|Recent Forum Topics Got a weird one - Th...||I'm a crybaby SJW an...||Crown of Sand IX Fin...|
Posted by: Christer on Monday, December 12, 2016 - 16:18
With the new rules update that was recently released, work has slowly begun to implement some of the changes into the FFB client.
While we're not giving any promises for when this update will be released, there is a technical hoop for me to jump through. All java code that is runnable from a web context (ie, a browser) must be signed. To do this, a code signing certificate is used. These work more or less like an SSL certificate, except they are more expensive.
I have already sorted out the certificate on my end, but there is a slight issue with modern certificates. Over the last couple of years, the Internet (and world in general) has switched to a more secure underlying method for these certificates (specifically, the hash algorithm used has gone from SHA1 to SHA2). This in itself is a good thing(tm). As part of this process, what's called the "Root CA certificate" from the provider I use for code signing certificates has been switched to a new one (also signed with SHA2). This is also a good thing.
So you're asking yourself "Ok, so what's the problem?". FUMBBL has a relatively large number of users. Some of you have computers that are getting a bit old. And even more specifically, some of you have machines that can not run Java versions newer than Java 6 (Old mac computers, running MacOS older than Lion). From my quick look at the analytics, this is roughly 0.5% of you.
Now, with Java 6 being quite old, it's no longer being updated. No updates means that the built-in store of Root CA certificates isn't being updated. And that's the problem. Those of you who are running old versions of Java don't have the new Root CA certificate installed, which will cause some problems.
In theory, it would be possible to install this specific root CA into an old version of Java, but I have no reasonable way to verify if this would actually work.
If you have an old machine (in particular a mac running snow leopard or earlier with the last Apple-distributed Java), and a relatively technical mind, it would be great if you could get in touch with me. I have a very simple test application (which effectively does nothing) that I would like to see tested in an environment like that. Initially, it will probably fail, but I am hoping to be able to get it to a functional state by installing the correct root CA. If that doesn't work, things will get complicated..
For most of you, this doesn't really change much. You're already running a recent version of Java (Java 8 update 111 as I write this), which is what I always recommend. If so, consider this more of a public announcement that the certificate will be changing with the next FFB client update and you may get a warning that asks you if you trust me.
|Java certificate update | Login/Create an account | 1 Comment|
|Comments are owned by the poster. We aren't responsible for their content.|
Re: Java certificate update
by Alzhaid on Dec 12, 2016 - 17:29
(User info | Send a message)
Could it be helpful to install an old Apple-distributed Java version in a nowadays Mac? I can get my hands on a Mac but it's not old, I thought I could:
- Uninstall Java following this: https://java.com/en/download/help/mac_uninstall_java.xml
- Download Apple-distributed Java from here: https://support.apple.com/kb/DL1573?viewlocale=en_US&locale=en_US
This seems to be the version shipped for Snow Leopard. I don't know if it's possible to install it in a current Mac OS.
- Test your application, and reinstall Oracle-distributed Java to leave the Mac as it was.
Maybe this is useless if in nowadays Mac OS the CA's certificates are handled outside of the Java installation, and therefore in this nowadays Mac the correct CA certificate would be available even if I uninstall Java. I really don't know much about Mac (but I do have experience with certificate problems in Windows and Linux hehe).