Sun(sm) Alert Notification
1. Impact

The Class 3 and Class 2 Verisign PCA root certificates included in various releases of the SDK and JRE (see Contributing Factors below) will expire on January 7, 2004 and may result in the following upon expiration:

Note: Root certificates, such as PCA root certificates from Verisign, have defined validity periods in accordance with PKI best practices. Certification authorities periodically extend the validity periods of PCA root certificates. Verisign has extended the expiring Class 3 and Class 2 PCA root certificates by issuing certificates with new validity periods (these certificates with the new validity periods are referred to as "new" certificates in this document).

2. Contributing Factors

This issue can occur in the following J2SE releases:

Windows Production Releases
Solaris Operating Environment (OE) Reference Releases
Solaris OE Production Releases
Linux Production Releases
Note: JDK 1.1.8 and earlier releases are not affected by this issue.

3. Symptoms

Class 3 Verisign PCA root certificate:

The Class 3 Verisign PCA root certificate is used in relation to authenticating entities such as signed code and web sites. Java applications and applets which authenticate on or after January 7, 2004 using certificates issued under the expiring Class 3 Verisign PCA root certificate may be affected as follows:

1. You may encounter a Java Plug-in or Java Web Start security warning dialog box containing the following warning:

    Publisher authenticity verified by: "Verisign"
    The security certificate was issued by a company that is trusted
    The security certificate has expired or is not yet valid

or

    Publisher authenticity verified by: "Verisign"
    The security certificate was issued by a company that is not trusted
    The security certificate has expired or is not yet valid

You may see the first warning if the Java application or applet that you are trying to run is signed by a code signing certificate that is a subordinate certificate of the expiring Class 3 Verisign PCA root certificate, the certificate chain provided by the application or applet includes the root CA certificate, and you are using one of the following:

You may also see the first warning if you are trying to access a web site via https, the web site's SSL server certificate is signed by a server CA certificate that is a subordinate certificate of the expiring Class 3 Verisign PCA root certificate, the certificate chain provided by the web site includes the root CA certificate, and you are using one of the following:

You will see the second warning if the certificate chain provided by the application, applet or web site does not include the root CA certificate.

It is highly unlikely that you will encounter a web site with an SSL server certificate that is a subordinate certificate of the expiring Class 3 Verisign PCA root certificate. In addition, Java applications and applets signed after August 2002 should not be signed by a code signing certificate that is a subordinate certificate of the expiring Class 3 Verisign PCA root certificate (see Note 1 below). However, even if the root CA certificate of a code signer's certificate or a web site's SSL server certificate is the new Class 3 Verisign PCA root certificate, you may still see one of the above security warnings if the certificate chain does not include the root CA certificate: in that case the root is taken from the cacerts file, which in the affected releases still holds the expiring certificate.

Note 1: Verisign issues server and code signing certificates that expire before the PCA root certificates expire, in accordance with PKI best practices.

Note 2:

2. If your Java application or applet uses a Java Secure Socket Extension (JSSE) TrustManager which requires valid trust certificates, you may not be able to access web sites via https. (For example, the default JSSE X509TrustManager ("SunX509") and some custom-written X509TrustManagers reject expired certificates and will cause attempted connections to fail.) As described above, the TrustManager of the Java Plug-in has special rules regarding validity periods. In J2SE 1.4.x, by default, applets use the SSLSocketFactory of the Java Plug-in, which uses the TrustManager of the Java Plug-in. However, in the unusual case that an applet overrides the active SSLSocketFactory (see javax.net.ssl.HttpsURLConnection), a different TrustManager might be used when making trust decisions, which could lead to connection failures.

Class 2 Verisign PCA root certificate:

The Class 2 Verisign PCA root certificate is used in relation to authenticating entities such as users and individuals. Java applications and applets which authenticate on or after January 7, 2004 using certificates issued under the expiring Class 2 Verisign PCA root certificate may be affected.
4. Relief/Workaround

To recover from the described issue:

The security warning dialog box (described in "Symptoms" above) provides the option to grant permissions with the "Grant this session" or "Grant always" buttons. You may run the software or connect to the web site by selecting either button. However, you should not choose these options unless you are prepared to trust the software that you are going to run or the web site that you are trying to connect to via https.

To work around the described issue:

Sun recommends that you upgrade to a release listed in the Resolution section. However, if this is not possible, you can use the following workaround: import the new Verisign Class 3 and Class 2 PCA root certificates into the J2SE certificate file (<java-home>/lib/security/cacerts).

Instructions:

1. Download the most recent Verisign PCA root certificates from:

2. Unzip the downloaded file into the current directory.

3. Import the new Class 3 and Class 2 PCA root certificates into the cacerts file.

Note: For SDK and JRE 1.2.2, you need to install and statically register either the "SunJSSE" provider (in JSSE 1.0.x) or a third-party JCA provider that supports the "MD2withRSA" Signature algorithm, because the Verisign PCA root certificates are self-signed with MD2withRSA and keytool cannot parse or verify them without such a provider.

JSSE 1.0.3 can be obtained from:

To import the Class 3 root certificate into the cacerts file:

    % keytool -import -v \
        -keystore <java-home>/lib/security/cacerts \
        -alias verisignclass3ca2028 \
        -file "./VeriSign - Thawte Combined Roots/VeriSign_Roots/PCA3ss_v4.509"

Keytool will prompt you for the password for the cacerts file (the default password is "changeit") and generate the following output after you enter the password:

    Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Serial number: 70bae41d10d92934b638ca7b03ccbabf
    Valid from: Sun Jan 28 19:00:00 EST 1996 until: Tue Aug 01 19:59:59 EDT 2028
    Certificate fingerprints:
         MD5:  10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
         SHA1: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
    Trust this certificate? [no]:

Note: Before answering "yes", confirm that the fingerprints printed by keytool are identical to the fingerprints shown above. If they differ, the file you downloaded is not the expected certificate and must not be imported.

To import the Class 2 root certificate into the cacerts file:

    % keytool -import -v \
        -keystore <java-home>/lib/security/cacerts \
        -alias verisignclass2ca2028 \
        -file "./VeriSign - Thawte Combined Roots/VeriSign_Roots/PCA2ss_v4.509"

Keytool will prompt you for the password for the cacerts file (the default password is "changeit") and generate the following output after you enter the password:

    Owner: OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Issuer: OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Serial number: 2d1bfc4a178da391ebe7fff58b45be0b
    Valid from: Sun Jan 28 19:00:00 EST 1996 until: Tue Aug 01 19:59:59 EDT 2028
    Certificate fingerprints:
         MD5:  B3:9C:25:B1:C3:2E:32:53:80:15:30:9D:4D:02:77:3E
         SHA1: 67:82:AA:E0:ED:EE:E2:1A:58:39:D3:C0:CD:14:68:0A:4F:60:14:2A
    Trust this certificate? [no]:

Note: Before answering "yes", confirm that the fingerprints printed by keytool are identical to the fingerprints shown above. If they differ, the file you downloaded is not the expected certificate and must not be imported.

Restart the Java application or Java Plug-in process to force a reread of the new cacerts file.

For more information about the cacerts file and how to import certificates, please see:

5. Resolution

This issue is addressed in the following J2SE releases:
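The import steps above depend on a human comparing fingerprints by eye before typing "yes". The script below is an added example, not part of the Sun Alert, that performs the same workaround non-interactively and refuses to import a file whose SHA1 fingerprint does not match the values printed in the alert. It assumes keytool is on PATH, that its -printcert, -noprompt and -storepass options are available (they are in the J2SE 1.3/1.4 keytool; for 1.2.2 an MD2withRSA-capable provider must first be registered as the alert describes), and the directory layout of the unzipped Verisign download. The sample keytool -printcert output embedded in the script is constructed from the alert's own Class 3 output so that the fingerprint check can be exercised without keytool present.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): fingerprint-checked import of the new
# Verisign Class 3 and Class 2 PCA roots into <java-home>/lib/security/cacerts.
# Expected SHA1 values are the ones the alert shows in its keytool output.

EXPECTED_CLASS3_SHA1="74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2"
EXPECTED_CLASS2_SHA1="67:82:AA:E0:ED:EE:E2:1A:58:39:D3:C0:CD:14:68:0A:4F:60:14:2A"

# Constructed sample of 'keytool -printcert' output for the Class 3 root
# (values copied from the alert); used only for the offline self-check below.
SAMPLE_PRINTCERT='Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Serial number: 70bae41d10d92934b638ca7b03ccbabf
Valid from: Sun Jan 28 19:00:00 EST 1996 until: Tue Aug 01 19:59:59 EDT 2028
Certificate fingerprints:
         MD5:  10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
         SHA1: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2'

# extract_sha1: print the first SHA1 fingerprint found in keytool -printcert output (stdin).
extract_sha1() {
    sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p' | head -n 1
}

# check_sha1 PRINTCERT_OUTPUT EXPECTED_SHA1: succeed only if the output carries exactly
# the expected SHA1 fingerprint. A missing fingerprint line counts as a mismatch.
check_sha1() {
    found=$(printf '%s\n' "$1" | extract_sha1)
    [ -n "$found" ] && [ "$found" = "$2" ]
}

# import_root CERT_FILE ALIAS EXPECTED_SHA1 KEYSTORE: read the certificate with keytool,
# refuse to import on a fingerprint mismatch, otherwise import without prompting.
# Keystore password comes from $CACERTS_PASS (default "changeit", the shipped value).
import_root() {
    cert="$1"; ks_alias="$2"; expected="$3"; keystore="$4"
    printed=$(keytool -printcert -file "$cert") || {
        echo "keytool could not read $cert (on 1.2.2 an MD2withRSA provider is required)" >&2
        return 1
    }
    if ! check_sha1 "$printed" "$expected"; then
        echo "REFUSING to import $cert: SHA1 fingerprint does not match $expected" >&2
        return 1
    fi
    keytool -import -noprompt -keystore "$keystore" -storepass "${CACERTS_PASS:-changeit}" \
        -alias "$ks_alias" -file "$cert"
}

# verify_alias ALIAS KEYSTORE: confirm the entry is now present in the keystore.
verify_alias() {
    keytool -list -keystore "$2" -storepass "${CACERTS_PASS:-changeit}" -alias "$1" >/dev/null 2>&1
}

# import_verisign_roots JAVA_HOME: the alert's two imports, each fingerprint-checked.
import_verisign_roots() {
    ks="$1/lib/security/cacerts"
    roots="./VeriSign - Thawte Combined Roots/VeriSign_Roots"
    import_root "$roots/PCA3ss_v4.509" verisignclass3ca2028 "$EXPECTED_CLASS3_SHA1" "$ks" &&
    import_root "$roots/PCA2ss_v4.509" verisignclass2ca2028 "$EXPECTED_CLASS2_SHA1" "$ks" &&
    verify_alias verisignclass3ca2028 "$ks" && verify_alias verisignclass2ca2028 "$ks" &&
    echo "imported both roots into $ks; restart the Java application or Plug-in"
}

# Offline self-check (no keytool needed): the sample output carries the Class 3 fingerprint.
check_sha1 "$SAMPLE_PRINTCERT" "$EXPECTED_CLASS3_SHA1" && echo "self-check ok: Class 3 fingerprint matches"

# The real import runs only when <java-home> is given on the command line, e.g.
#   sh import-verisign-roots.sh /usr/j2se     (needs write access to cacerts)
if [ -n "${1:-}" ]; then
    import_verisign_roots "$1"
fi
```

Passing the keystore password with -storepass makes it visible to other users in the process list for the duration of the keytool run; on a shared machine, drop -storepass and let keytool prompt, as in the alert's interactive commands.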
J2SE SDK and JRE releases are available at:

Note 1: The new Class 3 and Class 2 Verisign PCA root certificates are included in the above releases for Windows, Solaris, and Linux.

Note 2: SDK and JRE 1.4.0_04 and earlier, 1.3.0_05 and earlier, and 1.2.2_17/017 and earlier are no longer supported. Sun recommends that you upgrade to a more recent release.

Change History:

19-Dec-2003:

5-Jan-2004:
This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements. Copyright 2000-2003 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.