預設情況下，Java更新會實施CRL檢查，以阻止NSP和訪客流

簡介

本檔案說明最新Java更新中斷使用存取控制清單(ACL)和重新導向之請求者布建以及部分訪客流程時發生的問題。

背景資訊

錯誤位於CiscoSPWDownloadFacilator中，並顯示「無法驗證證書」。將不會執行應用程式。

如果按一下More Information，您會收到抱怨證書撤銷清單(CRL)的輸出。

java.security.cert.CertificateException: java.security.cert.
CertPathValidatorException: java.io.IOException: DerInputStream.getLength(): 
lengthTag=127, too big.
	at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
	at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
	at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
	at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
	at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
	at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.isTrustedByTrustDecider
        (Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.getTrustedCodeSources(Unknown Source)
	at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy
        (Unknown Source)
	at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement
        (Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile
        (Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$1000
        (Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen
        (Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
	at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
	at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
	at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
	Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
		at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
		... 34 more
Caused by: java.security.cert.CertPathValidatorException: 
java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	... 35 more
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
	at sun.security.util.DerInputStream.getLength(Unknown Source)
	at sun.security.util.DerValue.init(Unknown Source)
	at sun.security.util.DerValue.<init>(Unknown Source)
	at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
	... 38 more

問題

在最新版本的Java （版本7，更新25 ― 2013年8月5日發佈）中，Oracle引入了新的預設設定，強制客戶端根據任何CRL或線上證書狀態協定(OCSP)驗證與任何applet關聯的證書。

思科與這些applet關聯的簽名證書具有列出的CRL和OCSP與Thawte。由於這項新變更，當Java使用者端嘗試連線至Thawte時，連線埠ACL和/或重新導向ACL會封鎖該使用者端。

此問題在思科漏洞ID CSCui46739下跟蹤。

解決方案

選項1 -交換機或無線控制器端修復

1. 重寫任何重定向或基於埠的ACL，以允許流量到達Thawte和Verisign。遺憾的是，此選項有一個限制，即無法從域名建立ACL。
2. 手動解析CRL清單，並將其放入重新導向ACL中。

注意：如果客戶端需要透過防火牆進行通訊，則可能需要更新防火牆規則。

[user@user-linux logs]$ nslookup
> crl.thawte.com
Server:         64.102.6.247
Address:        64.102.6.247#53

Non-authoritative answer:
crl.thawte.com  canonical name = crl.ws.symantec.com.edgekey.net.
crl.ws.symantec.com.edgekey.net canonical name = e6845.ce.akamaiedge.net.
Name:   e6845.ce.akamaiedge.net
Address: 23.5.245.163

> ocsp.thawte.com
Server:         64.102.6.247
Address:        64.102.6.247#53

Non-authoritative answer:
ocsp.thawte.com canonical name = ocsp.verisign.net.
Name:   ocsp.verisign.net
Address: 199.7.48.72

如果這些DNS名稱變更且使用者端解析其他內容，請使用更新的位址重新寫入重新導向URL。

重定向ACL示例：

     5 remark ISE IP address
    10 deny ip any host X.X.X.X (467 matches)
    15 remark crl.thawte.com
    20 deny ip any host 23.5.245.163 (22 matches)
    25 remark ocsp.thawte.com
    30 deny ip any host 199.7.52.72
    40 deny udp any any eq domain (10 matches)
    50 permit tcp any any eq www (92 matches)
    60 permit tcp any any eq 443 (58 matches)

測試顯示OSCP和CRL URL解析為以下IP地址：

OCSP
199.7.48.72
199.7.51.72
199.7.52.72
199.7.55.72
199.7.54.72
199.7.57.72
199.7.59.72

CRL
23.4.53.163
23.5.245.163
23.13.165.163
23.60.133.163
23.61.69.163
23.61.181.163

這可能不是完整的清單，而且可能會根據地理區域而變更，因此必須測試以瞭解主機在每個執行處理中解析的IP位址。

選項2 -客戶端修復

在Java控制台的高級部分中，將執行證書吊銷檢查設定為不檢查（不推薦）。

   OSX：系統偏好設定> Java
           進階
           使用執行憑證撤銷：變更為「不檢查（不建議）」

   Windows：控制台> Java
           進階
           使用執行憑證撤銷：變更為「不檢查（不建議）」