默认情况下，Java更新强制执行CRL检查，以阻止NSP和访客流量

简介

本文档介绍最新Java更新中断请求方调配以及某些使用访问控制列表(ACL)和重定向的访客流时遇到的问题。

背景信息

错误位于CiscoSPWDownloadFacilitator中，显示为“验证证书失败。应用程序将不会执行。”

如果您单击More Information，会收到抱怨证书撤销列表(CRL)的输出。

java.security.cert.CertificateException: java.security.cert.
CertPathValidatorException: java.io.IOException: DerInputStream.getLength(): 
lengthTag=127, too big.
	at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
	at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
	at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
	at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
	at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
	at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.isTrustedByTrustDecider
        (Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.getTrustedCodeSources(Unknown Source)
	at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy
        (Unknown Source)
	at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement
        (Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile
        (Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$1000
        (Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen
        (Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
	at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
	at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
	at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
	Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
		at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
		... 34 more
Caused by: java.security.cert.CertPathValidatorException: 
java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	... 35 more
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
	at sun.security.util.DerInputStream.getLength(Unknown Source)
	at sun.security.util.DerValue.init(Unknown Source)
	at sun.security.util.DerValue.<init>(Unknown Source)
	at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
	... 38 more

问题

在Java的最新版本（版本7，更新25-发布日期：2013年8月5日）中，Oracle引入了新的默认设置，强制客户端根据任何CRL或在线证书状态协议(OCSP)验证与任何小程序关联的证书。

思科与这些小程序关联的签名证书具有列出的CRL和带Thawte的OCSP。由于这一新更改，当Java客户端尝试连接Thawte时，端口ACL和/或重定向ACL会阻止该客户端。

此问题在Cisco bug ID CSCui46739下跟踪。

解决方案

选项1 -交换机或无线控制器端修复

1. 重写任何重定向或基于端口的ACL以允许流量到达Thawte和Verisign。遗憾的是，此选项的一个限制是无法从域名创建ACL。
2. 手动解析CRL列表，并将其放入重定向ACL。

注意：如果客户端需要通过防火墙进行通信，则可能需要更新防火墙规则。

[user@user-linux logs]$ nslookup
> crl.thawte.com
Server:         64.102.6.247
Address:        64.102.6.247#53

Non-authoritative answer:
crl.thawte.com  canonical name = crl.ws.symantec.com.edgekey.net.
crl.ws.symantec.com.edgekey.net canonical name = e6845.ce.akamaiedge.net.
Name:   e6845.ce.akamaiedge.net
Address: 23.5.245.163

> ocsp.thawte.com
Server:         64.102.6.247
Address:        64.102.6.247#53

Non-authoritative answer:
ocsp.thawte.com canonical name = ocsp.verisign.net.
Name:   ocsp.verisign.net
Address: 199.7.48.72

如果这些DNS名称更改且客户端解析其他内容，请使用更新地址重写重定向URL。

重定向ACL示例：

     5 remark ISE IP address
    10 deny ip any host X.X.X.X (467 matches)
    15 remark crl.thawte.com
    20 deny ip any host 23.5.245.163 (22 matches)
    25 remark ocsp.thawte.com
    30 deny ip any host 199.7.52.72
    40 deny udp any any eq domain (10 matches)
    50 permit tcp any any eq www (92 matches)
    60 permit tcp any any eq 443 (58 matches)

测试显示OSCP和CRL URL解析为以下IP地址：

OCSP
199.7.48.72
199.7.51.72
199.7.52.72
199.7.55.72
199.7.54.72
199.7.57.72
199.7.59.72

CRL
23.4.53.163
23.5.245.163
23.13.165.163
23.60.133.163
23.61.69.163
23.61.181.163

这可能不是完整的列表，并且可能会根据地理位置而变化，因此需要进行测试来发现每个实例中主机解析的IP地址。

选项2 -客户端修复

在Java控制面板的高级部分中，将执行证书撤销检查设置为不检查（不推荐）。

   OSX：系统首选项> Java
           高级
           使用执行证书吊销：更改为“不检查（不推荐）”

   Windows：控制面板> Java
           高级
           使用执行证书吊销：更改为“不检查（不推荐）”