JavaFX WebView TLS/SSL Certificate Revocation Check
Michael Ennen
mike.ennen at gmail.com
Tue Jan 5 00:03:06 UTC 2016
Kevin,
After some further exploration I see that indeed certificate revocation
does seem to be enabled through:
Security.setProperty("ocsp.enable", "true");
System.setProperty("com.sun.security.enableCRLDP", "true");
System.setProperty("com.sun.net.ssl.checkRevocation", "true");
However, this only seems to activate CRL (as Wireshark and the OCSP debug
properties both show no OCSP-related activity) and furthermore, and more
importantly, this will cause JavaFX WebView to throw an SSL handshake
failed message (which, by the way, could certainly be more informative and
better implemented by passing along the exception cause Throwable instance)
for apparent false positives. That is, just try connecting to, for example,
https://www.coinbase.com/ with the 3 properties above enabled (it fails).
Thanks,
On Mon, Jan 4, 2016 at 3:23 PM, Kevin Rushforth <kevin.rushforth at oracle.com>
wrote:
> Try the following:
>
> System.setProperty("com.sun.net.ssl.checkRevocation", "true");
>
> -- Kevin
>
>
> Michael Ennen wrote:
>
>> Hello,
>>
>> I will keep this short and brief. If one attempts to use the WebView
>> control to load the following page:
>>
>> https://revoked.grc.com/
>>
>> The page is loaded, SSL handshake completes successfully, and it is
>> displayed and no exceptions are thrown
>> (e.g. webView.getEngine().getLoadWorker().getException() is null) and the
>> WorkerState goes to Worker.State.SUCCEEDED.
>>
>> However, the certificate of this page is indeed revoked.
>>
>> I understand that the WebView uses HttpsURLConnection under the covers,
>> and
>> so I did some googling about OCSP/CRL (which are certificate revocation
>> protocols, for lack of a better term). It seems that OCSP can be enabled
>> via:
>>
>> Security.setProperty("ocsp.enable", "true");
>>
>> and, as a fallback, CRL can be enabled via:
>>
>> System.setProperty("com.sun.security.enableCRLDP", "true");
>>
>> However, neither of these make any difference in regards to the successful
>> outcome posted above.
>>
>> One really disgusting workaround to this problem would be to write a
>> TrustManager (which is extremely difficult in my estimation, and prone to
>> error) that checks for certificate revocation (by using, for example,
>> the sun.security.provider.certpath.OCSPChecker class) but since there is
>> no
>> way to hook into the validation check of an existing TrustManager, all of
>> the existing functionality would have to be duplicated.
>>
>> Considering the WebView can be used essentially as a browser (especially
>> given the fact that it is based on WebKit) I think this is quite a serious
>> issue (and indeed is a serious issue for my particular application).
>>
>> Has anyone run into this problem and come up with a solution? Is this a
>> known bug? Is there anything I can do to fix it?
>>
>> Thanks very much,
>>
>
--
Michael Ennen
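As an added example (written for this thread; it is not code from the thread, from OpenJFX or from the JDK), here is how the revocation check the messages above try to switch on with the three properties can instead be configured explicitly on Java 8 with the public PKIXRevocationChecker API. With an explicit checker, OCSP is tried first and CRLs are the fallback, and the SOFT_FAIL option separates a positively revoked certificate (still rejected) from a chain whose status could not be determined because the responder or CRL was unreachable, which is one way a site with a valid certificate can fail the handshake in hard-fail mode. The example assumes the JDK's default trust anchors and, as the original post supposes, that WebView's HTTPS traffic goes through HttpsURLConnection; the class name, the explain() helper and the "soft" command-line argument are this example's own.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Example written for this thread; not part of OpenJFX or the JDK.
public final class RevocationCheckingTrust {

    /**
     * Builds an SSLContext whose PKIX trust manager checks revocation
     * (OCSP first, CRL as fallback) for every server certificate chain.
     * softFail=true lets the handshake proceed when the status cannot be
     * determined (responder down, no AIA/CDP URL); a certificate that is
     * positively revoked is rejected either way.
     */
    public static SSLContext build(boolean softFail) throws Exception {
        // Reuse the JDK's default trust anchors instead of hard-coding a cacerts path.
        TrustManagerFactory defaults =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        defaults.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : defaults.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(ca, null));
                }
            }
        }

        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, new X509CertSelector());
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        EnumSet<PKIXRevocationChecker.Option> opts = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        if (softFail) {
            opts.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        checker.setOptions(opts);
        // An explicitly added PKIXRevocationChecker is used in place of the provider's
        // default, property-driven (checkRevocation / ocsp.enable / enableCRLDP) check.
        params.addCertPathChecker(checker);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Digs the CertPathValidatorException out of a handshake failure and names the reason. */
    public static String explain(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof CertPathValidatorException) {
                // REVOKED = genuine revocation; UNDETERMINED_REVOCATION_STATUS = OCSP/CRL unreachable
                return "cert path invalid, reason " + ((CertPathValidatorException) c).getReason();
            }
        }
        return t.toString();
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "https://revoked.grc.com/";
        boolean softFail = args.length > 1 && args[1].equals("soft");
        // Install for every HttpsURLConnection in the JVM, which (per the original post,
        // an assumption here) is what WebView uses underneath.
        HttpsURLConnection.setDefaultSSLSocketFactory(build(softFail).getSocketFactory());

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        try {
            conn.connect();
            System.out.println(url + ": handshake OK, HTTP " + conn.getResponseCode());
        } catch (SSLHandshakeException e) {
            System.out.println(url + ": handshake failed: " + explain(e));
        } finally {
            conn.disconnect();
        }
    }
}
```

Run it once against the revoked test host and once against an ordinary site, with and without "soft" as the second argument; `-Djava.security.debug=certpath` on the command line shows the OCSP requests and CRL downloads the checker actually makes, which is the quickest way to confirm which mechanism fired. None of the three properties from the thread are needed when the checker is added this way.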