1 2 3 4 5 Previous Next 71 Replies Latest reply: Nov 19, 2012 4:59 PM by EJP Go to original post RSS
      • 45. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
        924957
        Out of 31, 31 and 7u4, 32 is the best... well at least in my case.

        Edited by: OTTO IT on May 16, 2012 3:58 PM
        • 46. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
          937854
          But 6u30 doesn't have the issue at all ?
          • 47. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
            941785
            My company was having the same issues for both 6ur31 and r32. What I ended up doing was upgrading to Java version 7 r4. After the initial installation, I got the security alert, but after that, nothing. Goodluck all and I hope this helps.
            • 48. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
              932271
              Hi. the same issue after a clean install java 32. what to do?
              after a lot months are you able to fix the issue??
              thanks.
              • 49. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
                944353
                Same error. Updated from 6R30 to 7R4. After logging on with a basic user account to our squid proxyied client I observed the raw connection logs for that PC.

                According to our proxy, the client is allow to connect to https://crl.usertrust.com:443 automatcially (JRE updates disabled so this must be a normal internal process of JAVA - something I am not happy with as I try to keep traffic to a minimum!)

                *2012.6.18 14:49:23 - 10.1.5.1 https://javadl-esd-secure.oracle.com:443 EXCEPTION Exception site match. CONNECT 1849 0 1 200 - default -*
                *2012.6.18 14:49:24 - 10.1.5.1 http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR0fzwAGHvPgR0qWvkJGdfHRUARnAQUr6RAr58W%2Fqsx%2FfvVl4v1kaMkhhYCEQDyHTNjpDsZqeptZbDoVJYh EXCEPTION Exception site match. GET 2273 0 1 200 - default -*
                *2012.6.18 14:49:24 - 10.1.5.1 http://crl.usertrust.com/USERTrustLegacySecureServerCA.crl EXCEPTION Exception site match. GET 1933 0 1 200 - default -*
                *2012.6.18 14:49:24 <username> 10.1.5.1 https://javadl-esd-secure.oracle.com:443 EXCEPTION Exception site match. CONNECT 3828 0 2 200 - staff -*

                Nothing else appears to go through the proxy, and the "revocation information for the security certificate...." error still pops up. I suspect something is trying to avoid the proxy (we dont bother logging, mainly google toolbar updates try to avoid the proxy along with unconfigured devices)

                I suppose I could install the certificate then extract and send it out via GPO to our hundreds of PCs but why should I? This didnt happen pre java update.

                Edited by: 941350 on 18-Jun-2012 07:00

                Edited by: 941350 on 18-Jun-2012 07:01
                • 50. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
                  944353
                  Fixed via GPO by disabling updates AND updatecheck:

                  I suspect it is the updatecheck that is causing the CRL validation to occur although I am happy to disable all updates to be honest.

                  Hive HKEY_LOCAL_MACHINE

                  Key path SOFTWARE\JavaSoft\Java Update\Policy

                  Value name EnableJavaUpdate

                  Value type REG_DWORD

                  Value data 0x0 (0)


                  Hive HKEY_LOCAL_MACHINE

                  Key path SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy\

                  Value name EnableJavaUpdate

                  Value type REG_DWORD

                  Value data 0x0 (0)


                  Hive HKEY_LOCAL_MACHINE

                  Key path SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy

                  Value name EnableAutoUpdateCheck

                  Value type REG_DWORD

                  Value data 0x0 (0)


                  Hive HKEY_LOCAL_MACHINE

                  Key path SOFTWARE\JavaSoft\Java Update\Policy

                  Value name EnableAutoUpdateCheck

                  Value type REG_DWORD

                  Value data 0x0 (0)
                  • 51. Windows 7 Professional 64-bit with JDK/JRE 7u4 installed same problem
                    945842
                    Popup - Security Alert
                    Revocation information for the security certificate for this site is not
                    available. Do you want to proceed?

                    Yes/No/View Certificate buttons


                    Here's the tail of my justsched.log file.

                    .
                    .
                    Mon Jun 25 19:42:00 2012
                    :: Timeout occured. Run Java update [Critical] now.

