scop / portecle

User friendly GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more
http://portecle.sourceforge.net/
GNU General Public License v2.0
154 stars 47 forks source link

Cannot run JNLP file #45

Open scop opened 8 years ago

scop commented 8 years ago

When I attempt to run the JNLP file found on the portecle website I get a security error that prevents it from running: http://portecle.sourceforge.net/

screenshot

Reported by: cowwoc

scop commented 8 years ago

From the error message: "Your security settings have blocked a self-signed application from running"

Portecle's webstart files are self signed, sure. I don't know if/when something will be done about that, but in the meantime, it would be useful to know more details about the setup where this error occurs.

Original comment by: scop

scop commented 8 years ago

If you run JDK 8 update 102, you will discover that the lowest security level is "high". An earlier version removed the ability to run self-signed certificates. The only way to fix this moving forward is to pay for an official SSL certificate. On last check, these cost $9 a year.

Original comment by: cowwoc

scop commented 8 years ago

But the error message is about a self-signed application. An SSL certificate will not change the signedness of the app (jar, jnlp files etc). Or do you mean that it could be ok per the security settings if these same self-signed application files were served over a https connection that has a proper non-self-signed certificate (which are BTW available for free from e.g. letsencrypt.org)?

FWIW I run openjdk 1.8.0_102-b14 on Linux and see no such errors. But the web start implementation in use here is probably quite different from the one included with the Oracle non-openjdk java, maybe that's why.

Original comment by: scop

scop commented 8 years ago

Sorry. Apparently you need a code certificate from a CA that is trusted by the JRE. See http://stackoverflow.com/a/19485007/14731 for more details. Unfortunately, these are more expensive than SSL certificates but they are still not so bad: https://aboutssl.org/compare-code-signing-certificates

Original comment by: cowwoc

scop commented 8 years ago

http://stackoverflow.com/a/3662170/14731 mentions that Certum provides certificates for open-source projects for 19 euros. That is by far the best price I've seen so far.

Original comment by: cowwoc

scop commented 8 years ago

14€ nowadays (per year) it seems. Until (or actually if, no promises!) this is resolved somehow within Portecle, I suppose adding the JNLP file to the exception site list would serve as a workaround that users can apply. Could you try it out and report back?

http://docs.oracle.com/javase/8/docs/technotes/guides/deploy/exception_site_list.html

Original comment by: scop

scop commented 8 years ago

Confirmed. The exception list works.

Original comment by: cowwoc

scop commented 8 years ago

Thanks, info added to homepage.

Original comment by: scop