Asked by cac*_*bre (5) · Tags: java, ssl, firefox, applet, pkcs#11
We need to run an old web application which uses a Java 8 Applet (sick), on Firefox 52.4.1 (the last version compatible with Java applets) and Internet Explorer 11.
The applet is based on Java 8 and distributed by an Apache Tomcat server. It is signed and obfuscated (Proguard).
The user connects to the website with SSL mutual authentication from a smartcard (the client needs a PKCS11 module to get the certificate from the smartcard). The SSL mutual authentication is also done by the Java Applet.
All certificates are signed by an authority added to every browser, Windows and Java certificate store.
Here is the HTML code:
<object classid='clsid:8AD9C840-044E-11D1-B3E9-00805F499D93' id='AsapiObject'>
<param name='archive' value='../../../applet/myapplet.jar'/>
<param name='code' value='main.package.Main'/>
<param name='name' value='My Applet'/>
<param name='mayscript' value='true'/>
<comment>
<applet id='AsapiApplet'
name='My Applet'
archive='../../../applet/myapplet.jar'
code='main.package.Main'
MAYSCRIPT="MAYSCRIPT">
</applet>
</comment>
</object>
(Followed recommendations from https://docs.oracle.com/javase/8/docs/technotes/guides/jweb/applet/using_tags.html#applet)
It works fine on IE 11, not on Mozilla Firefox 52.4.1. It's the same JRE on both.
On Mozilla Firefox 52.4.1, I get a Java exception:
java.lang.ClassNotFoundException: main.package.Main
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Thread.java:748)
And before this exception, I get a handshake failure exception:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at sun.plugin.PluginURLJarFileCallBack.connect(Unknown Source)
at sun.plugin.PluginURLJarFileCallBack.retrieve(Unknown Source)
at sun.net.www.protocol.jar.URLJarFile.retrieve(URLJarFile.java:205)
at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:71)
at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:109)
at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFileInternal(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$800(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Thread.java:748)
I think Firefox doesn't properly import the client certificate from the smartcard.
Edit: there are also two other interesting lines in the Java console:
security: Accessing keys and certificate in Mozilla user profile: null
security: JSS is not configured
By increasing the debug level (-Djavax.net.debug=all), I see:
Internet Explorer :
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
ssl: KeyMgr: getting aliases: [XXXXXXX (verified: OK), YYYYYYYYYYYYYY]
ssl: Ignoring alias XXXXXXX (1): key algorithm does not match
ssl: Ignoring alias XXXXXXX: key algorithm does not match
ssl: Ignoring alias XXXXXXX (2): key algorithm does not match
ssl: KeyMgr: no matching alias found
ssl: Ignoring alias XXXXXXX (1): key algorithm does not match
ssl: Ignoring alias XXXXXXX: key algorithm does not match
ssl: Ignoring alias XXXXXXX (2): key algorithm does not match
ssl: KeyMgr: no matching alias found
*** Certificate chain
chain [0] = [
...
Mozilla Firefox :
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
I tried/checked a lot of things:
- plugins.click_to_play (https://support.mozilla.org/fr/questions/933135)
- <applet> (ClassNotFoundException in Java Applet using <object> tag)
- security.enterprise_roots.enabled (https://support.umbrella.com/hc/en-us/articles/115000669728-Configuring-Firefox-to-use-the-Windows-Certificate-Store)
- <embed> or <object> instead of <applet>.
- Disabled some security checks (CRL, etc.).
Edit: according to JDK-6975851, the JSS doc and the NSS versions, I have built JSS_4_4_20170313 based on NSS 3.28.3 and NSPR 4.13.1 with VS2019 + Windows Kit 10 tools and libs, for Java 8. I have installed the DLL files (jss4.dll, libplc4.dll, libnspr4.dll, libplds4.dll) in the Mozilla Firefox directory and jss4.jar in the jre_path/lib/ext directory. Without success after all those efforts ... :(
I really need help.
Any idea? (I cannot switch applet to another thing - I do not have this choice)
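A diagnostic that is an added example here, not code from the question or from the applet: it loads the smartcard through the JRE's SunPKCS11 provider (Java 8 constructor API), lists what the key store exposes, then asks a SunX509 key manager which alias it would offer for each key type, which is the same selection that prints the "Ignoring alias ...: key algorithm does not match" lines in the IE trace above. The middleware DLL path, the slot number and the config name are placeholders.

```java
import java.io.ByteArrayInputStream;
import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

public class Pkcs11AliasCheck {
    public static void main(String[] args) throws Exception {
        // PKCS#11 config for the smartcard middleware; the library path and slot are placeholders.
        String cfg = "name=SmartCard\n"
                   + "library=C:\\Windows\\System32\\middleware_pkcs11.dll\n"
                   + "slot=0\n";
        // Java 8: sun.security.pkcs11.SunPKCS11 accepts the config as an InputStream.
        Provider p = new sun.security.pkcs11.SunPKCS11(
                new ByteArrayInputStream(cfg.getBytes(StandardCharsets.UTF_8)));
        Security.addProvider(p);

        Console con = System.console();
        if (con == null) throw new IllegalStateException("run from a terminal so the PIN can be prompted");
        char[] pin = con.readPassword("Smartcard PIN: ");
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);   // logs in to the token; no file is read

        // What the JRE sees on the card: key algorithm, certificate signature, key usage, private key present.
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            if (c == null) continue;
            System.out.printf("%s: key=%s sig=%s keyUsage=%s privateKey=%b%n", alias,
                    c.getPublicKey().getAlgorithm(), c.getSigAlgName(),
                    Arrays.toString(c.getKeyUsage()), ks.isKeyEntry(alias));
        }

        // Same SunX509 key manager JSSE uses for the client: for each key type a server's
        // CertificateRequest could ask for, which alias would be offered (null = none).
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, pin);
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];
        for (String keyType : new String[] {"RSA", "EC", "DSA"}) {
            String chosen = km.chooseClientAlias(new String[] {keyType}, null, null);
            System.out.println("keyType " + keyType + " -> " + chosen);
        }
        Arrays.fill(pin, '\0');
    }
}
```

Run it with -Djavax.net.debug=ssl,keymanager to see the same "Ignoring alias" lines the plugin prints; an alias that is listed but never chosen for any key type is not usable for client authentication regardless of the browser.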
It looks like the problem is with the web server on which you serve HTTPS.
A random Google search brings up the Mozilla security blog. The Firefox version you are using (52) disables SHA-1 by default. MD5 is an even worse hash algorithm than SHA-1.
So presumably you should at least update the web server. If you desperately want to keep using software that should have been binned, then I guess there may also be a configuration option in Firefox, or you could use version 51, but I really don't recommend it.