                    Mon Jun 25 19:42:00 2012
                    :: Time for a Java Update [Critical] check.

                    Tue Jun 26 04:15:15 2012
                    :: JavaUpdate [Critical] : Current time is <4 days past last scheduled time, Setting sleeptime to next 1hr window (7 hour delay): Tue Jun 26 09:42:00 2012

                    Tue Jun 26 04:15:15 2012
                    :: JavaUpdate : LastFinishTime is after LastScheduledTime, sleeping until next schedule Time: Sun Jul 01 11:23:00 2012

                    Tue Jun 26 04:15:15 2012
                    :: JavaUpdate [Critical] NextSchedTime=Mon Jul 02 19:42:00 2012
                    JavaFXUpdate NextSchedTime=Sun Jul 01 11:23:00 2012
                    JavaUpdate [Critical]lastSchedTime=Mon Jun 25 19:42:00 2012
                    JavaUpdate [Critical]nextSchedTime=Mon Jul 02 19:42:00 2012
                    JavaUpdate [Critical]sleeptime (sec=19605, hours=5, days=0.23)
                    actual sleep time=19605000 msecs (5:26:45) for JavaUpdate [Critical]


                    cURL report for command

                    curl --trace -ascii curl.out "https://javadl-esd-secure.oracle.com/update/1.7.0/map-m-1.7.0.xml"

                    is

                    curl: (60) SSL certificate problem: self signed certificate in certificate chain

                    More details here: http://curl.haxx.se/docs/sslcerts.html

                    curl performs SSL certificate verification by default, using a "bundle"
                    of Certificate Authority (CA) public keys (CA certs). If the default
                    bundle file isn't adequate, you can specify an alternate file
                    using the --cacert option.
                    If this HTTPS server uses a certificate signed by a CA represented in
                    the bundle, the certificate verification probably failed due to a
                    problem with the certificate (it might be expired, or the name might
                    not match the domain name in the URL).
                    If you'd like to turn off curl's verification of the certificate, use
                    the -k (or --insecure) option.

                    adding -k output is:

                    <?xml version="1.0" encoding="ISO-8859-1" standalone="yes" ?>

                    <java-update-map version="1.0">
                    <mapping>
                    <version>1.6.0_18</version>
                    <os>win7, winvista, win2008R2, winlong</os>
                    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-uac-1.6.0_20-b76.xml</url>
                    </mapping>
                    <mapping>
                    <version>1.6.0_18</version>
                    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-1.6.0_33-b70.xml</url>
                    </mapping>
                    <mapping>
                    <version>1.6.0_19</version>
                    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-1.6.0_33-b70.xml</url>
                    </mapping>
                    <mapping>
                    <version>1.6.0_20</version>
                    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-1.6.0_33-b70.xml</url>
                    </mapping>
                    <mapping>
                    <version>1.6.0_21</version>
                    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-1.6.0_33-b70.xml</url>
                    </mapping>
                    <mapping>
                    <version>1.6.0_22</version>
                    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-1.6.0_33-b70.xml</url>
                    </mapping>
                    <mapping>
                    <version>1.6.0_23</version>
                    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-1.6.0_33-b70.xml</url>
                    </mapping>
                    <mapping>
                    <version>1.6.0_24</version>
                    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-1.6.0_33-b70.xml</url>
                    </mapping>
                    <mapping>
                    <version>1.6.0_25</version>
                    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-1.6.0_33-b70.xml</url>
                    </mapping>
                    <mapping>
                    <version>1.6.0_26</version>
                    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-1.6.0_33-b70.xml</url>
                    </mapping>
                    <mapping>
                    <version>1.6.0_27</version>
                    <url>https://javadl-esd-secure.oracle.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml</url>
                    </mapping>
                    <mapping>
                    <version>1.6.0_28</version>
                    <url>https://javadl-esd-secure.oracle.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml</url>
                    </mapping>
                    <mapping>
                    <version>1.6.0_29</version>
                    <url>https://javadl-esd-secure.oracle.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml</url>
                    </mapping>
                    <mapping>
                    <version>1.6.0_30</version>
                    <url>https://javadl-esd-secure.oracle.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml</url>
                    </mapping>
                    <mapping>
                    <version>1.6.0_31</version>
                    <url>https://javadl-esd-secure.oracle.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml</url>
                    </mapping>
                    <mapping>
                    <version>1.6.0_32</version>
                    <url>https://javadl-esd-secure.oracle.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml</url>
                    </mapping>
                    <mapping>
                    <version>1.7.0</version>
                    <url>http://javadl-esd.sun.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml
                    </url>
                    </mapping>
                    <mapping>
                    <version>1.7.0_01</version>
                    <url>http://javadl-esd.sun.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml
                    </url>
                    </mapping>
                    <mapping>
                    <version>1.7.0_02</version>
                    <url>http://javadl-esd.sun.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml
                    </url>
                    </mapping>
                    <mapping>
                    <version>1.7.0_03</version>
                    <url>https://javadl-esd-secure.oracle.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml</url>
                    </mapping>
                    <mapping>
                    <version>1.7.0_04</version>
                    <url>https://javadl-esd-secure.oracle.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml</url>
                    </mapping>

