Page 1 of 2

Java 8U71 is out

PostPosted: Wed Jan 20, 2016 12:50 pm
by lwjwillemsen
Another java update is out :

At startup Smart Client :

SEVERE: Throwable
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
at sun.security.ssl.AppOutputStream.write(Unknown Source)
at com.servoy.j2db.rmi.compressing.CompressingOutputStream.flush(CompressingOutputStream.java:161)
at java.io.DataOutputStream.flush(Unknown Source)
at com.servoy.j2db.rmi.SignallingChannel.connect(SignallingChannel.java:158)
at com.servoy.j2db.rmi.SignallingChannel.<init>(SignallingChannel.java:49)
at com.servoy.j2db.rmi.ClientTwoWaySocketFactory.establishSignallingChannel(ClientTwoWaySocketFactory.java:138)
at com.servoy.j2db.rmi.DefaultClientSocketFactoryFactory.initRMISocketFactory(DefaultClientSocketFactoryFactory.java:55)
at com.servoy.j2db.rmi.DefaultClientSocketFactoryFactory.<init>(DefaultClientSocketFactoryFactory.java:41)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at com.servoy.j2db.smart.J2DBClient.initRMISocketFactory(J2DBClient.java:843)
at com.servoy.j2db.smart.J2DBClient.startupApplication(J2DBClient.java:780)
at com.servoy.j2db.smart.J2DBClient$4.run(J2DBClient.java:692)
at com.servoy.j2db.smart.J2DBClient.mainImpl(J2DBClient.java:716)
at com.servoy.j2db.smart.J2DBClient.main(J2DBClient.java:679)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.sun.javaws.Launcher.executeApplication(Unknown Source)
at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
at com.sun.javaws.Launcher.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(Unknown Source)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(Unknown Source)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
... 33 more

Has anybody info what Oracle has changed?

Regards,

Re: Java 8U71 is out

PostPosted: Wed Jan 20, 2016 1:10 pm
by jcompagner
this means that certain Algorithms that are used to generate a certificate are not allowed anymore because they are to weak
Not sure if they disabled some, can't really find much about that currently in the release notes

Not sure if it is your server side certificate (do you have your own there?) or if it is the "test ssl" that we use
what is exactly your configuration under: network-settings tab in the admin page?

Can you switch to "http&socket" and restart the server to see if that helps?

Re: Java 8U71 is out

PostPosted: Wed Jan 20, 2016 1:30 pm
by swingman
Hi all,

I have just tested the new 8u71 with two different Servoy servers.
I can load a client from one but not the other.

On the Network Settings page on the server:

SocketFactory.useSSL: is not ticked on the one that works.

Re: Java 8U71 is out

PostPosted: Wed Jan 20, 2016 2:09 pm
by lwjwillemsen
With 'http&socket' I get:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
at com.sebster.tunnel.impl.cb.a(cb.java:9)
at com.sebster.tunnel.impl.bb.connect(bb.java:8)
at com.sebster.tunnel.DelegatingTunnelClient.connect(DelegatingTunnelClient.java:2)
at com.sebster.tunnel.impl.le.<init>(le.java:11)
at com.sebster.tunnel.multiplexer.rmi.ClientMultiplexedRmiSocketFactoryProvider$1.<init>(ClientMultiplexedRmiSocketFactoryProvider.java:2)
at com.sebster.tunnel.multiplexer.rmi.ClientMultiplexedRmiSocketFactoryProvider.<init>(ClientMultiplexedRmiSocketFactoryProvider.java:11)
at com.sebster.tunnel.multiplexer.rmi.ClientMultiplexedRmiSocketFactoryProvider.<init>(ClientMultiplexedRmiSocketFactoryProvider.java:10)
at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory$RmiSocketFactoryProvider.<init>(ClientTunnelRMISocketFactoryFactory.java:301)
at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory$RmiSocketFactoryProvider.<init>(ClientTunnelRMISocketFactoryFactory.java:299)
at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory.createFactoryProvider(ClientTunnelRMISocketFactoryFactory.java:253)
at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory.<init>(ClientTunnelRMISocketFactoryFactory.java:241)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at com.servoy.j2db.smart.J2DBClient.initRMISocketFactory(J2DBClient.java:843)
at com.servoy.j2db.smart.J2DBClient.startupApplication(J2DBClient.java:780)
at com.servoy.j2db.smart.J2DBClient$4.run(J2DBClient.java:692)
at com.servoy.j2db.smart.J2DBClient.mainImpl(J2DBClient.java:716)
at com.servoy.j2db.smart.J2DBClient.main(J2DBClient.java:679)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.sun.javaws.Launcher.executeApplication(Unknown Source)
at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
at com.sun.javaws.Launcher.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

With SSL switched off: no problem

We sign our jar files with our own signing certificate but that has nothing to do with the SSL-certificate from the Servoy server?

