This discussion is archived
71 Replies. Latest reply: Nov 19, 2012 2:59 PM by EJP
  • 45. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
    924957 Newbie
    Out of 31, 31 and 7u4, 32 is the best... well at least in my case.

    Edited by: OTTO IT on May 16, 2012 3:58 PM
  • 46. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
    937854 Newbie
    But 6u30 doesn't have the issue at all?
  • 47. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
    941785 Newbie
    My company was having the same issues for both 6ur31 and r32. What I ended up doing was upgrading to Java version 7 r4. After the initial installation, I got the security alert, but after that, nothing. Good luck all and I hope this helps.
  • 48. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
    932271 Newbie
    Hi. The same issue after a clean install of Java 32. What to do?
    After a lot of months, are you able to fix the issue?
    Thanks.
  • 49. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
    944353 Newbie
    Same error. Updated from 6R30 to 7R4. After logging on with a basic user account to our squid proxied client I observed the raw connection logs for that PC.

    According to our proxy, the client is allowed to connect to https://crl.usertrust.com:443 automatically (JRE updates disabled so this must be a normal internal process of JAVA - something I am not happy with as I try to keep traffic to a minimum!)

    *2012.6.18 14:49:23 - 10.1.5.1 https://javadl-esd-secure.oracle.com:443 EXCEPTION Exception site match. CONNECT 1849 0 1 200 - default -*
    *2012.6.18 14:49:24 - 10.1.5.1 http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR0fzwAGHvPgR0qWvkJGdfHRUARnAQUr6RAr58W%2Fqsx%2FfvVl4v1kaMkhhYCEQDyHTNjpDsZqeptZbDoVJYh EXCEPTION Exception site match. GET 2273 0 1 200 - default -*
    *2012.6.18 14:49:24 - 10.1.5.1 http://crl.usertrust.com/USERTrustLegacySecureServerCA.crl EXCEPTION Exception site match. GET 1933 0 1 200 - default -*
    *2012.6.18 14:49:24 <username> 10.1.5.1 https://javadl-esd-secure.oracle.com:443 EXCEPTION Exception site match. CONNECT 3828 0 2 200 - staff -*

    Nothing else appears to go through the proxy, and the "revocation information for the security certificate...." error still pops up. I suspect something is trying to avoid the proxy (we don't bother logging, mainly google toolbar updates try to avoid the proxy along with unconfigured devices)

    I suppose I could install the certificate then extract and send it out via GPO to our hundreds of PCs but why should I? This didn't happen pre java update.

    Edited by: 941350 on 18-Jun-2012 07:00

    Edited by: 941350 on 18-Jun-2012 07:01
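
Added example (not part of the original posts): Python code that parses the proxy log lines quoted in reply 49, picks out the revocation traffic (OCSP and CRL fetches), and decodes the OCSP GET path, which is a base64 DER `OCSPRequest` per RFC 6960, into its CertID fields so the certificate serial being checked is visible. The column layout of the proxy log is an assumption inferred from the four lines shown, and the function names are hypothetical.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# The four proxy log lines from the post above ('*' markup removed).
LOG = """\
2012.6.18 14:49:23 - 10.1.5.1 https://javadl-esd-secure.oracle.com:443 EXCEPTION Exception site match. CONNECT 1849 0 1 200 - default -
2012.6.18 14:49:24 - 10.1.5.1 http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR0fzwAGHvPgR0qWvkJGdfHRUARnAQUr6RAr58W%2Fqsx%2FfvVl4v1kaMkhhYCEQDyHTNjpDsZqeptZbDoVJYh EXCEPTION Exception site match. GET 2273 0 1 200 - default -
2012.6.18 14:49:24 - 10.1.5.1 http://crl.usertrust.com/USERTrustLegacySecureServerCA.crl EXCEPTION Exception site match. GET 1933 0 1 200 - default -
2012.6.18 14:49:24 <username> 10.1.5.1 https://javadl-esd-secure.oracle.com:443 EXCEPTION Exception site match. CONNECT 3828 0 2 200 - staff -
"""
# Assumed field layout: date time user client url ... METHOD n n n HTTP-status
LINE = re.compile(r"^\S+ \S+ \S+ (\S+) (\S+) .*?\b(?:CONNECT|GET|POST) (?:\d+ ){3}(\d{3})\b", re.M)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: low bits give byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_ocsp_get(url):
    """Decode the first CertID of a GET-style OCSP request carried in the URL path."""
    b64 = unquote(urlsplit(url).path.lstrip("/"))
    buf = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    for _ in range(5):  # OCSPRequest > TBSRequest > requestList > Request > CertID
        tag, val, pos = read_tlv(buf, 0)
        while tag != 0x30:                 # skip optional [0] version / [1] requestorName
            tag, val, pos = read_tlv(buf, pos)
        buf = val
    _, alg, pos = read_tlv(buf, 0)         # AlgorithmIdentifier of the hash
    _, name_hash, pos = read_tlv(buf, pos)
    _, key_hash, pos = read_tlv(buf, pos)
    _, serial, _ = read_tlv(buf, pos)
    oid = read_tlv(alg, 0)[1].hex()        # 2b0e03021a is OID 1.3.14.3.2.26 (SHA-1)
    return {"hash_alg": "sha1" if oid == "2b0e03021a" else oid, "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(), "serial": format(int.from_bytes(serial, "big"), "x")}

def revocation_fetches(log=LOG):
    """Return the OCSP/CRL requests in the log with scheme, proxy status and CertID."""
    out = []
    for client, url, status in LINE.findall(log):
        u = urlsplit(url)
        kind = "ocsp" if u.hostname.startswith("ocsp.") else "crl" if u.path.endswith(".crl") else None
        if kind:
            out.append({"kind": kind, "client": client, "scheme": u.scheme, "status": int(status),
                        "cert_id": decode_ocsp_get(url) if kind == "ocsp" else None})
    return out
```

On the log above this returns two entries, one OCSP and one CRL request, both sent over plain HTTP and both answered with status 200 through the proxy.
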
  • 50. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
    944353 Newbie
    Fixed via GPO by disabling updates AND updatecheck:

    I suspect it is the updatecheck that is causing the CRL validation to occur although I am happy to disable all updates to be honest.

    Hive        HKEY_LOCAL_MACHINE
    Key path    SOFTWARE\JavaSoft\Java Update\Policy
    Value name  EnableJavaUpdate
    Value type  REG_DWORD
    Value data  0x0 (0)

    Hive        HKEY_LOCAL_MACHINE
    Key path    SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy\
    Value name  EnableJavaUpdate
    Value type  REG_DWORD
    Value data  0x0 (0)

    Hive        HKEY_LOCAL_MACHINE
    Key path    SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy
    Value name  EnableAutoUpdateCheck
    Value type  REG_DWORD
    Value data  0x0 (0)

    Hive        HKEY_LOCAL_MACHINE
    Key path    SOFTWARE\JavaSoft\Java Update\Policy
    Value name  EnableAutoUpdateCheck
    Value type  REG_DWORD
    Value data  0x0 (0)
  • 51. Windows 7 Professional 64-bit with JDK/JRE 7u4 installed same problem
    945842 Newbie
    Popup - Security Alert
    Revocation information for the security certificate for this site is not
    available. Do you want to proceed?

    Yes/No/View Certificate buttons


    Here's the tail of my justsched.log file.

    .
    .
    Mon Jun 25 19:42:00 2012
    :: Timeout occured. Run Java update [Critical] now.

    Mon Jun 25 19:42:00 2012
    :: Time for a Java Update [Critical] check.

    Tue Jun 26 04:15:15 2012
    :: JavaUpdate [Critical] : Current time is <4 days past last scheduled time, Setting sleeptime to next 1hr window (7 hour delay): Tue Jun 26 09:42:00 2012

    Tue Jun 26 04:15:15 2012
    :: JavaUpdate : LastFinishTime is after LastScheduledTime, sleeping until next schedule Time: Sun Jul 01 11:23:00 2012

    Tue Jun 26 04:15:15 2012
    :: JavaUpdate [Critical] NextSchedTime=Mon Jul 02 19:42:00 2012
    JavaFXUpdate NextSchedTime=Sun Jul 01 11:23:00 2012
    JavaUpdate [Critical]lastSchedTime=Mon Jun 25 19:42:00 2012
    JavaUpdate [Critical]nextSchedTime=Mon Jul 02 19:42:00 2012
    JavaUpdate [Critical]sleeptime (sec=19605, hours=5, days=0.23)
    actual sleep time=19605000 msecs (5:26:45) for JavaUpdate [Critical]


    cURL report for command

    curl --trace-ascii curl.out "https://javadl-esd-secure.oracle.com/update/1.7.0/map-m-1.7.0.xml"

    is

    curl: (60) SSL certificate problem: self signed certificate in certificate chain

    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
    of Certificate Authority (CA) public keys (CA certs). If the default
    bundle file isn't adequate, you can specify an alternate file
    using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
    the -k (or --insecure) option.

    adding -k output is:

    <?xml version="1.0" encoding="ISO-8859-1" standalone="yes" ?>

    <java-update-map version="1.0">
    <mapping>
    <version>1.6.0_18</version>
    <os>win7, winvista, win2008R2, winlong</os>
    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-uac-1.6.0_20-b76.xml</url>
    </mapping>
    <mapping>
    <version>1.6.0_18</version>
    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-1.6.0_33-b70.xml</url>
    </mapping>
    <mapping>
    <version>1.6.0_19</version>
    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-1.6.0_33-b70.xml</url>
    </mapping>
    <mapping>
    <version>1.6.0_20</version>
    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-1.6.0_33-b70.xml</url>
    </mapping>
    <mapping>
    <version>1.6.0_21</version>
    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-1.6.0_33-b70.xml</url>
    </mapping>
    <mapping>
    <version>1.6.0_22</version>
    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-1.6.0_33-b70.xml</url>
    </mapping>
    <mapping>
    <version>1.6.0_23</version>
    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-1.6.0_33-b70.xml</url>
    </mapping>
    <mapping>
    <version>1.6.0_24</version>
    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-1.6.0_33-b70.xml</url>
    </mapping>
    <mapping>
    <version>1.6.0_25</version>
    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-1.6.0_33-b70.xml</url>
    </mapping>
    <mapping>
    <version>1.6.0_26</version>
    <url>https://javadl-esd-secure.oracle.com/update/1.6.0/au-descriptor-1.6.0_33-b70.xml</url>
    </mapping>
    <mapping>
    <version>1.6.0_27</version>
    <url>https://javadl-esd-secure.oracle.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml</url>
    </mapping>
    <mapping>
    <version>1.6.0_28</version>
    <url>https://javadl-esd-secure.oracle.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml</url>
    </mapping>
    <mapping>
    <version>1.6.0_29</version>
    <url>https://javadl-esd-secure.oracle.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml</url>
    </mapping>
    <mapping>
    <version>1.6.0_30</version>
    <url>https://javadl-esd-secure.oracle.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml</url>
    </mapping>
    <mapping>
    <version>1.6.0_31</version>
    <url>https://javadl-esd-secure.oracle.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml</url>
    </mapping>
    <mapping>
    <version>1.6.0_32</version>
    <url>https://javadl-esd-secure.oracle.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml</url>
    </mapping>
    <mapping>
    <version>1.7.0</version>
    <url>http://javadl-esd.sun.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml
    </url>
    </mapping>
    <mapping>
    <version>1.7.0_01</version>
    <url>http://javadl-esd.sun.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml
    </url>
    </mapping>
    <mapping>
    <version>1.7.0_02</version>
    <url>http://javadl-esd.sun.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml
    </url>
    </mapping>
    <mapping>
    <version>1.7.0_03</version>
    <url>https://javadl-esd-secure.oracle.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml</url>
    </mapping>
    <mapping>
    <version>1.7.0_04</version>
    <url>https://javadl-esd-secure.oracle.com/update/1.7.0/au-descriptor-1.7.0_05-b72.xml</url>
    </mapping>

    </java-update-map>

    and an 11.7kB curl.out file that I'll email to RogerL.

    Connection to https://crl.usertrust.com results in Firefox 13.0.1 presenting an error page Untrusted Connection.
    Upon expanding "Technical Details" one sees:

    crl.usertrust.com uses an invalid security certificate.

    The certificate is only valid for the following names:
    www.comodo.com , comodo.com

    (Error code: ssl_error_bad_cert_domain)


    Looks like they put the wrong site name in the certificate for crl.usertrust.com

    Edited by: 942839 on Jun 26, 2012 3:39 AM
  • 52. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
    948224 Newbie
    I'm having this issue on my machine when I came in as well, and I have 6 update 30 (build 1.6.0_30-br12). However it happens to a lot of machines here update 30 or newer.

    Yes .usertrust.com has an invalid certificate. How do we get it to their attention? It's because they redirect to comodo.com.

    I just added javadl-esd-secure.oracle.com and *.usertrust.com to the allowed domains category in our webfilter (cisco ironport) to see if that helps any.
  • 53. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
    damorgan Oracle ACE Director
    To reproduce it just download the nine "critical" updates Microsoft released in the last 24 hours.

    I can't tell you which one is responsible though there is a nice article at Ars Technica you might wish to read titled "Microsoft kills more code-signing certs to stop Flame-like attacks."
    http://arstechnica.com/security/2012/07/microsoft-certs-nixed-to-stop-flame/

    Looks like my friends down the street are at it again throwing code over the cubicle wall and letting everyone out here Beta test it for them.
  • 54. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
    RogerL (Oracle) Java Champion
    Please see this bug that has been opened:
    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7183043
  • 55. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
    948224 Newbie
    Thanks Roger.

    I hope this gets resolved soon. We are wasting support calls on this and when we can't fix a problem it makes us look bad.
  • 56. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
    949393 Newbie
    We are getting this error attempting to install jre-6u33-windows-i586.exe on many machines.

    CRL problem is with a java.com site: sjremetrics.java.com

    Please fix...
  • 57. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
    949393 Newbie
    FWIW, the error referenced above with the revocation error for sjremetrics.java.com when installing jre-6u33-windows-i586.exe seems to occur predominately on 64-bit machines (ie, installing the 32-bit jre on 64-bit machines).
  • 58. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
    948224 Newbie
    I am now getting this on my HOME computer as well! I thought maybe this was just a corporate problem with webfilters, firewall egress filtering, and other connection issues pulling the CRL from the internet.

    But no, my home pc on a residential cable modem gave me the same exact error that I am seeing in the business world at work.

    Home PC is running Windows 7 32-bit. The error message comes up right at log on.

    Why hasn't anything been done to correct this problem? Now the home user market is experiencing the issue. Even those people who have little to no technical knowledge or support. This has to be corrected.
  • 59. Re: Security Alert / Revocation info for the sec cert since installing JRE 6u31
    921255 Newbie
    We have Java 7u5 and 6u33 and are still seeing the problem that we started this thread with MONTHS ago .... Our fix is that we are starting to strip Java off machines where it is not absolutely critical to have it.

    Anyone else having any luck?