                    </java-update-map>

                    and an 11.7kB curl.out file that I'll email to RogerL.

                    Connection to https://crl.usertrust.com results in Firefox 13.0.1 presenting an error page Untrusted Connection.
                    Upon expanding "Technical Details" one sees:

                    crl.usertrust.com uses an invalid security certificate.

                    The certificate is only valid for the following names:
                    www.comodo.com , comodo.com

                    (Error code: ssl_error_bad_cert_domain)


                    Looks like they put the wrong site name in the certificate for crl.usertrust.com

                    Edited by: 942839 on Jun 26, 2012 3:39 AM
                    • 52. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
                      948224
                      I'm having this issue on my machine when I came in as well, and I have 6 update 30 (build 1.6.0_30-br12). However it happens to a lot of machines here update 30 or newer.

                      Yes .usertrust.com has an invalid certificate. How do we get it to their attention? Its because they redirect to comodo.com.

                      I just added javadl-esd-secure.oracle.com and *.usertrust.com to the allowed domains category in our webfilter (cisco ironport) to see if that helps any.
                      • 53. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
                        damorgan
                        To reproduce it just download the nine "critical" updates Microsoft released in the last 24 hours.

                        I can't tell you which one is responsible though there is a nice article at Ars Technica you might wish to read titled "Microsoft kills more code-signing certs to stop Flame-like attacks."
                        http://arstechnica.com/security/2012/07/microsoft-certs-nixed-to-stop-flame/

                        Looks like my friends down the street are at it again throwing code over the cubicle wall and letting everyone out here Beta test it for them.
                        • 54. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
                          Rogerl-Oracle
                          Please see this bug that has been opened:
                          http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7183043
                          • 55. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
                            948224
                            Thanks Roger.

                            I hope this gets resolved soon. We are wasting support calls on this and when we can't fix a problem it makes us look bad.
                            • 56. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
                              949393
                              We are getting this error attempting to install jre-6u33-windows-i586.exe on many machines.

                              CRL problem is with a java.com site: sjremetrics.java.com

                              Please fix...
                              • 57. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
                                949393
                                FWIW, the error referenced above with the revocation error for sjremetrics.java.com when installing jre-6u33-windows-i586.exe seems to occur predominately on 64-bit machines (ie, installing the 32-bit jre on 64-bit machines).
                                • 58. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
                                  948224
                                  I am now getting this on my HOME computer as well! I thought maybe this was just a corporate problem with webfilters, firewall egress filtering, and other connection issues pulling the CRL from the internet.

                                  But no, my home pc on a residential cable modem gave me the same exact error that I am seeing in the business world at work.

                                  Home PC is running Windows 7 32-bit. The error message comes up right at log on.

                                  Why hasn't anything been done to correct this problem? Now the home user market is experiencing the issue. Even those people who have little to no technical knowledge or support. This has to be corrected.
                                  • 59. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
                                    921255
                                    We have Java 7u5 and 6u33 and are still seeing the problem that we started this thread with MONTHS ago ....Our fix is that we are starting to strip Java off machines where it is not absolutely critical to have it.

                                    Anyone else having any luck?