In Java 8u71 the security settings are changed in the file java.security :

jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
and
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

In 8u66 it was :

jdk.certpath.disabledAlgorithms=MD2
and
jdk.tls.disabledAlgorithms=SSLv3

When I remove MD5 and MD5withRSA the smart client starts up ok.

Servoy action?

Re: Java 8U71 is out

PostPosted: Wed Jan 20, 2016 2:14 pm
by ROCLASI
Looks like a SSL issue to me.
Perhaps Oracle did the same as what FireFox did per Januari 1st and requires SHA-2 certs instead of the old standard SHA-1?

Edit: I just try to read all the related info on this update and it's as clear as mud.
It only lists some release 'highlights' with the only item remotely related to this is:
Problem with PBE algorithms using AES crypto corrected
An error was corrected for PBE using 256-bit AES ciphers such that the derived key may be different and not equivalent to keys previously derived from the same password.

Also the link to the actual bug-fixes page is broken. Here is the working one: http://www.oracle.com/technetwork/java/ ... 11127.html

Re: Java 8U71 is out

PostPosted: Wed Jan 20, 2016 3:59 pm
by jcompagner
lwjwillemsen wrote:
With SSL switched off: no problem



And do you have your own keystore configured?
Or are you just using "useSSL" of servoy? (which means we take a 'test' keystore that we ship inside servoy)


lwjwillemsen wrote:We sign our jar files with our own signing certificate but that has nothing to do with the SSL-certificate from the Servoy server?


signing doesn't have anything to do with this.

It sounds like it the keystore that is used on the server, i guess what we ship as a default 'test' keystore (when you just select useSSL but not provide a keystore, which is not fully secure as we mention on the network settings page)

lwjwillemsen wrote:In Java 8u71 the security settings are changed in the file java.security :

jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
and
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

In 8u66 it was :

jdk.certpath.disabledAlgorithms=MD2
and
jdk.tls.disabledAlgorithms=SSLv3

When I remove MD5 and MD5withRSA the smart client starts up ok.



Yes that is the change then i guess

We use by default a certificate that is created with SHA-1
which has a keysize of 160 bits so that RSA keySize < 1024 doesn't allow that anymore

So for now, disable "useSSL" or give use a valid ssl keystore with your own valid certificate.

Re: Java 8U71 is out

PostPosted: Wed Jan 20, 2016 4:27 pm
by lwjwillemsen
Is Servoy gonna change their server SSL certificate?
The current one is a bit old (cryptographic) I guess...

Re: Java 8U71 is out

PostPosted: Wed Jan 20, 2016 4:42 pm
by jcompagner
yes we can ship a different one, but at production you shouldn't really use that
It is kind of just for testing or that at least some encryption and compressing does happen
But it is not really secure.

What version of servoy are you testing?

Re: Java 8U71 is out

PostPosted: Wed Jan 20, 2016 5:30 pm
by lwjwillemsen
We see this Issue with Servoy 5 en 7. Servoy 6 not tested.

I remember a session long ago with Jan Aleman and how proud he was that (out of the Servoy box) the smart client
communicated secure with the server...

Re: Java 8U71 is out

PostPosted: Wed Jan 20, 2016 6:26 pm
by jcompagner
this sentence is there for ages on our admin page:

"The use SSL option indicates that the server and clients will talk to each other using an SSL tunnel. For this to work securely you need to generate a valid keystore file with the SSL keys and certificates and place it in the 'server/conf/keystore' location on the server."

It can never be fully secure in what we ship, that is impossible because we ship a (generated) certificate with a private key inside our installation. Which is fully open source and everybody can look and see in it..

I already generated a new one but the problem is if we ship that, then no server will startup anymore because that same key is used to encrypt the passwords in the servoy settings
So nothing can be decrypted anymore with the new keystore, so the database connections are not coming up.

Re: Java 8U71 is out

PostPosted: Wed Jan 20, 2016 7:51 pm
by lwjwillemsen
Thanks Johan,

It's all clear to me now.

Re: Java 8U71 is out

PostPosted: Thu Jan 21, 2016 1:15 am
by Harjo
We did some intensive testing and it's not the fact that the certificate is a selfsigned certificate from Servoy, but it's an old certifcate with MD5, which is now by default is disabled by this Java version.

Here are the releasenotes:
http://www.oracle.com/technetwork/java/ ... 73756.html

and here some quotes:
*MD5 now disabled for X509 Certificate validating*
MD5 must not be used for digital signatures where collision resistance is required. In order to prevent the usage of MD5 as digital signature algorithm during X.509 certificate operations, MD5 has been added to the jdk.certpath.disabledAlgorithms Security property. For applications which still using MD5 signed certificates, please upgrade the weak certificate as soon as possible.
Reversing this change is possible, by removing MD5 from the jdk.certpath.disabledAlgorithms property contained in the java.security file. This is not recommended.


So, I think if Servoy updates that certificate by using not MD5 anymore, that that will fix the issue.
BUT.... even if Servoy does that, that's NOT the solution!

