JavaFX WebView TLS/SSL Certificate Revocation Check

Michael Ennen mike.ennen at
Sat Jan 2 01:53:43 UTC 2016


I will keep this short and brief. If one attempts to use the WebView
control to load the following page:

The page is loaded, SSL handshake completes successfully, and it is
displayed and no exceptions are thrown
(e.g. webView.getEngine().getLoadWorker().getException() is null) and the
WorkerState goes to Worker.State.SUCCEEDED.

However, the certificate of this page is indeed revoked.

I understand that the WebView uses HttpsUrlConnection under the covers, and
so I did some googling about OSCP/CRL (which are certificate revocation
protocols, for lack of a better term). It seems that OSCP can be enabled

Security.setProperty("ocsp.enable", "true");

and, as a fallback, CRL can be enabled via:

System.setProperty("", "true");

However, neither of these make any difference in regards to the successful
outcome posted above.

One really disgusting workaround to this problem would be to write a
TrustManager (which is extremely difficult in my estimation, and prone to
error) that checks for certificate revocation (by using, for example,
the class) but since there is no
way to hook into the validation check of an existing TrustManager, all of
the existing functionality would have to be duplicated.

Considering the WebView can be used essentially as a browser (especially
given the fact that it is based on WebKit) I think this is quite a serious
issue (and indeed is a serious issue for my particular application).

Has anyone run into this problem and come up with a solution? Is this a
known bug? Is there anything I can do to fix it?

Thanks very much,

Michael Ennen

More information about the openjfx-dev mailing list