Java 8U71 is out

Questions, answers, tips and ideas on Servoy Client

Re: Java 8U71 is out

Postby Bernd.N » Thu Jan 21, 2016 12:29 pm

Harjo wrote:Hi Bernd, rolling Java back is in my opinion the wrong advice!

Hi Harjo,
I agree in general, but we are currently in a rollout-situation, which means the users want to start at once.
Changing the server would take longer, I guess.
Bernd Korthaus
LinkedIn
Servoy 7.4.9 SC postgreSQL 9.4.11 Windows 10 Pro
User avatar
Bernd.N
 
Posts: 477
Joined: Mon Oct 21, 2013 5:57 pm
Location: Langenhorn, North Friesland, Germany

Re: Java 8U71 is out

Postby jcompagner » Thu Jan 21, 2016 2:38 pm

Bernd.N wrote:
Harjo wrote:Hi Bernd, rolling Java back is in my opinion the wrong advice!

Hi Harjo,
I agree in general, but we are currently in a rollout-situation, which means the users want to start at once.
Changing the server would take longer, I guess.


no changing the server would take 1 minute.
useSSL to false and restart...
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 7977
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Java 8U71 is out

Postby jcompagner » Thu Jan 21, 2016 2:42 pm

jozef.kopanicak wrote:

I also imported the self-signed certificate into the JRE, but nothing changed


normally selfsigned will not work, because the smartclient would do that certificate check
But if you really imported your certificate into the JRE certificates as a trusted (root) certificate then i think it should work
(but then you need to do that on all your clients)

For a self signed certificate to really work we could potentially give you an extra option on that network settings page
"selfSigned"

that you have to set to true.

But that still won't be that secure because the certificate in the smart client will not be checked so it can be then any kind of certificate..
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 7977
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Java 8U71 is out

Postby lwjwillemsen » Fri Jan 22, 2016 1:10 am

I consider the choice of Servoy to use the same keystore for SSL client - server and for encryption of
passwords in the servoy.properties a bad one.
The needed security level for client - server communication is so much higher then for passwords
in the properties file. For access to the properties file an intruder has to gain access to the file system of the application server.

Now when on a running Servoy Application server the SSL certificate expires and you install a new one all Servoy database connections are out of order!

We have a lot of on premise Servoy servers with smart clients in the field so the problem seems obvious imho.
Lambert Willemsen
Vision Development BV
lwjwillemsen
 
Posts: 569
Joined: Sat Mar 14, 2009 5:39 pm
Location: The Netherlands

Re: Java 8U71 is out

Postby Harjo » Fri Jan 22, 2016 11:05 am

lwjwillemsen wrote:Now when on a running Servoy Application server the SSL certificate expires and you install a new one all Servoy database connections are out of order!



not true!
when you renew your certificate and renew through the admin-page, Servoy converts the passwords automaticly for you.
If you don't want that, just stop the server, set the passwords in the servoy.properties file in plain-text, start the server, and the passwords are also newly encrypted again, with the new certificate.
Harjo Kompagnie
Direct ICT / Servoy Hosting / ServoyCamp
Servoy Certified Developer
Servoy Valued Professional
SAN Developer
User avatar
Harjo
 
Posts: 4271
Joined: Fri Apr 25, 2003 11:42 pm
Location: DEN HAM OV, The Netherlands

Re: Java 8U71 is out

Postby jcompagner » Fri Jan 22, 2016 12:23 pm

you don't really even have to "renew" it through admin page directly
You could just update the keystore
As long as you press once on the admin page "save" so that the servoy.properties file is saved once after the keystore is updated before the server is restarted
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 7977
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Java 8U71 is out

Postby lwjwillemsen » Fri Jan 22, 2016 1:33 pm

Thanks for the info Johan and Harjo!
I noticed on the Servoy 7 admin page the (red warning) phrase about the encrypted passwords in the properties file is no longer there at the "Network Settings" ?

@Johan : Why? Has something changed in that area in Servoy 7?
Lambert Willemsen
Vision Development BV
lwjwillemsen
 
Posts: 569
Joined: Sat Mar 14, 2009 5:39 pm
Location: The Netherlands

Re: Java 8U71 is out

Postby lwjwillemsen » Fri Jan 22, 2016 3:56 pm

Ok, I am testing with our own ssl certificate and installed it on the Servoy Application server.

