Java – JDK 1.7 jarsigner with HTTPS TSA is no longer valid

Looks like the Thawte root certificate in JDK 1.7.0_80 was revoked.

The 7u80 jarsigner no longer works; it worked normally a few days ago.

/usr/java/jdk1.7.0_80/jre/../bin/jarsigner -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa https://timestamp.geotrust.com/tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp
jarsigner: unable to sign jar: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

After deleting the old certificate, I tried to import the Thawte timestamping CA certificate into cacerts.

wget https://www.thawte.com/roots/Thawte_Timestamping_CA.pem

/usr/java/jdk1.7.0_80/bin/keytool -import -trustcacerts -alias verisigntsaca -file Thawte_Timestamping_CA.pem -keystore jre/lib/security/cacerts 
Enter keystore password:  
Trust this certificate? [no]:  yes
Certificate was added to keystore

The jarsigner of JDK 8u60 works, so I tried to copy its cacerts to JDK 7, but it didn't work.

Due to a Javadoc error, we cannot compile using Java 8. The only solution I see is to create a symbolic link in JDK 7 to the JDK 8 jarsigner.

/usr/java/jdk1.8.0_60/jre/../bin/jarsigner -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa https://timestamp.geotrust.com/tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp
jar signed.

If I switch the TSA from GeoTrust to DigiCert, it works normally with JDK 7, because they do not use HTTPS: http://timestamp.digicert.com/

Solution

I've only had this problem in the past 12 hours. This problem is not related to the certificate, but to the protocol used to communicate with the timestamp server. This will work with JDK 7, but you need to add the following to the jarsigner command:

-J-Dhttps.protocols=TLSv1.2

Therefore, your command will be as follows:

/usr/java/jdk1.7.0_80/jre/../bin/jarsigner -J-Dhttps.protocols=TLSv1.2 -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa https://timestamp.geotrust.com/tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp

It seems that GeoTrust has disabled TLS version 1.0, which is the default in Java 7. The following links provide more information about this:

GeoTrust Partner: Disable of Transport Layer Security (TLS) version 1.0 protocol

Diagnosing TLS,SSL,and HTTPS

I hope this will help.
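
The decision described in the answer above, as an added example that is not part of the original post: a build-script helper that adds -J-Dhttps.protocols=TLSv1.2 only when the signing JDK is 1.7 and the TSA URL is HTTPS. The function names and the sample `java -version` line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Pull the quoted version out of the first line of `java -version` output,
# e.g. 'java version "1.7.0_80"' -> 1.7.0_80
java_version_of() {
    printf '%s\n' "$1" | sed -n '1s/.*version "\([^"]*\)".*/\1/p'
}

# Print the extra jarsigner argument (or nothing) for a JDK version string
# and a TSA URL.
tsa_tls_args() {
    version=$1
    tsa_url=$2
    case $tsa_url in
        https://*) ;;       # a TLS handshake is involved, keep checking
        *) return 0 ;;      # plain http TSA: no handshake, no flag needed
    esac
    case $version in
        # JDK 7 offers TLS 1.0 by default; force TLS 1.2 as in the answer.
        1.7.*) printf '%s\n' '-J-Dhttps.protocols=TLSv1.2' ;;
        # Other versions (e.g. 1.8.0_60, which signed without the flag on
        # this page) get no extra argument.
        *) ;;
    esac
}

# Print (not execute) the full command line so the build log shows exactly
# what will run. Remaining arguments are passed through unchanged.
build_jarsigner_cmd() {
    jarsigner_bin=$1; version=$2; tsa_url=$3; shift 3
    extra=$(tsa_tls_args "$version" "$tsa_url")
    printf '%s' "$jarsigner_bin"
    if [ -n "$extra" ]; then printf ' %s' "$extra"; fi
    printf ' -tsa %s' "$tsa_url"
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
}

# Constructed sample: first line of `java -version` for the JDK on this page.
sample='java version "1.7.0_80"'
build_jarsigner_cmd /usr/java/jdk1.7.0_80/bin/jarsigner \
    "$(java_version_of "$sample")" https://timestamp.geotrust.com/tsa \
    -keystore /home/build/keystore.p12 -storetype pkcs12 my-gui.jar comp
```
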
