JDK-8169117 : Code signing certificate revocation check is not working behind authenticated proxy
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 8u5
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_7
  • CPU: x86
  • Submitted: 2015-10-01
  • Updated: 2016-11-03
  • Resolved: 2016-11-03
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
Java Plug-in 11.5.2.13
Using JRE version 1.8.0_05-b13 Java HotSpot(TM) Client VM

EXTRA RELEVANT SYSTEM CONFIGURATION :
Windows OS, SQUID proxy with username / password authentication. NTLM is supported.

A DESCRIPTION OF THE PROBLEM :
Neither OCSP- nor CRL-based code signing certificate revocation checks work behind an authenticated proxy.



THE PROBLEM WAS REPRODUCIBLE WITH -Xint FLAG: Did not try

THE PROBLEM WAS REPRODUCIBLE WITH -server FLAG: Did not try

REGRESSION.  Last worked in version 8u5

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
- Ensure that either signer revocation check or full certificate revocation check is active in JCP advanced settings
- Applet is signed with a valid signer certificate (issued by Comodo)
- CA is trusted
- Workstation is protected by a proxy which requires authentication
- Applet loads with security prompt: "unable to ensure the certificate used to identify this application has not been revoked"

EXPECTED VERSUS ACTUAL BEHAVIOR :
- proxy authentication window is presented OR
- browser proxy authentication is used OR
- Java proxy authentication presets and saved data are used

ERROR MESSAGES/STACK TRACES THAT OCCUR :
network: Connecting http://ocsp.comodoca.com/ with proxy=HTTP @ foo.com/10.232.118.138:3128
security: Failing over to CRLs: java.io.IOException: Server returned HTTP response code: 407 for URL: http://ocsp.comodoca.com
network: Cache entry not found [url: http://crl.comodoca.com/COMODOCodeSigningCA2.crl, version: null]
network: Connecting http://crl.comodoca.com/COMODOCodeSigningCA2.crl with proxy=HTTP @ foo.com/10.232.118.138:3128
ui: missing resource: java.util.MissingResourceException: Can't find resource for bundle com.sun.deploy.resources.Deployment, key Revocation Status Unknown
security: Revocation Status Unknown
com.sun.deploy.security.RevocationChecker$StatusUnknownException: java.io.IOException: Server returned HTTP response code: 407 for URL: http://ocsp.comodoca.com
	at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
	at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
	at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
	at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
	at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
Domain policy restricts users from overriding default Java security settings. Applet is not usable despite buying a legitimate code signing certificate.


Comments
Closing this as a duplicate of JDK-8061648 which has a fix for later version. Written back to the submitter for confirmation.
27-10-2016
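
Added example (not part of the original report or of the JDK): a Python triage of the Java console trace quoted in the description, separating "revocation status unknown because the proxy answered HTTP 407" from other outcomes. The function name `triage` and the result keys are hypothetical; the sample lines are copied from the trace above with the `ui:` line and stack frames omitted.

```python
import re
from urllib.parse import urlsplit

# Console lines taken from the report above (ui: line and stack frames omitted).
SAMPLE_TRACE = """\
network: Connecting http://ocsp.comodoca.com/ with proxy=HTTP @ foo.com/10.232.118.138:3128
security: Failing over to CRLs: java.io.IOException: Server returned HTTP response code: 407 for URL: http://ocsp.comodoca.com
network: Cache entry not found [url: http://crl.comodoca.com/COMODOCodeSigningCA2.crl, version: null]
network: Connecting http://crl.comodoca.com/COMODOCodeSigningCA2.crl with proxy=HTTP @ foo.com/10.232.118.138:3128
security: Revocation Status Unknown
com.sun.deploy.security.RevocationChecker$StatusUnknownException: java.io.IOException: Server returned HTTP response code: 407 for URL: http://ocsp.comodoca.com
"""

CONNECT = re.compile(r"^network: Connecting (\S+) with proxy=\S+ @ (\S+)")
HTTP_ERR = re.compile(r"Server returned HTTP response code: (\d{3}) for URL: (\S+)")

def triage(trace):
    """Summarise why a revocation check ended without a definite answer."""
    via_proxy = {}    # responder host -> proxy it was reached through
    http_errors = {}  # responder host -> set of HTTP status codes returned
    failed_over = status_unknown = False
    for line in trace.splitlines():
        m = CONNECT.match(line)
        if m:
            via_proxy[urlsplit(m.group(1)).hostname] = m.group(2)
        for code, url in HTTP_ERR.findall(line):
            http_errors.setdefault(urlsplit(url).hostname, set()).add(int(code))
        failed_over |= line.startswith("security: Failing over to CRLs")
        status_unknown |= line.startswith("security: Revocation Status Unknown")
    # 407 is the proxy asking for credentials: the responder was never reached,
    # so the trace says nothing about whether the certificate is revoked.
    blocked = sorted(h for h, codes in http_errors.items() if 407 in codes)
    if status_unknown and blocked:
        cause = "proxy-auth-required"
    elif status_unknown:
        cause = "unknown-other"
    else:
        cause = "none"
    return {
        "status_unknown": status_unknown,
        "ocsp_failed_over_to_crl": failed_over,
        "blocked_by_407": [(h, via_proxy.get(h)) for h in blocked],
        "cause": cause,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```
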