Thanks very much, really appreciate it.

On Mon, Jan 4, 2016 at 5:14 PM, Kevin Rushforth <kevin.rushfo...@oracle.com>
wrote:

> We'll take a closer look at it then.
>
> -- Kevin
>
> Michael Ennen wrote:
>
> Kevin,
>
> After some further exploration I see that indeed certificate revocation
> does seem to be enabled through:
>
> Security.setProperty("ocsp.enable", "true");
> System.setProperty("com.sun.security.enableCRLDP", "true");
> System.setProperty("com.sun.net.ssl.checkRevocation", "true");
>
> However, this only seems to activate CRL (as Wireshark and the OCSP debug
> properties both show no OCSP-related activity) and furthermore, and more
> importantly, this will cause JavaFX WebView to throw an SSL handshake
> failed message (which, by the way, could certainly be more informative and
> better implemented by passing along the exception cause Throwable instance)
> for apparent false positives. That is, just try connecting to, for
> example, https://www.coinbase.com/ with the 3 properties above enabled (it
> fails).
>
> Thanks,
>
> On Mon, Jan 4, 2016 at 3:23 PM, Kevin Rushforth <kevin.rushfo...@oracle.com>
> wrote:
>
> Try the following:
>
>    System.setProperty("com.sun.net.ssl.checkRevocation", "true");
>
> -- Kevin
>
> Michael Ennen wrote:
>
> Hello,
>
> I will keep this short and brief. If one attempts to use the WebView
> control to load the following page:
> https://revoked.grc.com/
>
> The page is loaded, SSL handshake completes successfully, and it is
> displayed and no exceptions are thrown
> (e.g. webView.getEngine().getLoadWorker().getException() is null) and the
> WorkerState goes to Worker.State.SUCCEEDED.
>
> However, the certificate of this page is indeed revoked.
>
> I understand that the WebView uses HttpsUrlConnection under the covers, and
> so I did some googling about OCSP/CRL (which are certificate revocation
> protocols, for lack of a better term). It seems that OCSP can be enabled
> via:
>
> Security.setProperty("ocsp.enable", "true");
>
> and, as a fallback, CRL can be enabled via:
>
> System.setProperty("com.sun.security.enableCRLDP", "true");
>
> However, neither of these make any difference in regards to the successful
> outcome posted above.
>
> One really disgusting workaround to this problem would be to write a
> TrustManager (which is extremely difficult in my estimation, and prone to
> error) that checks for certificate revocation (by using, for example,
> the sun.security.provider.certpath.OCSPChecker class) but since there is no
> way to hook into the validation check of an existing TrustManager, all of
> the existing functionality would have to be duplicated.
>
> Considering the WebView can be used essentially as a browser (especially
> given the fact that it is based on WebKit) I think this is quite a serious
> issue (and indeed is a serious issue for my particular application).
>
> Has anyone run into this problem and come up with a solution? Is this a
> known bug? Is there anything I can do to fix it?
>
> Thanks very much,
>


-- 
Michael Ennen
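Added example, not code from the thread or from the JavaFX project: the thread tries to turn on revocation checking through global system/security properties and runs into hard failures when revocation data cannot be fetched. Since Java 8 the JSSE PKIX trust manager can instead be configured with a `PKIXRevocationChecker` (via `PKIXBuilderParameters` and `CertPathTrustManagerParameters`), which performs OCSP with CRL fallback without rewriting a TrustManager, lets you choose between hard-fail and soft-fail, and exposes the soft-fail exceptions so a "status unknown" result can be logged rather than silently accepted. The class name `RevocationCheckingTrust`, its methods, and the assumption that WebView picks up the process-wide default `HttpsURLConnection` socket factory (the thread only states that WebView uses HttpsUrlConnection) are this example's own.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical helper (not part of JavaFX): PKIX trust manager with OCSP/CRL revocation checks. */
public final class RevocationCheckingTrust {

    final SSLContext context;
    final PKIXRevocationChecker checker;   // kept so soft-fail exceptions can be inspected after a handshake

    private RevocationCheckingTrust(SSLContext context, PKIXRevocationChecker checker) {
        this.context = context;
        this.checker = checker;
    }

    /** Trust anchors of the JDK default truststore, read through a default-initialised PKIX factory. */
    static Set<TrustAnchor> defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init((KeyStore) null);                      // null selects the JDK default truststore
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(ca, null));
                }
            }
        }
        return anchors;
    }

    /**
     * softFail=false: an unreachable OCSP responder or CRL endpoint fails the handshake
     * (the hard-fail behaviour the thread reports as "false positives").
     * softFail=true: missing revocation data is tolerated but recorded in the checker;
     * a certificate whose status is known to be revoked is still rejected either way.
     */
    static RevocationCheckingTrust build(boolean softFail) throws Exception {
        PKIXBuilderParameters pkix =
                new PKIXBuilderParameters(defaultTrustAnchors(), new X509CertSelector());
        pkix.setRevocationEnabled(true);

        PKIXRevocationChecker rc = (PKIXRevocationChecker)
                CertPathValidator.getInstance("PKIX").getRevocationChecker();
        // Default order is OCSP first with CRL as fallback; Option.PREFER_CRLS would invert it.
        rc.setOptions(softFail ? EnumSet.of(Option.SOFT_FAIL) : EnumSet.noneOf(Option.class));
        pkix.addCertPathChecker(rc);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return new RevocationCheckingTrust(ctx, rc);
    }

    /** Opens the URL; returns true if the handshake completed, false if path validation rejected it. */
    boolean probe(String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(context.getSocketFactory());
        try (InputStream in = conn.getInputStream()) {
            in.read();
            return true;
        } catch (SSLHandshakeException e) {
            Throwable cause = e;                        // unwrap to the CertPathValidatorException
            while (cause.getCause() != null) cause = cause.getCause();
            System.err.println("rejected: " + cause);
            return false;
        } finally {
            // Only populated in SOFT_FAIL mode: revocation status could not be determined.
            for (CertPathValidatorException soft : checker.getSoftFailExceptions()) {
                System.err.println("soft-fail, status unknown: " + soft.getReason());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        boolean softFail = args.length > 1 && "soft".equals(args[1]);
        RevocationCheckingTrust t = build(softFail);
        // Process-wide default for HttpsURLConnection users; whether WebView honours it is an assumption.
        HttpsURLConnection.setDefaultSSLSocketFactory(t.context.getSocketFactory());
        String url = args.length > 0 ? args[0] : "https://revoked.grc.com/";
        System.out.println(url + " -> " + (t.probe(url) ? "accepted" : "rejected"));
    }
}
```

Run with `java RevocationCheckingTrust https://revoked.grc.com/` for the hard-fail configuration, or append `soft` to see the same site still rejected (its status is positively "revoked") while a site whose responder merely times out is accepted and the outage is reported through `getSoftFailExceptions()`. Hard-fail is the safer default for an embedded browser; if soft-fail is chosen to avoid the handshake failures described above, log those soft-fail exceptions, because an attacker who can block the responder otherwise makes the check invisible.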