本檔案說明最新Java更新中斷使用存取控制清單(ACL)和重新導向之請求者布建以及部分訪客流程時發生的問題。
錯誤位於CiscoSPWDownloadFacilator中,並顯示「無法驗證證書」。將不會執行應用程式。
如果按一下More Information,您會收到抱怨證書撤銷清單(CRL)的輸出。
java.security.cert.CertificateException: java.security.cert.
CertPathValidatorException: java.io.IOException: DerInputStream.getLength():
lengthTag=127, too big.
at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.isTrustedByTrustDecider
(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.getTrustedCodeSources(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy
(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement
(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile
(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$1000
(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen
(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
... 34 more
Caused by: java.security.cert.CertPathValidatorException:
java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
... 35 more
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
at sun.security.util.DerInputStream.getLength(Unknown Source)
at sun.security.util.DerValue.init(Unknown Source)
at sun.security.util.DerValue.<init>(Unknown Source)
at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
... 38 more
在最新版本的Java (版本7,更新25 ― 2013年8月5日發佈)中,Oracle引入了新的預設設定,強制客戶端根據任何CRL或線上證書狀態協定(OCSP)驗證與任何applet關聯的證書。
思科與這些applet關聯的簽名證書具有列出的CRL和OCSP與Thawte。由於這項新變更,當Java使用者端嘗試連線至Thawte時,連線埠ACL和/或重新導向ACL會封鎖該使用者端。
此問題在思科漏洞ID CSCui46739下跟蹤。
[user@user-linux logs]$ nslookup
> crl.thawte.com
Server: 64.102.6.247
Address: 64.102.6.247#53
Non-authoritative answer:
crl.thawte.com canonical name = crl.ws.symantec.com.edgekey.net.
crl.ws.symantec.com.edgekey.net canonical name = e6845.ce.akamaiedge.net.
Name: e6845.ce.akamaiedge.net
Address: 23.5.245.163
> ocsp.thawte.com
Server: 64.102.6.247
Address: 64.102.6.247#53
Non-authoritative answer:
ocsp.thawte.com canonical name = ocsp.verisign.net.
Name: ocsp.verisign.net
Address: 199.7.48.72
如果這些DNS名稱變更且使用者端解析其他內容,請使用更新的位址重新寫入重新導向URL。
重定向ACL示例:
5 remark ISE IP address
10 deny ip any host X.X.X.X (467 matches)
15 remark crl.thawte.com
20 deny ip any host 23.5.245.163 (22 matches)
25 remark ocsp.thawte.com
30 deny ip any host 199.7.52.72
40 deny udp any any eq domain (10 matches)
50 permit tcp any any eq www (92 matches)
60 permit tcp any any eq 443 (58 matches)
測試顯示OSCP和CRL URL解析為以下IP地址:
OCSP
199.7.48.72
199.7.51.72
199.7.52.72
199.7.55.72
199.7.54.72
199.7.57.72
199.7.59.72
CRL
23.4.53.163
23.5.245.163
23.13.165.163
23.60.133.163
23.61.69.163
23.61.181.163
這可能不是完整的清單,而且可能會根據地理區域而變更,因此必須測試以瞭解主機在每個執行處理中解析的IP位址。
在Java控制台的高級部分中,將執行證書吊銷檢查設定為不檢查(不推薦)。
OSX:系統偏好設定> Java
進階
使用執行憑證撤銷:變更為「不檢查(不建議)」
Windows:控制台> Java
進階
使用執行憑證撤銷:變更為「不檢查(不建議)」
修訂 | 發佈日期 | 意見 |
---|---|---|
1.0 |
05-Aug-2013 |
初始版本 |