When starting the smart client I get :

javax.net.ssl.SSLException: hostname in certificate didn't match: <10.100.100.111> != <vision-development.nl>
at com.servoy.j2db.rmi.hostnameverifier.AbstractVerifier.verify(AbstractVerifier.java:189)
at com.servoy.j2db.rmi.hostnameverifier.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:23)
at com.servoy.j2db.rmi.hostnameverifier.AbstractVerifier.verify(AbstractVerifier.java:117)

How can I deploy our certificate to our client Servoy Application servers?
Lambert Willemsen
Vision Development BV
lwjwillemsen
 
Posts: 569
Joined: Sat Mar 14, 2009 5:39 pm
Location: The Netherlands

Re: Java 8U71 is out

Postby jcompagner » Fri Jan 22, 2016 5:42 pm

i am not sure which one is what
but i guess your your ssl is made with vision-development.nl
but you access the server with http://10.100.100.111 ?
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 7977
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Java 8U71 is out

Postby lwjwillemsen » Fri Jan 22, 2016 7:11 pm

Hi Johan,

I learned one or two things about ssl certificates today.
I thought we could SSL secure all our end user production servers (100+) with our own certificate, but it seems
the server name has to be equal or in the certificate domain name.

I already generated a new one but the problem is if we ship that, then no server will startup anymore because that same key is used to encrypt the passwords in the servoy settings
So nothing can be decrypted anymore with the new keystore, so the database connections are not coming up.


Could you give us that stronger Servoy certificate and can we place that in an existing production server?
(I am aware of the servoy.properties passwords problem).

Thanks in advance.
Lambert Willemsen
Vision Development BV
lwjwillemsen
 
Posts: 569
Joined: Sat Mar 14, 2009 5:39 pm
Location: The Netherlands

Re: Java 8U71 is out

Postby jbrancoIF » Tue Feb 02, 2016 1:11 pm

Any update on this issue?
Can we get this certificate or generate it ourselves?

Thanks in advance
João Branco
InfoForm SA

Servoy 8.1.2
Windows 7 64 bits
jbrancoIF
 
Posts: 61
Joined: Tue Jan 10, 2012 11:29 am

Re: Java 8U71 is out

Postby jcompagner » Tue Feb 02, 2016 1:26 pm

we will release a Servoy 7.4.6 in the next 2 weeks if possible and a 8.0.3 2 or 3 weeks after that again.
Both of them will have an updated certificate

But the current situation is that you just have to turn of ssl (it is not really secure anway!) or really give us a valid certificate
(or just use plain http tunnel and only configure tomcat/apache to handle the https)
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 7977
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Java 8U71 is out

Postby Bernd.N » Wed Feb 03, 2016 4:37 pm

I switched off useSSL on one server, saved the settings and restarted the server.

However I still get the message that Java does not want to start due to security.

Could it be that some of the plugins have a self-signed certificate? I signed all of them just minutes ago with a new code signing certificate, and to my understanding that signing has nothing to do with the self-signing problem of Java8u71.
Attachments
settings.png
settings.png (54.74 KiB) Viewed 1361 times
security_block.png
security_block.png (24.82 KiB) Viewed 1361 times
Bernd Korthaus
LinkedIn
Servoy 7.4.9 SC postgreSQL 9.4.11 Windows 10 Pro
User avatar
Bernd.N
 
Posts: 477
Joined: Mon Oct 21, 2013 5:57 pm
Location: Langenhorn, North Friesland, Germany

Re: Java 8U71 is out

Postby jcompagner » Wed Feb 03, 2016 4:54 pm

that error has nothing to do with ssl

Thats really jar signing, self signed is not supported, you need a valid signing certificate
(or add that exception site list)
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 7977
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Java 8U71 is out

Postby Bernd.N » Thu Feb 04, 2016 4:42 pm

Ok, Harjo helped me to get it run. It seemed the Java version was too old (8u40), or maybe some cached versions of the JNLP were still around. We installed Java 8u71 on the server, now it works fine again.
Bernd Korthaus
LinkedIn
Servoy 7.4.9 SC postgreSQL 9.4.11 Windows 10 Pro
User avatar
Bernd.N
 
Posts: 477
Joined: Mon Oct 21, 2013 5:57 pm
Location: Langenhorn, North Friesland, Germany

Previous

Return to Servoy Client

Who is online

Users browsing this forum: No registered users and 1 guest

cron