Java Applet 'plugin not available' and certificate problems

Hi,

One of our members is experiencing problems with running the
Java Applet.

I understand that we need to request that you rebuild with a
certificate for our specific version – 5.9.1 (I had a look at these posts http://www.chemaxon.com/blog/java-updates-security-certificates-and-marvin-in-your-browser-2/  https://www.chemaxon.com/forum/ftopic11561.html
)

The other issue here is that this member would like to use Java
1.6.0_45 however they are not getting the warning message here, they are
getting an error about a missing plugin. Please take a look at the message
below received from this member:

It runs Java JRE
1.6.0_26  and shows the warning about the
expired certificate but it does work in Internet Explorer v. 8

On my machines, we
tried with Java 1.6.0_45 (32 bits) on Windows 64 bits which did not work. It
showed the error about the missing plugin ( incorrect error because it was
present). We finally got it working with the Java 7 plugin.

 

Note that the code
certificate expired error is unrelated to the version ( it should be fixed
anyway ). It only looks like more recent java versions handle that error more
strictly.

In other words it
would still run on older versions while more recent versions do not accept that
certificate anymore. They can test that using successive versions of Java but
it should definitely also work with the fully patched latest Java 6 release.( Java
1.6.0_45)

 

A second security
related  error message is: This
application will be blocked in a future Java security update because the JAR
file manifest does not contain the Permissions attribute.

 

The manifest
attributes that control such permissions are currently missing.

 

From the console
output :

 

Missing
Application-Name: manifest attribute for: http://wprdbes4ckgd7/vitic1-0/marvin/appletlaunch.jar

Missing Permissions
manifest attribute for: http://wprdbes4ckgd7/vitic1-0/marvin/appletlaunch.jar

Missing Codebase
manifest attribute for: http://wprdbes4ckgd7/vitic1-0/marvin/appletlaunch.jar

Missing
Application-Name: manifest attribute for: http://wprdbes4ckgd7/vitic1-0/marvin/appletlaunch.jar

Missing Permissions
manifest attribute for: http://wprdbes4ckgd7/vitic1-0/marvin/appletlaunch.jar

Missing Codebase
manifest attribute for: http://wprdbes4ckgd7/vitic1-0/marvin/appletlaunch.jar

…..

 

… more of the same

 

That should be
fixed because as Oracle indicates, in the near future such applets will no
longer be allowed to run at all.

 

Can you suggest why the applet will not run at all with
1.6.0_45? Do you think a rebuild from yourselves will resolve the certificate
issue this member is experiencing?

 

Thanks,

Jade

Hi Jade,

I move your question to the group Marvin topics.

Krisztina

Dear Jade!

   Recently we have wrote about the problem of expiring JRE-s. It is possible that some of your problems come from the fact that current security baseline is 1.6.0_61 for java 1.6.0 (which is not available for public only for paying customers). Java 1.6.0_26 can not accept some of our signings because they have become standards after the release of 1.6.0_26.
   It is possible that you have an old version that runs with the new sign but throws security warnings and you can update to a newer one that does not work until you update to the latest JRE. And the newer JRE might not accept the older Marvin since it can not be signed with certificates that were introduced after the release of our software.
   We have requested a resigned version of Marvin 5.9.1, please be patient while we ship it to you.

Regards:
Balázs 

Hi Jade,

 

I am glad to inform you that the applet with the new signing is ready and you can download it from this page: https://www.chemaxon.com/download.php?d=/data/download/marvin/5.9.1/marvin-bin-5.9.1-signed-patch-Java7u45.zip

Best regards,

Efi

Hi

We are using the signed version of the Marvin applet downloaded from here: https://www.chemaxon.com/download.php?d=/data/download/marvin/5.9.1/marvin-bin-5.9.1-signed-patch-Java7u45.zip

However the certificate expired on 9th Jan 2015 see 

https://docs.chemaxon.com/display/marvinsketch/Expiration+date+of+releases  when do you plan to release an updated 5.9.1. version with a signed certificate?

Regards

Paul

Hi Paul,

we usually do the resign process on demand, and do not recreate older versions automatically.

So if you need to have a specific version resigned with the new certificates, please contact us at marvin-gui-support _at_ chemaxon.com and please provide the domain name of the site where you embed the applet, so we can create a package that contains all the necessary information to conform with the current java security rules.

Regards,
Istvan 

Hi Istvan

Sorry I'm not an expert in certificates/security rules. We supply the Marvin applet with our product to a number of Lhasa members so there is not a single domain we can specify. Is it not possible to have a non domain specific certificate? Did the the previous signed applet work like that?

Regards Paul

Hi,

the problem splits to two part. One part of the problem is the expired certificate, we can solve that easily by creating a patch for the applet package in question which has the jar files signed with our new certificate that is not expired.

The other part of the problem is the recent security changes in Java. You can find exact information on this page about them: https://www.java.com/en/download/faq/signed_code.xml

The domain related part of the changes in a nutshell: the applet jar files meta information need to contain the origin of the applet, to conform with the current default security policies of the Java plugin, and since this information can only be included in the jar files, it can not be updated without signing the jar files again after the modification.
There is a possibility to specify a wildcard that cover all the domains, but if such a wildcard is specified in the applet package, the user will see a security warning when the applet loads, and to disable that the user has to make actions and add the site to the exception list on the Java Control Panel Security tab, or every time he or she need to accept the security risk prompt and allow the applet to run. If the user accept the risks, then the applet is allowed and able to run with the wildcard specified. So if this is acceptable for you, then we can specify the wildcard in the resigned applet package also.

Regards,
Istvan 

Hi Istvan

Thank you for the explanation, I just want to double check this part of it.....

or every time he or she need to accept the
security risk prompt and allow the applet to run. If the user accept the
risks, then the applet is allowed and able to run with the wildcard
specified.

Previously when you got a security risk prompt when the applet loaded on the page the user could accept the risk and tick a box saying something like 'always accept' or 'don't ask me next time'.  Is that no longer possible? Are you saying that if the domain is specified as a wild card the user will get the risk warning every time the page with the applet is opened in the browser, there is will be no option to 'always accept' or 'don't ask me next time'?

Regards Paul

Hi,

yes you are right, I have checked it, there is a possibility to accept the risk permanently for a given application on a given domain. So it seem we just need to resign the applet version for you with our most recent still valid certificate, and specify the wildcard for any domain. Am I right?

Istvan

Hi

Yes that might be it, thank you for your help so far. I'm just checking internally if we will be requesting this or not or if the workround of adding the site to the java console security exception list will be OK. I'll let you know.

Regards Paul

On my machines, we tried with Java 1.6.0_45 (32 bits) on Windows 64 bits which did not work. It showed the error about the missing plugin ( incorrect error because it was present). We finally got it working with the Java 7 plugin.????

 

 

 

lol