So you have the option, to search your java.security file and remove MD5 from the jdk.certpath.disabledAlgorithms list. (not recommended!!)

the other quick option, is to set use SLL to off in the servoy-admin page, restart Servoy (which in IMHO is also not recommended, because, if you run the smart client with the (default test) certifcate from Servoy, or running no SSL at all, security-wise that's the same! :!: :idea: :lol: )

If you want to fix this the best way (and the way we do this for already a couple of years) you have two options:

Use a official signed certificate (in a java keustore) and place that directly in Tomcat. useSSL to off and useSSLoverTunnel to off and the connection to http, only!
that way all traffic by tomcat and the smart-client (through tunnel) is securely encrypted!

If you want to use smart-client by rmi/socket, you have to set the certificate path to the java-keystore (with your certificate) and the password in the servoy-admin page. (be aware that you do this in the admin-page, because than Servoy takes care of all your db connection passwords, they will be newly encrypted!)
set useSSL to ON, set useSSLoverTunnel to ON or OFF, depending if you also have the certificate in Tomcat itself and the connection to http&socket.
Now your smart-client is using socket (rmi port) and all traffice from smart-client to the server is securely encrypted

If you need any help in securing, hosting, tuning your Servoy application server, let me know. We do it a lot! :wink:

Also the security-issue with rmi-traffic, which is explained here: https://www.servoy.com/forum/viewtopic.php?f=16&t=21087
We still see dozens of servers, which uses smart-client and do nothing with it.... Keeping up and be focused on security is not the top priority with most of the Servoy Developers... :roll: :wink:

Re: Java 8U71 is out

PostPosted: Thu Jan 21, 2016 4:27 am
by Bernd.N
At least one user also installed Java 8u71 now, and I saw this message suddenly a lot in the server log, both on our test server and on our live server.

Is this also related to Java 8u71, so that we should tell the user to go back to Java 8u65 which runs fine?

The link for that tried and tested Java version 65 is here:
http://www.oracle.com/technetwork/java/ ... 65-oth-JPR

Re: Java 8U71 is out

PostPosted: Thu Jan 21, 2016 8:20 am
by Harjo
Hi Bernd, rolling Java back is in my opinion the wrong advice!

Re: Java 8U71 is out

PostPosted: Thu Jan 21, 2016 11:45 am
by jozef.kopanicak
Do you have any experience with self-signed certificates on Java 8u71? I would like to try it out on our inhouse application servers, but we dont have a signed certificate for them. The application servers dont have a domain name, just IPs.

I am getting following errors when I start a smart-client:
Code: Select all
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
   at sun.security.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
   at com.sebster.tunnel.impl.cb.a(cb.java:9)
   at com.sebster.tunnel.impl.bb.connect(bb.java:8)
   at com.sebster.tunnel.DelegatingTunnelClient.connect(DelegatingTunnelClient.java:2)
   at com.sebster.tunnel.impl.le.<init>(le.java:11)
   at com.sebster.tunnel.multiplexer.rmi.ClientMultiplexedRmiSocketFactoryProvider$1.<init>(ClientMultiplexedRmiSocketFactoryProvider.java:2)
   at com.sebster.tunnel.multiplexer.rmi.ClientMultiplexedRmiSocketFactoryProvider.<init>(ClientMultiplexedRmiSocketFactoryProvider.java:11)
   at com.sebster.tunnel.multiplexer.rmi.ClientMultiplexedRmiSocketFactoryProvider.<init>(ClientMultiplexedRmiSocketFactoryProvider.java:10)
   at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory$RmiSocketFactoryProvider.<init>(ClientTunnelRMISocketFactoryFactory.java:301)
   at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory$RmiSocketFactoryProvider.<init>(ClientTunnelRMISocketFactoryFactory.java:299)
   at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory.createFactoryProvider(ClientTunnelRMISocketFactoryFactory.java:253)
   at com.servoy.j2db.server.rmi.tunnel.ClientTunnelRMISocketFactoryFactory.<init>(ClientTunnelRMISocketFactoryFactory.java:241)
   at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
   at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
   at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
   at java.lang.reflect.Constructor.newInstance(Unknown Source)
   at com.servoy.j2db.smart.J2DBClient.initRMISocketFactory(J2DBClient.java:843)
   at com.servoy.j2db.smart.J2DBClient.startupApplication(J2DBClient.java:780)
   at com.servoy.j2db.smart.J2DBClient$4.run(J2DBClient.java:692)
   at com.servoy.j2db.smart.J2DBClient.mainImpl(J2DBClient.java:716)
   at com.servoy.j2db.smart.J2DBClient.main(J2DBClient.java:679)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
   at java.lang.reflect.Method.invoke(Unknown Source)
   at com.sun.javaws.Launcher.executeApplication(Unknown Source)
   at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
   at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
   at com.sun.javaws.Launcher.run(Unknown Source)
   at java.lang.Thread.run(Unknown Source)



I also imported the self-signed certificate into the JRE, but nothing changed