java-web-startocsp

Java Web Start: Certificate does not specify OCSP responder

I try to connect with Java 8 via HTTPS to a JNLP file on a an intranet server which has a self-signed TLS certificate.

When Java Web Start tries to load the first resource (a file from that server) specified in the JNLP try, it throws an exception:

javax.net.ssl.SSLHandshakeException: com.sun.deploy.security.RevocationChecker$StatusUnknownException: Certificate does not specify OCSP responder
at sun.security.ssl.Alerts.getSSLException(Unknown Source)

...

Caused by: com.sun.deploy.security.RevocationChecker$StatusUnknownException: Certificate does not specify OCSP responder
at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.checkRevocationStatus(Unknown Source)
at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
... 39 more
Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
    at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
    ... 46 more

Any idea?

Indeed we did not specify the OCSP responder. But is this really a problem? Interestingly this works on the machine of my workmates (they only get a warning). Some days ago I temporarily installed Java 9 to test something. Is it possible that this mixed something up? I uninstalled it again, btw.

My current workaround is to set “Perform TLS certificate revocation checks on” in the Java Control Panel (Tab “Advanced”) to “Do not check (not recommended)”. But I do not like that.

Solution

  • I got past this today, was just an issue with my certificates - recreated my Keystore, but my truststore was missing the new root/intermediate cert that was specified in the website's certificate. I went back and added the certs to the truststore and restarted the site, and it worked.

    keytool -import -trustcacerts -alias root -file NewRoot.cer -keystore cacerts

    keytool -import -trustcacerts -alias "Intermed Name Here" -file NewInt.cer -keystore cacerts

    -- I was going down a dead-end chasing the OCSP responder when Java was really checking CRL and OCSP, in that order. Fixing the Truststore / CAs was really all that was needed.

    Brent