thilino / jzebra

Automatically exported from code.google.com/p/jzebra

Java security issue that self-signed certificates will not work in next JDK release #155

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Run the applet using JDK 7 update 40

What is the expected output? What do you see instead?

Expected: When the applet starts for the first time, a popup is shown with a
message about a security issue. Checking both checkboxes fixes the problem.

Real world: It doesn't matter how many times you start the applet and check the
SINGLE checkbox, it pops up every time the page loads.

What version of the product are you using? On what operating system?

Win7, XP
Chrome, FF, Opera
jZebra 1.5.6

Please provide any additional information below.
The following warning appears in the popup and it makes me worry about the next
Java updates.

Original issue reported on code.google.com by vonKer...@gmail.com on 18 Sep 2013 at 12:20


GoogleCodeExporter commented 8 years ago
Just verified that the new 1.7.0 pdf-renderer_qz.jar is signed by the Tres 
Finocchiaro certificate.

Original comment by ke...@kjordan.net on 24 Oct 2013 at 4:16

GoogleCodeExporter commented 8 years ago
The 1.7.0 qz-print.jar doesn't seem to work for me though.  No output in the 
Java Console.  If I mix the 1.7.0 pdf-renderer_qz.jar with the 1.6.6 
qz-print.jar, it works.  Haven't tried 1.6.9 yet, going to try that next.

Original comment by ke...@kjordan.net on 24 Oct 2013 at 4:34

GoogleCodeExporter commented 8 years ago
1.6.9 doesn't work either (no output).  1.6.8 does though.

Original comment by ke...@kjordan.net on 24 Oct 2013 at 4:42

GoogleCodeExporter commented 8 years ago
I've removed qz-print-free_1.6.9 from the downloads.

I would recommend immediately updating to 1.7.0.  New caching features enabled 
by default with Java 7 are making it very difficult to update the applet, so 
changes were made in 1.7.0 to mitigate the pain in updating.

Also please note that the JNLP file getting cached by the web browser has been 
causing grief among web developers.  

A quick fix to re-download the JNLP is to change the URL.  i.e
 "qz-print_jnlp.jnlp" 
           change to 
 "qz-print_jnlp.jnlp?dummy"

You could do this each time by using JavaScript to write a timestamp after the 
question mark.

For clients that are stuck "inbetween", I would recommend you have them flush 
QZ Print Applet from the new cache area in Java 7.
     --> Java Control Panel, General, View Button, Click "QZ Print Plugin" Delete.

I hope this helps.

-Tres

Original comment by tres.fin...@gmail.com on 24 Oct 2013 at 8:48
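
Added example (not part of the original thread and not qz-print's own code): one way to do the timestamp trick described in the comment above, so that a browser-cached JNLP cannot keep clients on an outdated applet. The parameter name "_ts" and both function names are assumptions; jnlp_href is the applet parameter that appears later in this thread.

```javascript
// Added example, not code from the qz-print project.
// "_ts" is a hypothetical parameter name; the server ignores it, it only
// makes the URL differ so the browser fetches the JNLP again.
const CACHE_PARAM = "_ts";

// Return `url` with a fresh cache-busting query parameter.
// Handles URLs that already carry a query string (e.g. "?dummy"),
// an earlier cache-buster, or a #fragment.
function cacheBustedJnlpUrl(url, now = Date.now()) {
  const hashAt = url.indexOf("#");
  const fragment = hashAt === -1 ? "" : url.slice(hashAt);
  const base = hashAt === -1 ? url : url.slice(0, hashAt);

  const queryAt = base.indexOf("?");
  const path = queryAt === -1 ? base : base.slice(0, queryAt);
  const query = queryAt === -1 ? "" : base.slice(queryAt + 1);

  // Keep existing parameters, drop empty ones and any previous cache-buster
  // so the URL does not grow on every reload.
  const kept = query
    .split("&")
    .filter((pair) => pair !== "" && pair.split("=")[0] !== CACHE_PARAM);
  kept.push(CACHE_PARAM + "=" + encodeURIComponent(String(now)));

  return path + "?" + kept.join("&") + fragment;
}

// Return a copy of an applet parameter object with jnlp_href refreshed.
// Objects without jnlp_href (the older-Java case) are copied unchanged.
function withFreshJnlp(parameters, now = Date.now()) {
  const copy = Object.assign({}, parameters);
  if (typeof copy.jnlp_href === "string" && copy.jnlp_href !== "") {
    copy.jnlp_href = cacheBustedJnlpUrl(copy.jnlp_href, now);
  }
  return copy;
}

// Constructed sample values for a stand-alone run.
const sampleNow = 1382647680000;
console.log(cacheBustedJnlpUrl("qz-print_jnlp.jnlp", sampleNow));
console.log(withFreshJnlp({ jnlp_href: "qz-print_jnlp.jnlp?dummy" }, sampleNow));
```

This only defeats the browser's cache of the JNLP file; Java's own applet cache is separate and is cleared from the Java Control Panel as described above.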

GoogleCodeExporter commented 8 years ago
1.7.0 doesn't work for me in applet mode (won't start up and doesn't output 
anything to the console).  Also, 1.6.8 and above seem to do a sizing of 8x8 
instead of 8x11 no matter if I specify it or not.  1.6.6 seems to be the last 
good version for me.

Original comment by ke...@kjordan.net on 25 Oct 2013 at 9:57

GoogleCodeExporter commented 8 years ago
Kevin,

Did you try the recommendations I made above about fixing the caching issues?

-Tres

Original comment by tres.fin...@gmail.com on 25 Oct 2013 at 10:51

GoogleCodeExporter commented 8 years ago
Found this article today:
http://nirlevy.blogspot.com/2010/01/iis-jnlp-404-problem.html

If you are using JNLP with an old version of IIS, it may say 
NullPointerException or Page Not Found.  This was the work-around that fixed it 
for me.

-Tres

Original comment by tres.fin...@gmail.com on 29 Oct 2013 at 12:53

GoogleCodeExporter commented 8 years ago
Tres,

I experienced similar issues as Kevin. The sample file included with 1.7.0 of 
jZebra worked fine stand alone. Once I included the .jar in my Web Application 
it no longer would load. I am using IIS express 7.5 on my local machine, so 
there should be no issue with an outdated version of IIS. However, version 
1.6.6 and version 1.6.8 of the jar file seem to work fine.

Jacob

Original comment by bocaj.bo...@gmail.com on 29 Oct 2013 at 8:55

GoogleCodeExporter commented 8 years ago
I believe I have figured out the issue with IIS and version 1.7.0. It looks 
like IIS by default does not support the mime type .jnlp. Below is an example 
of what I added to my web.config to fix it.

  <system.webServer>
    <staticContent>
      <mimeMap fileExtension=".jnlp" mimeType="application/x-java-jnlp-file" />
    </staticContent>
  </system.webServer>

Original comment by bocaj.bo...@gmail.com on 30 Oct 2013 at 5:40

GoogleCodeExporter commented 8 years ago
Also please see Issue 170 involving qz-print 1.7.0 and Safari for Windows.  I'm 
unaware of the severity of this issue, but Oracle's own plugin detection 
completely fails as well, so it is not necessarily related to qz-print.

http://code.google.com/p/jzebra/issues/detail?id=170

-Tres

Original comment by tres.fin...@gmail.com on 30 Oct 2013 at 8:47

GoogleCodeExporter commented 8 years ago
An update on the premium version but may be relevant to those compiling their 
own versions... 

I have a feeling the issues we are having with the premium version of the 
applet are due to Java not shipping with Godaddy Certificates installed.  This 
became obvious when users using the new JNLP method started getting new 
untrusted messages (Issue 174)

I need to confirm this, but I believe there's a two-strike policy with Java.

1.  Is java up to date?
2.  Is the certificate trusted by Java?
3.  Is the certificate trusted by the PC?

If two of the three fail, I believe it blocks the applet from making JavaScript 
calls.

We bought a Certificate that's trusted by Linux, OSX, Windows but recent 
reports from web developers are making it obvious that it's not trusted by 
Oracle.

If this is true, once a new update becomes available it hits two strikes and 
blocks it.

If this is true, this can be remedied  by buying a certificate from a provider 
that's in the trusted list, such as Verisign (much more expensive than 
StarField/Godaddy).

-Tres

Original comment by tres.fin...@gmail.com on 2 Nov 2013 at 2:33

GoogleCodeExporter commented 8 years ago
Hi, I'm from Argentina. I have problems, security problems with jzebra. My last
step was to import the Tres certificate, but now I receive this message each
time that I call jzebra.dll.
How can I fix it?

Original comment by gustavo....@gmail.com on 7 Nov 2013 at 1:16


GoogleCodeExporter commented 8 years ago
@Gustavo,

You will need to use a newer version of the applet which has new Manifest 
entries for Java 7.

-Tres

Original comment by tres.fin...@gmail.com on 7 Nov 2013 at 2:57

GoogleCodeExporter commented 8 years ago
Tres,
The way files on my server are put in puts a timestamp into the filename too to 
prevent caching if it really needs an update, so yes, I'm already doing that.  
I noticed a few more versions have come out.  I'll try those and let you know 
if those don't work for me either.

Original comment by ke...@kjordan.net on 13 Nov 2013 at 11:00

GoogleCodeExporter commented 8 years ago
Tried 1.7.7 and still the same issue (no output in the Java console).  Once I 
revert to 1.6.6 it works again.  Even if Java were caching, that wouldn't end 
up causing it to fail to initialize the applet I wouldn't think.  It would just 
end up using the old version.

Original comment by ke...@kjordan.net on 13 Nov 2013 at 11:10

GoogleCodeExporter commented 8 years ago
Tried the samples also for 1.7.7 and no go on those either.

Original comment by ke...@kjordan.net on 13 Nov 2013 at 11:17

GoogleCodeExporter commented 8 years ago
@kevin:  Please be more specific when reporting your problem.

10/17 - Wrong signature
10/24 - No output in Java console
10/25 - 1.7.0 doesn't load, 1.6.8 defaults to 8x8
11/13 - Assumptions about how Java does caching

Old versions had caching issues due to some incorrect parameters being supplied.

Java caches the applet, not your web server, not your web browser. Java has its
own applet cache here:
http://www.java.com/en/download/help/plugin_cache.xml

Please try the recommendations before making assumptions, and please don't post 
your problems on a bug report that is closed and unrelated to your problem.

If you want to see the exact cause of your issue, hit the number "5" in the 
Java Console and refresh the page, then continue this troubleshooting on the 
mailing list please.

Also, your bug reports should give very specific information:  1.  Java 
Version, 2.  Browser Version, 3. OS Version, 4.  Software version.

Last, you should try your problems on multiple computers before submitting a 
bug.  Please continue this conversation on the mailing list where more than 9 
people will receive notification.

-Tres

Original comment by tres.fin...@gmail.com on 14 Nov 2013 at 12:14

GoogleCodeExporter commented 8 years ago
Hi, how are you?
I'm from Argentina and last month you helped me with the jzebra applet
and the Java certificate.
That works OK, but now my employee asks me about the certificate name, because
it shows your name "Tres Finoccharo" and he wants to show the company name. Do
you know if there is some way to change the publisher name? Or do you have some
documentation for making a new certificate?

Best regards and thanks so much for your help
Gustavo Iglesias

Original comment by gustavo....@gmail.com on 27 Nov 2013 at 12:45

GoogleCodeExporter commented 8 years ago
@Gustavo,

I will answer this in email.  In short, no, the publisher name cannot easily be 
changed.

-Tres

Original comment by tres.fin...@gmail.com on 27 Nov 2013 at 1:42

GoogleCodeExporter commented 8 years ago
@Aaron
I am Jean-Pierre, and I live in France.
I have this big problem with the jZebra.jar and the new Java version and
Windows 8. I know you have created a solution and you are probably my savior.
I have downloaded your jZebraCertJar folder with the jar, the csr, the
signedcertsforscripts.doc
When I want to import my certificates, the csr, inside Firefox, I need to
indicate two passwords or keys, and I don't have them.

Could you please give me this key and password?

Jean-Pierre

Original comment by municipa...@gmail.com on 18 Jan 2014 at 9:43

GoogleCodeExporter commented 8 years ago
No password is needed.  Please import only into Signer CA section of Java 
Control panel.

Original comment by tres.fin...@gmail.com on 18 Jan 2014 at 10:02

GoogleCodeExporter commented 8 years ago
Yeah, you do not import directly to Firefox; you place the .csr file into the
Signer CA section in the Java Control Panel. Then it imports it for all
browsers since it's in the Java signed pool.

Aaron M.

Original comment by aaron.ma...@gmail.com on 18 Jan 2014 at 10:31

GoogleCodeExporter commented 8 years ago
Great Thanks, 

I will try that and give you the results

Jean-Pierre

Original comment by municipa...@gmail.com on 19 Jan 2014 at 9:14

GoogleCodeExporter commented 8 years ago
I have your jZebra.jar on the server (93 723 bytes)
I have the .csr in the Java Control Panel

And the message is always there!!!!

I have this code to load the jzebra.jar
<body>
<applet name="jzebra" code="jzebra.PrintApplet.class" archive="./jzebra.jar" 
width="100" height="100" border=2 >
      <param name="printer" value="thermique">
</applet>

Please, do you have another idea?

Jean-Pierre

Original comment by municipa...@gmail.com on 20 Jan 2014 at 9:06

GoogleCodeExporter commented 8 years ago
@Jean-Pierre,

A trusted signature eliminates this rubbish cert importing.

If you are not interested in doing this yourself, qzindustries offers a 
version, at a premium.

Original comment by tres.fin...@gmail.com on 20 Jan 2014 at 11:33

GoogleCodeExporter commented 8 years ago
@tres.fin...

My problem is that I have ONE installation with jZebra.

It doesn't work now because they have Windows 8, and the version of Java is
always the most recent version.

I think Qzindustries will not have a price for my case.

Jean-Pierre

Original comment by municipa...@gmail.com on 21 Jan 2014 at 5:22

GoogleCodeExporter commented 8 years ago
qz-print works with Windows 8.

If you are running 64-bit make sure you have both the 32-bit and 64-bit 
versions of Java installed, and make sure both versions are 1.7.0_51.

Import the certificate into Signer CA section of Java Control Panel (Security 
Tab). NOT Trusted Certificates, but Signer CA Certificates.

Close all web browsers and relaunch sample.html and the applet will load.  If 
it does not, completely uninstall all versions of Java from control Panel and 
reinstall both 32-bit and 64-bit versions.

If you are running Firefox, click Red Lego icon and change Java preferences.

If it still does not work, set your web browser preferences back to default.

If it still does not load, email jzebra-users@googlegroups.com

-Tres

Original comment by tres.fin...@gmail.com on 21 Jan 2014 at 5:33

GoogleCodeExporter commented 8 years ago
Hey there,

I followed your most recent instructions setting up the certificate, and 
installing both java's. I'm using Mozilla Firefox to open up my POS cash 
drawer, but the pop up still comes up.

I also tried emailing the googlegroup email address but it wouldn't send it.

Original comment by johnv...@gmail.com on 21 Jan 2014 at 10:35

GoogleCodeExporter commented 8 years ago
Please upload a screenshot of your error.

Original comment by tres.fin...@gmail.com on 21 Jan 2014 at 11:58

GoogleCodeExporter commented 8 years ago
@Aaron
I have uninstalled Java and reinstalled
 Java 7.51 32 bits
 Java 7.51 64 bits

We imported your .CSR certificate into the four types of certificates: Trusted
Certificates, Secure Site, Signer CA, Secure Site CA
We have your jzebra.jar on the server side

It works better: not two Java messages, but still one message

See attached file.

Is there a way for me to not have this message?

Thanks 

Jean-Pierre

Original comment by municipa...@gmail.com on 22 Jan 2014 at 8:06


GoogleCodeExporter commented 8 years ago
That is popping up if you aren't using the .jnlp file that comes along with the
new code. I strongly recommend downloading a new version, packaging it from
something like NetBeans or whatever, and then using the steps I showed on how
to sign the newly created .jar file. That box will always pop up unless you
lower your security settings, or use the jnlp method.

Aaron M.

Original comment by aaron.ma...@gmail.com on 22 Jan 2014 at 8:09

GoogleCodeExporter commented 8 years ago
Why does it say Aaron Mathis?  Please download the latest or contact
sales@qzindustries.com for a trusted signature.  This bug report is not a 
support forum.

-Tres

Original comment by tres.fin...@gmail.com on 22 Jan 2014 at 8:22

GoogleCodeExporter commented 8 years ago
Well, he is using my signed jar file, so when I use my own jar signer it's gonna
include my name, hence why I told people to use yours, or pay for the product.
I just posted mine so people knew how to recreate the process; they aren't
supposed to use it. That's an old cert anyways, it won't even work with newer
stuff lol.

Tres is right though, contact the support through qz bud.

Aaron

Original comment by aaron.ma...@gmail.com on 22 Jan 2014 at 8:32

GoogleCodeExporter commented 8 years ago
That is correct: I use the jZebra.jar coming from Aaron. Thanks to him.
I understand it is normal that I have a message with his name.

Now, I want no popup for my user.
I am not able to create a jar with NetBeans.
I have a single user, a small user for this module, and I am alone.

When TRES says to "download the latest"  OR contact sales@qzindustries.com, do I
understand correctly that it is possible to download a latest FREE version of
jZebra.jar, and it will work without a popup?

Please Tres, could you give me the URL to download this free version?

Thanks for all 

Jean-Pierre

Original comment by ltr...@gmail.com on 30 Jan 2014 at 5:52

GoogleCodeExporter commented 8 years ago
Version 1.8.0 will display an error, which can be suppressed via several 
methods depending on your Java Version and whether you are using a self-signed 
or trusted-signed version.

If you have downloaded 1.8.0-free and followed the instructions for importing 
the self-signed certificate, then you should be working.  If not, contact the 
mailing list please.

Please contact Aaron personally if you need support with his signed version of 
the applet.

-Tres

Original comment by tres.fin...@gmail.com on 30 Jan 2014 at 2:39

GoogleCodeExporter commented 8 years ago
I use Java 7.51
I use a self-signed version
Should I use

<applet id="qz" name="QZ Print Plugin" code="qz.PrintApplet.class" 
archive="./qz-print.jar" width="100" height="100">

instead of 

<applet name="jzebra" code="jzebra.PrintApplet.class" archive="./jzebra.jar" 
width="100" height="100" border=2 >

and use the qz-free.jar 108 kO     and the   qz-free.csr ???

Original comment by ltr...@gmail.com on 30 Jan 2014 at 8:04

GoogleCodeExporter commented 8 years ago
@ltrjpg, yes, also make sure to include the jnlp_href stuff found in 
sample.html's applet tags (which are commented out, but valid and updated).

-Tres

Original comment by tres.fin...@gmail.com on 30 Jan 2014 at 9:14

GoogleCodeExporter commented 8 years ago
Forgot to mention, you can keep name="jzebra" if you wish, which will allow 
some of your JavaScript to remain unchanged.  Newer versions use "id", which is 
recommended over "name", but "name" will work.

Original comment by tres.fin...@gmail.com on 30 Jan 2014 at 9:16

GoogleCodeExporter commented 8 years ago
Thanks Tres.  I have installed the qz-print.jar on the server side
and have this applet in the page

<applet id="qz" name="QZ Print Plugin" code="qz.PrintApplet.class" 
archive="./qz-print.jar" width="100" height="100">
      <param name="printer" value="thermique">
</applet>  

and use these commands 

   document.qz.append(  .........);

I have Imported the certificate qz-free.csr   into Signer CA section of Java 
Control Panel (Security Tab). 

My question is :   is it mandatory to include  the <<jnlp_href  stuff found in 
sample.html's applet tags (which are commented out, but valid and updated)>>  ?

Thanks

Jean-Pierre 

Original comment by ltr...@gmail.com on 1 Feb 2014 at 2:02

GoogleCodeExporter commented 8 years ago
@Jean-Pierre,

> My question is :   is it mandatory to include  the <<jnlp_href  stuff found in
> sample.html's applet tags (which are commented out, but valid and updated)>>  ?

Yes.  jnlp_href is a new parameter since we've switched to using the Java 
Network Launching Protocol for loading the applet (Also known as "WebStart").

This "jnlp_href" parameter must be passed in as part of the <applet> tags, or 
as part of the deployJava.js script.  Without it, launching the applet will 
fail.

Older Java versions (Java 6 Update 39 and older) do not accept this parameter, 
hence the deployJava script, which can be tweaked to remove it (see Issue 178).

-Tres


Original comment by tres.fin...@gmail.com on 1 Feb 2014 at 3:30

GoogleCodeExporter commented 8 years ago
I have an error message
What I have done is
1) put the qz-print_jnlp.jnlp  on the server side
2) put this javascript code at the beginning of the my page

deployQZ();

function deployQZ() {
        var attributes = {id: "qz", code:'qz.PrintApplet.class', 
            archive:'qz-print.jar', width:1, height:1};
        var parameters = {jnlp_href: 'qz-print_jnlp.jnlp', 
            cache_option:'plugin', disable_logging:'false', 
            initial_focus:'false'};
        if (deployJava.versionCheck("1.7+") == true) {}
        else if (deployJava.versionCheck("1.6+") == true) {
            attributes['archive'] = './qz-print.jar';
            parameters['jnlp_href'] = './qz-print_jnlp.jnlp';
        }
        deployJava.runApplet(attributes, parameters, '1.5');
}

I think it is not the right way.  Could you show me the way?

Jean-Pierre

Original comment by ltr...@gmail.com on 2 Feb 2014 at 7:16


GoogleCodeExporter commented 8 years ago
I've answered this question in Issue 178.

Original comment by tres.fin...@gmail.com on 2 Feb 2014 at 4:26

GoogleCodeExporter commented 8 years ago
I have seen Issue 178 and changed my JavaScript code, which is now:

deployQZ();

function deployQZ() {
        var attributes = {id: "qz", code:'qz.PrintApplet.class', 
            archive:'qz-print.jar', width:1, height:1};
        var parameters = {jnlp_href: 'qz-print_jnlp.jnlp', 
            cache_option:'plugin', disable_logging:'false', 
            initial_focus:'false'};
        if (deployJava.versionCheck("1.7+") == true) {}
        else if (deployJava.versionCheck("1.6+") == true) {
            attributes['archive'] = './qz-print.jar';
            delete parameters['jnlp_href'];
        }
        deployJava.runApplet(attributes, parameters, '1.5');
}

But I always have the same error for JNLP

Do you have any idea?

Thanks -  Jean-Pierre

Original comment by ltr...@gmail.com on 3 Feb 2014 at 7:42

GoogleCodeExporter commented 8 years ago
@Jean-Pierre,
I've recommended this many times now, please post a detailed message to the 
jzebra-users@googlegroups.com mailing list.  This bug tracker is the wrong 
place to keep asking support questions.

-Tres

Original comment by tres.fin...@gmail.com on 3 Feb 2014 at 10:02

GoogleCodeExporter commented 8 years ago
I followed the same steps Aaron gave in the file (corrected some steps though),
created a certificate and imported it in FF too.
But that nasty popup still comes up. Has anybody been successful with the latest
code of qz jZebra?
I ran the following commands

keytool -genkey -keystore myqzstore -validity 3650 -alias myqzalias
jarsigner -keystore myqzstore qz-print.jar myqzalias
keytool -exportcert -keystore myqzstore -alias myqzalias -file qzcert.cer

I renamed qzcert.cer to qzcert.csr and imported it.

Is purchasing the premium version the only way?

@Aaron/Tres, please help to find a way.

Original comment by pparesh...@gmail.com on 22 Jan 2015 at 2:33

GoogleCodeExporter commented 8 years ago
Just import the qz free cert into Java's Signer CA section.  You don't have to 
generate any keys.

Original comment by tres.fin...@gmail.com on 22 Jan 2015 at 5:34

GoogleCodeExporter commented 8 years ago
I haven't done much with the cert stuff in a while. I have since written a new 
applet for printing because I needed more use with normal desktop printers, but 
the certificate stuff is still the same. I recommend just buying the full 
version from Tres and QZ. It will be less hassle in the long run. I convinced 
my company to be a verified certificate and no longer worry about java warnings 
anymore.

However, if you have to have the free version, you must import the .csr file
into the Signer CA section, done through Control Panel -> Java (32-bit) ->
Security Tab, and follow the on-screen instructions there.

Original comment by aaron.ma...@gmail.com on 22 Jan 2015 at 7:28