JavaFX WebView TLS/SSL Certificate Revocation Check
kevin.rushforth at oracle.com
Mon Jan 4 22:23:14 UTC 2016
Try the following:
Michael Ennen wrote:
> I will keep this short and brief. If one attempts to use the WebView
> control to load the following page:
> The page is loaded, SSL handshake completes successfully, and it is
> displayed and no exceptions are thrown
> (e.g. webView.getEngine().getLoadWorker().getException() is null) and the
> WorkerState goes to Worker.State.SUCCEEDED.
> However, the certificate of this page is indeed revoked.
> I understand that the WebView uses HttpsURLConnection under the covers, and
> so I did some googling about OCSP/CRL (which are certificate revocation
> protocols, for lack of a better term). It seems that OCSP can be enabled
> Security.setProperty("ocsp.enable", "true");
> and, as a fallback, CRL can be enabled via:
> System.setProperty("com.sun.security.enableCRLDP", "true");
> However, neither of these makes any difference with regard to the successful
> outcome posted above.
> One really disgusting workaround to this problem would be to write a
> TrustManager (which is extremely difficult in my estimation, and prone to
> error) that checks for certificate revocation (by using, for example,
> the sun.security.provider.certpath.OCSPChecker class), but since there is no
> way to hook into the validation check of an existing TrustManager, all of
> the existing functionality would have to be duplicated.
> Considering the WebView can be used essentially as a browser (especially
> given the fact that it is based on WebKit) I think this is quite a serious
> issue (and indeed is a serious issue for my particular application).
> Has anyone run into this problem and come up with a solution? Is this a
> known bug? Is there anything I can do to fix it?
> Thanks very much,
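
The revocation-checking trust manager the post describes can be obtained from the JDK's own PKIX TrustManagerFactory, reusing the default trust anchors rather than duplicating validation logic. This is an added example, not code from either message in this thread; the class name RevocationCheckingTls is hypothetical, and it assumes, as the post does, that WebView connects through HttpsURLConnection.

```java
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper class; call install() before the first WebView load.
public final class RevocationCheckingTls {
    public static void install() throws Exception {
        // The two properties from the post choose HOW revocation is checked
        // (OCSP first, CRL distribution points as the fallback) ...
        Security.setProperty("ocsp.enable", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");

        // Reuse the JRE's default trust anchors instead of writing a TrustManager.
        TrustManagerFactory defaults = TrustManagerFactory.getInstance("PKIX");
        defaults.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : defaults.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(ca, null));
                }
            }
        }

        // ... and this flag decides WHETHER the PKIX validator checks revocation at all.
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(anchors, new X509CertSelector());
        pkix.setRevocationEnabled(true);

        TrustManagerFactory checking = TrustManagerFactory.getInstance("PKIX");
        checking.init(new CertPathTrustManagerParameters(pkix));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, checking.getTrustManagers(), null);
        // Assumption: WebView's loader goes through HttpsURLConnection and so
        // picks up the process-wide default socket factory.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

With these settings validation fails closed: a certificate whose status cannot be determined through OCSP or a CRL is rejected, so page loads will fail when the responder or CRL distribution point is unreachable.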