FULL PRODUCT VERSION :
JDK 1.7 update 5
ADDITIONAL OS VERSION INFORMATION :
Windows 7, and probably all other OSes
A DESCRIPTION OF THE PROBLEM :
Bug report 7127374 gives most of the lower-level details. This bug was closed as not a defect. This is incorrect, and the bug is rendering jarsigner unusable in Java 7. The workarounds listed there are not available with jarsigner.
However, this bug report is specifically about jarsigner.
In particular, the person who closed the defect failed to understand the situation.
He states: ""https://timestamp.geotrust.com/tsa", with IE and Firefox. Both shows no page found."
That is the intended behavior of this TSA. It explicitly is returning that response, and the browsers ARE SHOWING THE RESPONSE. For this to happen, the browsers must first be establishing the SSL connection; therefore the statement made in the report is correct, and the person who closed it is incorrect. This has always been the behavior of this URL, yet it continues to work correctly with Java 6's jarsigner.
In Java 7, on the other hand, Jarsigner simply dies with:
jarsigner: unable to sign jar: javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
We cannot ship (or even test) our product signed without a timestamp. This is the URL provided us by our certificate vendor (Verisign). I strongly suspect this is the most widely-used TSA for signing Java code.
Jarsigner has no option for setting jsse.enableSNIExtension=false, so this workaround is unavailable, as are the other two.
The only workarounds are to use Java 6's jarsigner, or to find a TSA that does not send this response.
A documented option to jarsigner to disable this would suffice.
REGRESSION. Last worked in version 6u31
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Sign a jar file with jarsigner, supplying -tsa https://timestamp.geotrust.com/tsa
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The signed jar file with timestamp from the TSA.
ACTUAL -
jarsigner: unable to sign jar: javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
ERROR MESSAGES/STACK TRACES THAT OCCUR :
jarsigner: unable to sign jar: javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Use Java 6
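
Added example, not part of the original report or of the JDK: a TLS record-layer parser that tells a warning-level `unrecognized_name` alert, after which the server carries on with ServerHello, apart from a fatal one. It assumes the TSA's alert is warning-level, which would fit the report's observation that browsers complete the connection; the byte strings are constructed, not captured from the TSA.

```python
import struct

ALERT, HANDSHAKE = 21, 22      # TLS record content types
WARNING, FATAL = 1, 2          # alert levels
UNRECOGNIZED_NAME = 112        # alert description used for SNI mismatches
SERVER_HELLO = 2               # handshake message type

def records(stream):
    """Yield (content_type, payload) for each TLS record in a byte stream."""
    pos = 0
    while pos < len(stream):
        if pos + 5 > len(stream):
            raise ValueError("truncated record header at offset %d" % pos)
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body at offset %d" % pos)
        yield ctype, payload
        pos += 5 + length

def classify(stream):
    """Report how the server answered the client's SNI name."""
    warned = False
    for ctype, payload in records(stream):
        if ctype == ALERT and len(payload) == 2 and payload[1] == UNRECOGNIZED_NAME:
            if payload[0] == FATAL:
                return "fatal unrecognized_name: server aborted the handshake"
            warned = True
        elif ctype == HANDSHAKE and payload[:1] == bytes([SERVER_HELLO]):
            if warned:
                return "warning unrecognized_name: server continued with ServerHello"
            return "no SNI alert"
    return "warning unrecognized_name only" if warned else "no ServerHello seen"

# Constructed sample flights (TLS 1.0 record version 03 01), not captured traffic.
WARN_ALERT = bytes.fromhex("1503010002") + bytes([WARNING, UNRECOGNIZED_NAME])
FATAL_ALERT = bytes.fromhex("1503010002") + bytes([FATAL, UNRECOGNIZED_NAME])
# Minimal ServerHello: version, 32-byte random, empty session id, cipher, compression.
SERVER_HELLO_REC = (bytes.fromhex("160301002a" "02000026" "0301")
                    + bytes(32) + bytes.fromhex("00" "002f" "00"))

if __name__ == "__main__":
    print(classify(WARN_ALERT + SERVER_HELLO_REC))
    print(classify(FATAL_ALERT))
    print(classify(SERVER_HELLO_REC))
```

A client that proceeds past a warning-level alert completes the first exchange, while one that treats every alert as fatal stops at the first record.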