We'll take a closer look at it then.
-- Kevin
Michael Ennen wrote:
Kevin,
After some further exploration I see that indeed certificate revocation
does seem to be enabled through:
Security.setProperty("ocsp.enable", "true");
System.setProperty("com.sun.security.enableCRLDP", "true");
System.setProperty("com.sun.net.ssl.checkRevocation", "true");
However, this only seems to activate CRL (as Wireshark and the OCSP debug
properties both show no OCSP-related activity) and furthermore, and more
importantly, this will cause JavaFX WebView to throw an SSL handshake
failed message (which, by the way, could certainly be more informative and
better implemented by passing along the exception cause Throwable instance)
for apparent false positives. That is, just try connecting to, for example,
https://www.coinbase.com/ with the 3 properties above enabled (it fails).
Thanks,
On Mon, Jan 4, 2016 at 3:23 PM, Kevin Rushforth <kevin.rushfo...@oracle.com> wrote:
Try the following:
System.setProperty("com.sun.net.ssl.checkRevocation", "true");
-- Kevin
Michael Ennen wrote:
Hello,
I will keep this short and brief. If one attempts to use the WebView
control to load the following page:
https://revoked.grc.com/
The page is loaded, the SSL handshake completes successfully, the page is
displayed, and no exceptions are thrown
(e.g. webView.getEngine().getLoadWorker().getException() is null) and the
WorkerState goes to Worker.State.SUCCEEDED.
However, the certificate of this page is indeed revoked.
I understand that the WebView uses HttpsUrlConnection under the covers, and
so I did some googling about OCSP/CRL (which are certificate revocation
protocols, for lack of a better term). It seems that OCSP can be enabled
via:
Security.setProperty("ocsp.enable", "true");
and, as a fallback, CRL can be enabled via:
System.setProperty("com.sun.security.enableCRLDP", "true");
However, neither of these makes any difference with regard to the successful
outcome posted above.
One really disgusting workaround to this problem would be to write a
TrustManager (which is extremely difficult in my estimation, and prone to
error) that checks for certificate revocation (by using, for example,
the sun.security.provider.certpath.OCSPChecker class) but since there is no
way to hook into the validation check of an existing TrustManager, all of
the existing functionality would have to be duplicated.
Considering the WebView can be used essentially as a browser (especially
given the fact that it is based on WebKit) I think this is quite a serious
issue (and indeed is a serious issue for my particular application).
Has anyone run into this problem and come up with a solution? Is this a
known bug? Is there anything I can do to fix it?
Thanks very much,
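The thread asks for a way to get revocation checking without rewriting a TrustManager from scratch. The standard JSSE answer (not code from this thread or from the JavaFX project) is to keep the JDK's own PKIX trust manager and hand it revocation parameters through PKIXRevocationChecker and CertPathTrustManagerParameters, so the existing validation logic is reused rather than duplicated. The example below, added here as an illustration, builds such an SSLContext and performs a HEAD request with HttpsURLConnection; it reports the CertPathValidatorException reason (e.g. REVOKED) that the original poster wished the WebView error surfaced. The class and method names are the example's own. Whether WebView picks up an SSLSocketFactory installed via HttpsURLConnection.setDefaultSSLSocketFactory is not established by this thread, so the example drives HttpsURLConnection directly.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Illustrative example (hypothetical class name): TLS client with PKIX revocation checking. */
public class RevocationCheckingClient {

    /**
     * Builds an SSLContext whose trust manager runs the JDK's PKIX path validation
     * with a PKIXRevocationChecker attached (OCSP preferred, CRL as fallback).
     * No validation logic is reimplemented; the default validator is configured.
     *
     * @param softFail if true, failing to obtain revocation status (network error,
     *                 unreachable responder) does not fail the handshake, while a
     *                 definitive "revoked" answer still does; if false, any failure
     *                 to determine status fails the handshake (hard fail).
     */
    public static SSLContext buildRevocationCheckingContext(boolean softFail) throws Exception {
        // Reuse the JRE's default trust anchors (cacerts) instead of hard-coding a path.
        TrustManagerFactory defaults = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        defaults.init((KeyStore) null);
        X509TrustManager defaultTm = (X509TrustManager) defaults.getTrustManagers()[0];
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : defaultTm.getAcceptedIssuers()) {
            anchors.add(new TrustAnchor(ca, null));
        }

        // Any peer end-entity certificate is an acceptable target for path building.
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(anchors, new X509CertSelector());

        // Obtain the platform's revocation checker; default order is OCSP then CRL.
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker revocation = (PKIXRevocationChecker) builder.getRevocationChecker();
        EnumSet<PKIXRevocationChecker.Option> options = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        if (softFail) {
            options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        revocation.setOptions(options);
        // Adding the checker makes revocation checking apply to every validated chain.
        pkix.addCertPathChecker(revocation);

        // Hand the PKIX parameters to the standard PKIX trust manager.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Performs a HEAD request over the revocation-checking context and returns a
     * one-line verdict. On handshake failure the CertPathValidatorException reason
     * (e.g. REVOKED) is extracted from the cause chain so the failure is explainable.
     */
    public static String probe(String url, boolean softFail) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(buildRevocationCheckingContext(softFail).getSocketFactory());
        conn.setRequestMethod("HEAD");
        try {
            conn.connect();
            return "handshake OK, HTTP " + conn.getResponseCode();
        } catch (SSLHandshakeException e) {
            Throwable cause = e;
            while (cause != null && !(cause instanceof CertPathValidatorException)) {
                cause = cause.getCause();
            }
            if (cause != null) {
                CertPathValidatorException cpve = (CertPathValidatorException) cause;
                return "handshake FAILED, reason=" + cpve.getReason() + ": " + cpve.getMessage();
            }
            return "handshake FAILED: " + e;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Default target is the revoked test host named in the thread; hard-fail mode.
        String url = args.length > 0 ? args[0] : "https://revoked.grc.com/";
        System.out.println(probe(url, false));
    }
}
```

Run with `-Djava.security.debug=certpath` to see the OCSP and CRL fetches the checker actually performs, which is the direct way to confirm whether OCSP is being attempted rather than inferring it from a packet capture. Hard fail (softFail=false) is the setting that turns an unreachable OCSP responder or CRL distribution point into a handshake failure, which is the class of apparent false positive described in the thread; SOFT_FAIL keeps a definitive "revoked" answer fatal while tolerating fetch failures.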