Thanks very much, really appreciate it. On Mon, Jan 4, 2016 at 5:14 PM, Kevin Rushforth <kevin.rushfo...@oracle.com> wrote:
> We'll take a closer look at it then.
>
> -- Kevin
>
> Michael Ennen wrote:
> > Kevin,
> >
> > After some further exploration I see that indeed certificate revocation
> > does seem to be enabled through:
> >
> > Security.setProperty("ocsp.enable", "true");
> > System.setProperty("com.sun.security.enableCRLDP", "true");
> > System.setProperty("com.sun.net.ssl.checkRevocation", "true");
> >
> > However, this only seems to activate CRL (as Wireshark and OCSP debug
> > properties both show no OCSP-related activity) and furthermore, and more
> > importantly, this will cause JavaFX WebView to throw an SSL handshake
> > failed message (which, by the way, could certainly be more informative and
> > better implemented by passing along the exception cause Throwable instance)
> > for apparent false positives. That is, just try connecting to, for
> > example, https://www.coinbase.com/ with the 3 properties above enabled (it
> > fails).
> >
> > Thanks,
> >
> > On Mon, Jan 4, 2016 at 3:23 PM, Kevin Rushforth <kevin.rushfo...@oracle.com>
> > wrote:
> >
> > > Try the following:
> > >
> > > System.setProperty("com.sun.net.ssl.checkRevocation", "true");
> > >
> > > -- Kevin
> > >
> > > Michael Ennen wrote:
> > > > Hello,
> > > >
> > > > I will keep this short and brief. If one attempts to use the WebView
> > > > control to load the following page:
> > > >
> > > > https://revoked.grc.com/
> > > >
> > > > The page is loaded, the SSL handshake completes successfully, the page is
> > > > displayed, no exceptions are thrown
> > > > (e.g. webView.getEngine().getLoadWorker().getException() is null) and the
> > > > WorkerState goes to Worker.State.SUCCEEDED.
> > > >
> > > > However, the certificate of this page is indeed revoked.
> > > >
> > > > I understand that the WebView uses HttpsUrlConnection under the covers, and
> > > > so I did some googling about OCSP/CRL (which are certificate revocation
> > > > protocols, for lack of a better term). It seems that OCSP can be enabled
> > > > via:
> > > >
> > > > Security.setProperty("ocsp.enable", "true");
> > > >
> > > > and, as a fallback, CRL can be enabled via:
> > > >
> > > > System.setProperty("com.sun.security.enableCRLDP", "true");
> > > >
> > > > However, neither of these makes any difference in regards to the successful
> > > > outcome posted above.
> > > >
> > > > One really disgusting workaround to this problem would be to write a
> > > > TrustManager (which is extremely difficult in my estimation, and prone to
> > > > error) that checks for certificate revocation (by using, for example,
> > > > the sun.security.provider.certpath.OCSPChecker class) but since there is no
> > > > way to hook into the validation check of an existing TrustManager, all of
> > > > the existing functionality would have to be duplicated.
> > > >
> > > > Considering the WebView can be used essentially as a browser (especially
> > > > given the fact that it is based on WebKit) I think this is quite a serious
> > > > issue (and indeed is a serious issue for my particular application).
> > > >
> > > > Has anyone run into this problem and come up with a solution? Is this a
> > > > known bug? Is there anything I can do to fix it?
> > > >
> > > > Thanks very much,

--
Michael Ennen
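[Editor's note, not part of the thread above.] The thread discusses two mechanisms: the JVM-wide properties (ocsp.enable, com.sun.security.enableCRLDP, com.sun.net.ssl.checkRevocation) and a hand-written TrustManager that duplicates all of PKIX validation. The example below is an added illustration, not code from the thread or from the OpenJFX project, of a third option available since JDK 8: java.security.cert.PKIXRevocationChecker, which plugs revocation checking (OCSP first, CRL distribution points as fallback) into the standard PKIX trust manager without re-implementing it, and lets you choose soft-fail for unreachable responders versus hard-fail for a definitive "revoked" answer. It also walks the cause chain of the SSLHandshakeException to surface the CertPathValidatorException reason, which is the information the thread complains WebView hides. Assumptions: the JDK's cacerts keystore at the default path with the default password "changeit" is used as the trust anchor set; the handshake is exercised through a plain HttpsURLConnection, and whether JavaFX WebView honours HttpsURLConnection.setDefaultSSLSocketFactory is not established by the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the thread or OpenJFX): per-SSLContext revocation
 * checking via PKIXRevocationChecker (JDK 8+) instead of the global
 * ocsp.enable / enableCRLDP / checkRevocation properties.
 */
public class RevocationCheckDemo {

    /** Builds an SSLContext whose PKIX trust manager does OCSP with CRL fallback. */
    static SSLContext revocationCheckingContext(boolean softFail) throws Exception {
        // Trust anchors: the JDK's own cacerts (assumed default path and password).
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(
                Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toFile())) {
            cacerts.load(in, "changeit".toCharArray());
        }

        // The JDK's own revocation checker: OCSP first, CRL distribution points as fallback.
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        EnumSet<PKIXRevocationChecker.Option> opts =
                EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        // SOFT_FAIL tolerates unreachable OCSP responders / CRL endpoints (the
        // "apparent false positive" class of failures) but still fails hard when
        // a responder or CRL says the certificate is revoked.
        if (softFail) {
            opts.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        checker.setOptions(opts);

        PKIXBuilderParameters pkix = new PKIXBuilderParameters(cacerts, new X509CertSelector());
        pkix.addCertPathChecker(checker);   // used in place of the default revocation mechanism
        pkix.setRevocationEnabled(true);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Walks the cause chain to report why path validation failed (e.g. REVOKED). */
    static String explain(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof CertPathValidatorException) {
                CertPathValidatorException cpve = (CertPathValidatorException) c;
                return cpve.getReason() + ": " + cpve.getMessage();
            }
        }
        return t.toString();
    }

    public static void main(String[] args) throws Exception {
        // Usage: java RevocationCheckDemo [url] [softFail]
        String url = args.length > 0 ? args[0] : "https://revoked.grc.com/";
        boolean softFail = args.length > 1 && Boolean.parseBoolean(args[1]);

        SSLContext ctx = revocationCheckingContext(softFail);
        // Affects every HttpsURLConnection in this JVM that uses the default factory.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        try {
            conn.connect();
            System.out.println("handshake OK: " + conn.getCipherSuite());
        } catch (SSLHandshakeException e) {
            // For a revoked leaf the reason is CertPathValidatorException.BasicReason.REVOKED;
            // an unreachable responder without SOFT_FAIL shows UNDETERMINED_REVOCATION_STATUS.
            System.out.println("handshake failed: " + explain(e));
        } finally {
            conn.disconnect();
        }
    }
}
```

Run it against the revoked test host from the thread with and without the soft-fail flag: a definitive revocation should fail in both modes, while a host whose OCSP responder cannot be reached fails only in the hard-fail mode. Compare that against the global-property approach to tell a genuine revocation from a responder outage before deciding the WebView result is a false positive.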