Java untrusted applet security settings in Java Control Panel
I spend a good amount of time in the Internet Explorer/Windows Internet Options Control Panel Security tab adding URLs to the trusted site list for the intranet, or in the Advanced tab, making modifications to allow certain kinds of scripting to run so that web apps function correctly in end users' web browsers. Anybody who has clean installed Windows Server is familiar with what I am talking about: out of the box, the Windows Server Internet Explorer settings are completely locked down. I ran into a problem the other day that was definitely related to web browser security, but that I could not fix from within Internet Explorer's Internet Options/Internet settings: I had a Java applet that needed to run in my web browser, but that applet was being "blocked by security settings". So I asked a friend, and here is what I found out...
Java has its own Control Panel (find this in Windows Control Panel > Java). I knew that part, but in addition, there are settings here that prevent Java applets from untrusted sources from running. You will see this prompt, and then the following:
I couldn't add the URL for the web app to the trusted sites in Internet Settings (because I did not have the administrative privileges to do so). I could, however, go to Control Panel > Java > Security tab > Edit Site List > Add to add the URL to Java's trusted site list, and this allowed the previously blocked applet to run (after refreshing the page and allowing the applet in the "Do you want to run this application?" dialogue box, see below).
Now I was able to use the web app, whereas previously it was blocked, leaving the web page with blank space and missing functionality. However...
A word of caution regarding making changes to Java security: it can be a dangerous move. When you lower Java security beyond its recommended minimums, you add vulnerabilities to the operating system. It is like opening a port on a firewall: proceed with caution. (In my situation I was adding the URL for a location within the trusted internal network of an enterprise.)
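As an added example (not code from the original post), the Java helper below audits the file that the Edit Site List dialog writes on Windows, %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites, and flags entries that are not HTTPS, that use file://, or that point outside an internal domain allowlist. The allowed domain suffixes and the sample entries are constructed for this example.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

/** Added audit helper, not part of the original post: flags risky entries in a Java
 *  exception site list (the file behind Control Panel > Java > Security > Edit Site List). */
public class ExceptionSiteAudit {
    // Assumption for this example: only hosts under these internal domains may be exempted.
    static final String[] ALLOWED_SUFFIXES = { ".corp.example", ".intranet.example" };

    static List<String> audit(List<String> lines) {
        List<String> findings = new ArrayList<>();
        for (String raw : lines) {
            String line = raw.trim();
            if (line.isEmpty()) continue;
            URI u;
            try { u = new URI(line); } catch (Exception e) { findings.add("unparseable entry: " + line); continue; }
            String scheme = u.getScheme() == null ? "" : u.getScheme().toLowerCase();
            String host = u.getHost() == null ? "" : u.getHost().toLowerCase();
            if (scheme.equals("file"))
                findings.add("file:// exemption: local content under this path skips the security prompts: " + line);
            else if (!scheme.equals("https"))
                findings.add("non-HTTPS exemption: content can be altered on the network path: " + line);
            boolean internal = false;
            for (String s : ALLOWED_SUFFIXES) if (host.endsWith(s)) internal = true;
            if (!host.isEmpty() && !internal)
                findings.add("host outside the approved internal domains: " + line);
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Pass the real exception.sites path as the first argument; otherwise constructed samples are used.
        List<String> lines = args.length > 0
            ? java.nio.file.Files.readAllLines(java.nio.file.Paths.get(args[0]))
            : java.util.Arrays.asList(
                "https://apps.intranet.example",          // fine: HTTPS, internal
                "http://legacy.intranet.example:8080",    // flagged: plain HTTP
                "https://cdn.partner-site.test",          // flagged: not an internal domain
                "file:///C:/temp");                       // flagged: file:// exemption
        for (String f : audit(lines)) System.out.println(f);
    }
}
```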
Java https connection — certificate untrusted + javax.net.ssl.SSLException: PKIX path building failed
On start via HTTPS I get a security warning:
Do you want to Continue? The connection to this website is untrusted
Note: The certificate is not valid and cannot be used to verify the identity of this website.
More information -> Certificate shows that the SHA-1 fingerprint is the correct one (the same as the one that the browser shows).
If I click Continue, the application starts up and works fine besides one thing. Internally it uses apache.commons.httpclient, and there the exception is thrown:
DEBUG org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry:404|Closing the connection.
DEBUG org.apache.commons.httpclient.HttpConnection.closeSocketAndStreams:1228|Exception caught when closing output
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.SSLSocketImpl.checkEOF(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.checkWrite(Unknown Source)
    at sun.security.ssl.AppOutputStream.write(Unknown Source)
    at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
    at java.io.BufferedOutputStream.flush(Unknown Source)
    at java.io.FilterOutputStream.close(Unknown Source)
    at org.apache.commons.httpclient.HttpConnection.closeSocketAndStreams(HttpConnection.java:1226)
    at org.apache.commons.httpclient.HttpConnection.close(HttpConnection.java:1149)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:405)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
    at com.teamead.cs.sysmon.SendToServerRunnable.run(SendToServerRunnable.java:74)
    at com.teamead.cs.sysmon.SysMonHttpThreadTask.run(SysMonHttpThreadTask.java:40)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
    at sun.security.ssl.AppOutputStream.write(Unknown Source)
    at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
    at java.io.BufferedOutputStream.flush(Unknown Source)
    at java.io.FilterOutputStream.flush(Unknown Source)
    at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:506)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
    ... 5 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 20 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 26 more
DEBUG org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry:434|Method retry handler returned false. Automatic recovery will not be attempted
DEBUG org.apache.commons.httpclient.HttpConnection.releaseConnection:1178|Releasing connection back to connection manager.
It simply seems that the certificate is not accepted.
But the certificate is signed by:
DigiCert High Assurance EV Root CA
-> DigiCert SHA2 High Assurance Server CA
-> Domain Certificate
I tried to import the root certificate "DigiCert High Assurance EV Root CA" into the Java user's CA store, but that failed: keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
I tried to import the root certificate "DigiCert High Assurance EV Root CA" into the Java JDK CA store (as Administrator):
%JAVA_HOME%\bin\keytool -import -alias digicertRootCA -file C:\Users\USERNAME\DigiCertHighAssuranceEVRootCA.crt -keystore %JAVA_HOME%\lib\security\cacerts
Then I tried to import the intermediate certificate "DigiCert SHA2 High Assurance Server CA" (which I exported from the browser) into the Java JDK CA store (as Administrator):
%JAVA_HOME%\bin\keytool -import -alias digicertServerCA -file C:\Users\USERNAME\DigiCertSHA2HighAssuranceServerCABrowserExport.crt -keystore %JAVA_HOME%\lib\security\cacerts
With this certificate imported both problems went away.
- Why is it not working with the root certificate from the chain?
- Is there a way to import only into the user's CA store?
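The symptom above (importing the root did not help, importing the intermediate did) is what a server that sends only its leaf certificate produces: Java's default path builder does not fetch missing intermediates, so the gap between leaf and root has to be filled from the trust store. The Java diagnostic below, added here and not part of the original post, records the chain the server presents before handing it to the JDK's normal validator, so you can see whether the intermediate is missing; host and port are placeholders taken from the command line.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
/** Added diagnostic, not from the original post: records the chain a server actually sends,
 *  then applies the JDK's normal PKIX validation against the default trust store (cacerts). */
public class ChainInspector {
    // Holds what the server presented, even when validation afterwards fails.
    static X509Certificate[] presented;
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((java.security.KeyStore) null);          // null = the JDK's default cacerts
        return (X509TrustManager) tmf.getTrustManagers()[0];
    }
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "server.example.test";   // placeholder host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        final X509TrustManager real = defaultTrustManager();
        X509TrustManager recorder = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                presented = chain;                         // record first...
                real.checkServerTrusted(chain, authType);  // ...then validate exactly as the JDK would
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                real.checkClientTrusted(chain, authType);
            }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        String verdict;
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            verdict = "PKIX validation OK";
        } catch (SSLHandshakeException e) {
            verdict = "PKIX validation FAILED: " + e.getMessage();
        }
        if (presented == null) { System.out.println("no certificate received: " + verdict); return; }
        System.out.println("server sent " + presented.length + " certificate(s):");
        for (X509Certificate c : presented)
            System.out.println("  " + c.getSubjectX500Principal() + "\n    issued by " + c.getIssuerX500Principal());
        // If only one certificate was sent, its issuer (the intermediate) must itself be a trust anchor.
        X509Certificate last = presented[presented.length - 1];
        boolean anchored = false;
        for (X509Certificate ta : real.getAcceptedIssuers())
            if (ta.getSubjectX500Principal().equals(last.getIssuerX500Principal())) anchored = true;
        System.out.println("issuer of last sent certificate is in the trust store: " + anchored);
        System.out.println(verdict);
    }
}
```

A count of 1 with "anchored: false" against a JDK that already holds the DigiCert root reproduces the situation in the question; the lasting fix is for the server to send the intermediate, so clients need only the root.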
Troubleshooting Java HTTPS Security Warning Message
«This application will run with unrestricted access which may put your computer and personal information at risk. The information provided is unreliable or unknown so it is recommended not to run this application unless you are familiar with its source.
The digital signature for this application was generated with a certificate from a trusted certificate authority, but we are unable to ensure that it was not revoked by that authority.»
From the certificate chain, we can see the local certificate was issued by VeriSign G4, and the VeriSign G4 certificate was issued by VeriSign G5 (expiry date Jul 16 2036).
The interesting thing is that when I use Google Chrome, there is no warning at all. But I did find an interesting thing in the Google Chrome session:
Solutions:
From the More Information view of the warning message screenshot above, we can tell it is coming from Java, since at the bottom it directs us to visit Java.com for more details. It also mentions that the certificate could not be confirmed as not revoked. This warning message must be related to Java's TLS revocation settings.
I went back to the Java Control Panel and found that there is a setting for "TLS Certificate Revocation". After changing it to "Do not check", the warning message was gone. (With this setting Java skips the CRL/OCSP revocation lookup for the signing certificate altogether, which is why the "unable to ensure that it was not revoked" warning no longer appears.)
Another solution is to change the server side to use SSL only. I will keep posting once I get more information regarding this Java security warning message issue. If you have any better idea why Google Chrome was always fine before any change, please let me know. Appreciate it.
Troubleshooting Java HTTPS Security Warning Message Reviewed by ITProSec on Thursday, March 26, 2015 Rating: 5