornmanager.com/test/TestDataGrid.php.

What I have looked into:

  • Tried Chrome, Firefox, and IE on Windows and all show the same symptoms.
  • Tried <applet> and <object> tags, with and without the .class in the code path.
  • Looked through all the bugs fixed in the update and none seem to explain this change in behavior.
  • Set Java security settings to minimum ("Medium"), added the site to the exception list, and manually added the HTTPS certificate to the Java certificates (it looks like the code certificate was automatically added when I clicked "Remember" in a security dialog).
coderforlife
  • 1
    The output seems to suggest that the problem is with the code-signing certificate and not the SSL certificate. Have you verified that the root CA of the code-signing certificate is in Java's list of known CAs? Perhaps that list changed between update 67 and update 71. – VGR Oct 28 '14 at 17:16
  • The ultimate root CA is "AddTrust External CA Root" which I can find in both 7u45 and 7u71 list of roots (didn't have 7u67 immediately available). List using http://stackoverflow.com/questions/3508050/how-can-i-get-a-list-of-trusted-root-certificates-in-java. The entries are identical. Is there any way to better determine what certificate is causing the problem and why? Should I contact the issuer of the code-signing certificate (it is still valid)? – coderforlife Oct 30 '14 at 02:16
  • 1
    Oops. I just noticed that your topmost exception is an SSLHandshakeException, which suggests a problem with the HTTPS certificate and not the code signing certificate. However, I just wrote a tiny program that gives your .jar to a URLClassLoader, and `classLoader.loadClass("com.popcornmanager.datagrid.DataGrid")` worked perfectly for me, using Java 1.7.0_72. – VGR Oct 30 '14 at 11:40
  • I have given up on this. Still has problems with 1.7.0_71/1.7.0_72 but the Java 8 released on the same day (1.8.0_25) works so I will just recommend people move over to Java 8. Thanks for your help. – coderforlife Jan 06 '15 at 01:24
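
An added example, not part of the original question or its comments: a small Python triage of the console trace quoted in the question, pairing each top-level exception with the last URL the plugin was connecting to and the deepest "Caused by" entry. The `triage` and `layer` names and the layer labels are this example's own, and the embedded trace is an abridged excerpt of the one in the question.

```python
import re

# Abridged excerpt of the Java console trace quoted in the question.
TRACE = """\
network: Connecting https://popcornmanager.com/manager/grid.1.2.8e.jar with proxy=DIRECT
network: Connecting http://popcornmanager.com:443/ with proxy=DIRECT
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
    ...
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
    ...
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
    ...
java.lang.ClassNotFoundException: com.popcornmanager.datagrid.DataGrid
    ...
"""

CONNECT = re.compile(r"^network: Connecting (\S+) with proxy=")
THROWN = re.compile(r"^(Caused by: )?((?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error)): (.*)$")

def layer(exc):
    """Map the outermost exception class to the stage that failed (labels are this example's)."""
    if exc.startswith("javax.net.ssl."):
        return "tls-handshake"    # raised while negotiating HTTPS, before any JAR is read
    if exc.endswith("ClassNotFoundException"):
        return "class-loading"    # the class could not be found or fetched
    return "other"

def triage(trace):
    """Return one finding per top-level exception, with the last URL being connected to."""
    findings, url = [], None
    for line in trace.splitlines():
        m = CONNECT.match(line)
        if m:
            url = m.group(1)
            continue
        m = THROWN.match(line)
        if not m:
            continue
        caused_by, exc, msg = m.groups()
        if caused_by and findings:    # the deepest "Caused by" ends up as the root cause
            findings[-1].update(root=exc, reason=msg)
        elif not caused_by:
            findings.append({"layer": layer(exc), "exception": exc,
                             "url": url, "root": exc, "reason": msg})
    return findings

if __name__ == "__main__":
    print(*triage(TRACE), sep="\n")
```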

1 Answer

2

Look in your JAVA Advanced Settings panel settings and try checking TLS 1.0 and un-checking TLS 1.1 and TLS 1.2.

I have been fighting an issue where my employer's IT people pushed JAVA JRE 8 u92 to my development machine and I could no longer access the application that we develop and store on a test server.

This has been happening to me every 6 to 12 months for several years, and I keep uninstalling their latest JRE and reinstalling a version 7u55, which fixes the issue. It began when they updated me from 7u55 to 7u71 or 72 as best as I can recall.

This time I wanted to keep investigating and trying things to see if I could figure out WHY it always breaks with a newer JRE. I had tried everything I could find, posted by multiple people dating back 3 years on threads, and NOTHING ever worked until I saw an anonymous post from someone on Source Forge.

My setup had TLS 1.0, 1.1, and 1.2 all checked. The person said in theory that that is supposed to be okay and the server should have selected whichever one it wanted. But simply un-checking 1.1 and 1.2 got me back up and running!

However, there is still a big mystery. I double checked and my colleague’s laptop has TLS 1.0, 1.1 and 1.2 checked and hers can run our applications just fine with the new JRE 8u92 update! She has the same laptop model, same OS, same version of IE11, same version of JAVA, all the same settings in the JAVA panel as I had (prior to modifying my TLS), same settings in IE, same trusted sites, etc. We can find no reason for one of them to behave differently than the other. Anyone who has been having similar issues should definitely try unchecking TLS 1.1 and 1.2 in their JAVA Advanced Settings panel. Thanks a bunch to the above anonymous person. I had spent 5 entire work days fighting with this, this time around (and I have fought with it every time they update me, trying to find a solution other than rolling back to a really old 7u55 JRE)!

Shonn E