Re: Java 8U71 is out

Posted: Thu Jan 21, 2016 12:29 pm
by Bernd.N
Harjo wrote: Hi Bernd, rolling Java back is in my opinion the wrong advice!

Hi Harjo,
I agree in general, but we are currently in a rollout-situation, which means the users want to start at once.
Changing the server would take longer, I guess.

Re: Java 8U71 is out

Posted: Thu Jan 21, 2016 2:38 pm
by jcompagner
Bernd.N wrote:
Harjo wrote: Hi Bernd, rolling Java back is in my opinion the wrong advice!

Hi Harjo,
I agree in general, but we are currently in a rollout-situation, which means the users want to start at once.
Changing the server would take longer, I guess.


No, changing the server would take 1 minute.
useSSL to false and restart...

Re: Java 8U71 is out

Posted: Thu Jan 21, 2016 2:42 pm
by jcompagner
jozef.kopanicak wrote:

I also imported the self-signed certificate into the JRE, but nothing changed


Normally self-signed will not work, because the smart client would do that certificate check.
But if you really imported your certificate into the JRE certificates as a trusted (root) certificate then I think it should work
(but then you need to do that on all your clients).

For a self-signed certificate to really work we could potentially give you an extra option on that network settings page, "selfSigned", that you have to set to true.

But that still won't be that secure because the certificate in the smart client will not be checked, so it can then be any kind of certificate.

Re: Java 8U71 is out

Posted: Fri Jan 22, 2016 1:10 am
by lwjwillemsen
I consider the choice of Servoy to use the same keystore for SSL client - server and for encryption of passwords in the servoy.properties a bad one.
The needed security level for client - server communication is so much higher than for passwords in the properties file. For access to the properties file an intruder has to gain access to the file system of the application server.

Now when on a running Servoy Application server the SSL certificate expires and you install a new one all Servoy database connections are out of order!

We have a lot of on premise Servoy servers with smart clients in the field so the problem seems obvious imho.

Re: Java 8U71 is out

Posted: Fri Jan 22, 2016 11:05 am
by Harjo
lwjwillemsen wrote: Now when on a running Servoy Application server the SSL certificate expires and you install a new one all Servoy database connections are out of order!

Not true!
When you renew your certificate and renew through the admin-page, Servoy converts the passwords automatically for you.
If you don't want that, just stop the server, set the passwords in the servoy.properties file in plain-text, start the server, and the passwords are also newly encrypted again, with the new certificate.

Re: Java 8U71 is out

Posted: Fri Jan 22, 2016 12:23 pm
by jcompagner
You don't really even have to "renew" it through the admin page directly.
You could just update the keystore,
as long as you press "save" once on the admin page, so that the servoy.properties file is saved once after the keystore is updated and before the server is restarted.

Re: Java 8U71 is out

Posted: Fri Jan 22, 2016 1:33 pm
by lwjwillemsen
Thanks for the info Johan and Harjo!
I noticed on the Servoy 7 admin page the (red warning) phrase about the encrypted passwords in the properties file is no longer there at the "Network Settings"?

@Johan : Why? Has something changed in that area in Servoy 7?

Re: Java 8U71 is out

Posted: Fri Jan 22, 2016 3:56 pm
by lwjwillemsen
Ok, I am testing with our own ssl certificate and installed it on the Servoy Application server.

When starting the smart client I get :

javax.net.ssl.SSLException: hostname in certificate didn't match: <10.100.100.111> != <vision-development.nl>
at com.servoy.j2db.rmi.hostnameverifier.AbstractVerifier.verify(AbstractVerifier.java:189)
at com.servoy.j2db.rmi.hostnameverifier.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:23)
at com.servoy.j2db.rmi.hostnameverifier.AbstractVerifier.verify(AbstractVerifier.java:117)

How can I deploy our certificate to our client Servoy Application servers?

Re: Java 8U71 is out

Posted: Fri Jan 22, 2016 5:42 pm
by jcompagner
I am not sure which one is what,
but I guess your SSL is made with vision-development.nl
but you access the server with http://10.100.100.111 ?

Re: Java 8U71 is out

Posted: Fri Jan 22, 2016 7:11 pm
by lwjwillemsen
Hi Johan,

I learned one or two things about SSL certificates today.
I thought we could SSL secure all our end user production servers (100+) with our own certificate, but it seems the server name has to be equal or in the certificate domain name.

I already generated a new one but the problem is if we ship that, then no server will startup anymore because that same key is used to encrypt the passwords in the servoy settings.
So nothing can be decrypted anymore with the new keystore, so the database connections are not coming up.


Could you give us that stronger Servoy certificate and can we place that in an existing production server?
(I am aware of the servoy.properties passwords problem).

Thanks in advance.
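
Added example, not part of any post in this thread and not Servoy's verifier code: a simplified Python sketch of RFC 2818 style hostname matching, showing why a certificate issued for vision-development.nl is rejected when the client connects to 10.100.100.111, and why one certificate name cannot cover many differently named servers. The wildcard and IP-SAN certificates and the extra host names are constructed for illustration.

```python
import ipaddress

def _is_ip(host):
    """True if host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Compare one certificate DNS name with the host, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one left-most label, never the bare domain.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_matches_host(host, dns_names=(), ip_sans=()):
    """RFC 2818 style check: IP literals match only iPAddress entries."""
    if _is_ip(host):
        addr = ipaddress.ip_address(host)
        return any(ipaddress.ip_address(ip) == addr for ip in ip_sans)
    return any(_dns_match(name, host) for name in dns_names)

def coverage(hosts, dns_names=(), ip_sans=()):
    """Map each address clients connect to onto whether the cert covers it."""
    return {h: cert_matches_host(h, dns_names, ip_sans) for h in hosts}

# Addresses a client might connect to. Only the IP and the bare domain come
# from the thread; the other two names are constructed.
HOSTS = ["10.100.100.111", "vision-development.nl",
         "app.vision-development.nl", "erp.customer.example"]

if __name__ == "__main__":
    for label, dns, ips in [
        ("cert from the thread", ["vision-development.nl"], []),
        ("constructed wildcard cert", ["*.vision-development.nl"], []),
        ("constructed IP SAN cert", [], ["10.100.100.111"]),
    ]:
        print(label, coverage(HOSTS, dns, ips))
```
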

Re: Java 8U71 is out

Posted: Tue Feb 02, 2016 1:11 pm
by jbrancoIF
Any update on this issue?
Can we get this certificate or generate it ourselves?

Thanks in advance

Re: Java 8U71 is out

Posted: Tue Feb 02, 2016 1:26 pm
by jcompagner
We will release a Servoy 7.4.6 in the next 2 weeks if possible and a 8.0.3 2 or 3 weeks after that again.
Both of them will have an updated certificate.

But the current situation is that you just have to turn off SSL (it is not really secure anyway!) or really give us a valid certificate
(or just use plain http tunnel and only configure tomcat/apache to handle the https).

Re: Java 8U71 is out

Posted: Wed Feb 03, 2016 4:37 pm
by Bernd.N
I switched off useSSL on one server, saved the settings and restarted the server.

However I still get the message that Java does not want to start due to security.

Could it be that some of the plugins have a self-signed certificate? I signed all of them just minutes ago with a new code signing certificate, and to my understanding that signing has nothing to do with the self-signing problem of Java8u71.

Re: Java 8U71 is out

Posted: Wed Feb 03, 2016 4:54 pm
by jcompagner
That error has nothing to do with SSL.

That's really jar signing; self-signed is not supported, you need a valid signing certificate
(or add that exception site list).

Re: Java 8U71 is out

Posted: Thu Feb 04, 2016 4:42 pm
by Bernd.N
Ok, Harjo helped me to get it to run. It seemed the Java version was too old (8u40), or maybe some cached versions of the JNLP were still around. We installed Java 8u71 on the server, now it works fine again.