javax.net.ssl.SSLHandshakeException: com.sun.deploy.security.RevocationChecker$StatusUnknownException: java.net.SocketException: Connection reset
When trying to open the OneClick console I receive the following error:
<?xml version="1.0" encoding="utf-8"?>
<!-- JNLP File for Session Client -->
<jnlp spec="1.0+" codebase="https://OneClickServer.domain.net:8443/spectrum" href="">
<information>
<title>DX NetOps Spectrum OneClick Console on OneClickServer.acme.net</title>
<vendor>CA Technologies, A Broadcom Company</vendor>
<homepage href="index.jsp"/>
<description>DX NetOps Spectrum OneClick Console</description>
<description kind="short">DX NetOps Spectrum OneClick Console</description>
<icon href="images/i_icon.jpg"/>
<!-- <offline-allowed/> -->
</information>
<security>
<all-permissions/>
</security>
<!-- If you wish to force 64bit or 32bit OC client, replace <resources> tag with one that
specifies an architecture - "amd64" for x64 and "x86" for x32, see below examples.
You can copy oneclick.jnlp to oneclick32.jnlp or oneclick64.jnlp, and customize platform & memory,
and then new launch points will be added automatically to OC admin page.
Note: For arch specifiers to work properly, you must exactly match the JRE version or
make sure the "Allow new versions" checkbox is checked in the supported
JRE Version configuration.
<resources arch="amd64">
<resources arch="x86">
-->
<resources>
<!-- This is used for the alarm notification dialog and will
prevent the background color from being shown, so you will
not get a flash of color. In order for this property to
be set you need to have the following
deployment.javaws.secure.properties=sun.awt.noerasebackground
in the deployment.config file which lives in
<Windows Directory>\Sun\Java\Deployment\deployment.config on Windows
and
/etc/.java/deployment/deployment.config on Unix.
-->
<property name="sun.awt.noerasebackground" value="true"/>
<!-- To get rid of Java Authentication Required dialog -->
<property name="javaws.cfg.jauthenticator" value="true" />
<j2se version="1.8.0_292+" java-vm-args="--add-modules=java.se.ee" href="http://java.sun.com/products/autodl/j2se"
initial-heap-size="96m" max-heap-size="1024m"/>
<jar href="lib/clientconsole.jar;no_javaws_cheat"/>
<jar href="lib/clientalarm.jar;no_javaws_cheat"/>
<jar href="lib/clienttopo.jar;no_javaws_cheat"/>
<jar href="lib/jgraphx.jar;no_javaws_cheat"/>
<jar href="lib/webswing-api.jar;no_javaws_cheat"/>
<jar href="lib/clientapp.jar;no_javaws_cheat"/>
<jar href="lib/clientevent.jar;no_javaws_cheat"/>
<jar href="lib/clientadmin.jar;no_javaws_cheat"/>
<jar href="lib/util.jar;no_javaws_cheat"/>
<jar href="lib/utilsrv.jar;no_javaws_cheat"/>
<jar href="lib/utilnet.jar;no_javaws_cheat"/>
<jar href="lib/utilapp.jar;no_javaws_cheat"/>
<jar href="lib/utilgui.jar;no_javaws_cheat"/>
<jar href="lib/jecds.jar;no_javaws_cheat"/>
<jar href="lib/global.jar;no_javaws_cheat"/>
<jar href="lib/productsuite.jar;no_javaws_cheat"/>
<jar href="lib/jdom.jar;no_javaws_cheat"/>
<jar href="lib/xercesImpl.jar;no_javaws_cheat"/>
<jar href="lib/xml-apis.jar;no_javaws_cheat"/>
<jar href="lib/commons-collections.jar;no_javaws_cheat"/>
<jar href="lib/mindterm.jar;no_javaws_cheat"/>
<jar href="lib/oneclickclient.jar;no_javaws_cheat"/>
<jar href="lib/occversion.jar;no_javaws_cheat"/>
<jar href="lib/icu4j-55_2.jar;no_javaws_cheat"/>
<extension name="RSA Crypto-J" href="cryptoj.jnlp"/>
<!-- To use embedded browser in OneClick, you need to copy
3rd party jars from CDs (DJNativeSwing.jar, DJNativeSwing-SWT.jar,
swt-win32.jar, swt-wlinux.jar, jna.jar)
to <...>/tomcat/webapps/spectrum/lib, and uncomment
following line.
-->
<!--
<extension name="Embedded Browser" href="embedded-browser.jnlp"/>
-->
<jar href="lib/contrib/clientjdcm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientbluct.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmotbb.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientligowav.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientnege.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientacpa.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmib.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientwily.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmpls.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientfndry.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmmsw.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienthost.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientveloe.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientiprm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcommscp.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientntscr.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienthuawe.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientpoly.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientsvdsk.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienthpprocurve.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienthstca.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientvdm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientfeye.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientqos.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienthph3c.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientaruba.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienteffip.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientsanm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmerak.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienthirs.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientsdm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/json.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcpqnk.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientpcktr.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientec.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcluster.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientsvpk.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcrpo.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientf5bigip.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientionmm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientvptl.jar;no_javaws_cheat"/>
<jar href="lib/contrib/version.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientften.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienttoshi.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientgigam.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientsdn.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmitsu.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientgeltr.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienteventcorrelation.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientjunpr.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientpalo.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientvorm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientvpls.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientpolicy.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientavin.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientrvbed.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientadisc.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmulticast.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientscm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientextrm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientapc.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcrsbm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientnetqos.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcitrix.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientfubld.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientinfoblox.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienttelco.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientntopt.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientteldat.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcivpn.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clienthpbld.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientwlc.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientvhm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientalctl.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientfosc.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientwwpck.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientspm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientadva.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientlmtmgr.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientavoc.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmtel.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientnetop.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientrex.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientadtrn.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcisco.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmtrix.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientairsp.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientoacc.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientharis.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientades.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientaudc.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientroam.jar;no_javaws_cheat"/>
<jar href="lib/contrib/utilncm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientrosc.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmotnt.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcmls.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientslm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientciucs.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientrcom.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientversa.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientcss.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientsecu.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientliebt.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientlancm.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientforti.jar;no_javaws_cheat"/>
<jar href="lib/contrib/clientmisen.jar;no_javaws_cheat"/>
<jar href="lib/cont
jnlp file truncated after 10K
*************************************************
javax.net.ssl.SSLHandshakeException: com.sun.deploy.security.RevocationChecker$StatusUnknownException: java.net.SocketException: Connection reset
at sun.security.ssl.Alert.createSSLException(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)
at sun.security.ssl.SSLHandshake.consume(Unknown Source)
at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
at sun.security.ssl.TransportContext.dispatch(Unknown Source)
at sun.security.ssl.SSLTransport.decode(Unknown Source)
at sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.access$200(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.AccessController.doPrivilegedWithCombiner(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
at com.sun.deploy.net.BasicHttpRequest.doHeadRequestEX(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getJreResource(Unknown Source)
at com.sun.javaws.LaunchDownload._downloadExtensionsHelper(Unknown Source)
at com.sun.javaws.LaunchDownload.downloadExtensionsHelper(Unknown Source)
at com.sun.javaws.LaunchDownload.downloadExtensions(Unknown Source)
at com.sun.javaws.Launcher.prepareLaunchFile(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: com.sun.deploy.security.RevocationChecker$StatusUnknownException: java.net.SocketException: Connection reset
at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.checkRevocationStatus(Unknown Source)
at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
... 42 more
Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException: sun.security.provider.certpath.PKIX$CertStoreTypeException: java.net.SocketException: Connection reset
at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
... 49 more
Caused by: sun.security.provider.certpath.PKIX$CertStoreTypeException: java.net.SocketException: Connection reset
at sun.security.provider.certpath.URICertStore.engineGetCRLs(Unknown Source)
at java.security.cert.CertStore.getCRLs(Unknown Source)
at sun.security.provider.certpath.DistributionPointFetcher.getCRL(Unknown Source)
at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(Unknown Source)
at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(Unknown Source)
at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(Unknown Source)
at com.sun.deploy.security.RevocationChecker$3.run(Unknown Source)
at com.sun.deploy.security.RevocationChecker$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.RevocationChecker.getCRLsPrivileged(Unknown Source)
... 50 more
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(Unknown Source)
at java.net.SocketInputStream.read(Unknown Source)
at java.io.BufferedInputStream.fill(Unknown Source)
at java.io.BufferedInputStream.read1(Unknown Source)
at java.io.BufferedInputStream.read(Unknown Source)
at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)
at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.access$200(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.AccessController.doPrivilegedWithCombiner(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
... 60 more
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(Unknown Source)
at java.net.SocketInputStream.read(Unknown Source)
at java.io.BufferedInputStream.fill(Unknown Source)
at java.io.BufferedInputStream.read1(Unknown Source)
at java.io.BufferedInputStream.read(Unknown Source)
at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)
at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.access$200(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.AccessController.doPrivilegedWithCombiner(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at sun.security.provider.certpath.OCSP.getOCSPBytes(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at com.sun.deploy.security.RevocationChecker$2.run(Unknown Source)
at com.sun.deploy.security.RevocationChecker$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.RevocationChecker.doPrivilegedOCSPCheck(Unknown Source)
... 50 more
Release : 21.2, 22.2
Component : Spectrum OneClick
When Java processes the jar files that make up the OneClick console, it checks the SSL certificate used to sign
the jar files to identify the validity of the software vendor (CA Technologies / Broadcom in this case).
Part of this process is to verify that the certificate has not been revoked, using an OCSP revocation check against
the Certificate Authority's server. In the case of NetOps 21.2.x the jar files are signed by Symantec and DigiCert, so
OCSP calls via HTTP are made to those external servers to verify that the certificates are still valid. The calls here
are failing, and in turn the JRE does not continue to load the console.
In this case, network changes had been made which blocked the HTTP calls to Symantec's and DigiCert's certificate
servers, causing the console to fail to launch (connection reset). The changes made in the network were corrected.
Deeper dive
Note: I used Java's jarsigner to see the certificate authority that signed the cert
# cd /usr/Spectrum/tomcat/webapps/spectrum/lib
# /usr/Spectrum/Java/bin/jarsigner -verify -verbose -certs clientapplet.jar |grep -A 7 MANIFEST
s 695 Tue Jun 14 01:49:20 UTC 2022 META-INF/MANIFEST.MF
>>> Signer
X.509, CN=<CN>, OU=<OU>, O=<O>, ST=<ST>, C=<C>
[certificate is valid from 6/1/21 12:00 AM to 6/5/24 11:59 PM]
X.509, CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
[certificate is valid from 4/29/21 12:00 AM to 4/28/36 11:59 PM]
X.509, CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
I downloaded the intermediate certificate from DigiCert:
https://www.digicert.com/kb/digicert-root-certificates.htm
https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem
Then I used `keytool -printcert -file DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem` to find the
revocation servers:
AIA
|
#ping ocsp.digicert.com
PING cs9.wac.phicdn.net (72.21.91.29): 56 data bytes
64 bytes from 72.21.91.29: icmp_seq=0 ttl=55 time=10.121 ms
64 bytes from 72.21.91.29: icmp_seq=1 ttl=55 time=10.511 ms
64 bytes from 72.21.91.29: icmp_seq=2 ttl=55 time=10.001 ms
The JRE will make a revocation check, in this case to ocsp.digicert.com (the certificates may change to another CA).
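The ping above only shows ICMP reachability, while the failing revocation calls are HTTP requests. As an added example (not part of the original article or Broadcom's tooling), this script pulls the OCSP and CRL URLs out of `keytool -printcert` output and probes each one over HTTP with curl; the sample certificate text and the example.test URLs are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list the revocation endpoints a certificate advertises and
# test them over HTTP, the protocol the JRE uses for the revocation check.

# Constructed sample in the layout `keytool -printcert` prints extensions in.
# ocsp.digicert.com is from the article; the example.test URLs are placeholders.
sample_printcert() {
cat <<'EOF'
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.digicert.com
,
   accessMethod: caIssuers
   accessLocation: URIName: http://cacerts.example.test/root.crt
]
]

#2: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.example.test/ca.crl]
]]
EOF
}

# Read keytool -printcert text on stdin; print "ocsp <url>" and "crl <url>".
# caIssuers entries are skipped: they are not used for revocation checking.
revocation_urls() {
  awk '
    /accessMethod: ocsp/                    { want_ocsp = 1; next }
    /accessMethod:/                         { want_ocsp = 0; next }
    /accessLocation: URIName:/ && want_ocsp { print "ocsp", $NF; want_ocsp = 0; next }
    /^CRLDistributionPoints/                { in_crl = 1; next }
    /^#[0-9]+: ObjectId/                    { in_crl = 0 }
    in_crl && /URIName:/ { u = $0; sub(/.*URIName: */, "", u); sub(/\].*/, "", u); print "crl", u }
  '
}

# Probe one endpoint over HTTP. Any HTTP status proves the path is open;
# curl exit code 56 is how a "Connection reset" like the one above appears.
probe_url() {
  code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' "$1")
  rc=$?
  case $rc in
    0)  echo "reachable (HTTP $code)" ;;
    6)  echo "DNS resolution failed" ;;
    7)  echo "TCP connect failed (blocked or refused)" ;;
    28) echo "timed out" ;;
    56) echo "connection reset while receiving" ;;
    *)  echo "curl error $rc" ;;
  esac
  return $rc
}

# With a certificate file as argument, check every endpoint it advertises.
if [ -n "${1:-}" ]; then
  keytool -printcert -file "$1" | revocation_urls | while read -r kind url; do
    printf '%s %s: %s\n' "$kind" "$url" "$(probe_url "$url")"
  done
fi
```

Run it from the workstation that launches the console, since that is where the JRE makes the revocation calls.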