JDK 1.7 jarsigner with https tsa no longer works

Question

It seems like Thawte root certificates in JDK 1.7.0_80 is revoked. https://www.thawte.com/roots/retired.html

Using the 7u80 jarsigner no longer works and it worked fine just a few days ago.

/usr/java/jdk1.7.0_80/jre/../bin/jarsigner -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa https://timestamp.geotrust.com/tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp
jarsigner: unable to sign jar: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

I tried to import Thawtes Timestamping CA certificate into cacerts after deleting the old one.

wget https://www.thawte.com/roots/Thawte_Timestamping_CA.pem

/usr/java/jdk1.7.0_80/bin/keytool -import -trustcacerts -alias verisigntsaca -file Thawte_Timestamping_CA.pem -keystore jre/lib/security/cacerts 
Enter keystore password:  
Trust this certificate? [no]:  yes
Certificate was added to keystore

Using jarsigner from JDK 8u60 works, so I tried to copy its cacerts to JDK7, but that did not work either.

We cannot compile yet with Java 8, because of Javadoc errors. The only solutions I see is to create symlink in JDK7 to JDK8 jarsigner.

/usr/java/jdk1.8.0_60/jre/../bin/jarsigner -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa https://timestamp.geotrust.com/tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp
jar signed.

If I switch tsa from geotrust to digicert it works fine with JDK 7, because they do not use https. http://timestamp.digicert.com/

Answer 1

I also only experienced this issue in the last 12 hours. This issue is not to do with certificates but rather to do with the protocol used to communicate with the timestamp server. This will work with JDK7, however you need to add the following to the jarsigner command

-J-Dhttps.protocols=TLSv1.2

Therefore, your command will look like:

/usr/java/jdk1.7.0_80/jre/../bin/jarsigner -J-Dhttps.protocols=TLSv1.2 -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa https://timestamp.geotrust.com/tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp

It seems that GeoTrust have disabled use of TLS version 1.0 which is the default in Java 7. The following links provide more information on this:

GeoTrust Partner: Disable of Transport Layer Security (TLS) version 1.0 protocol

Diagnosing TLS, SSL, and HTTPS

Hope this helps.

Answer 2

From the GeoTrust link it seems like all one needs is TLSv1.1, and from the "Diagnosing TLS, SSL, and HTTPS" link it seems like the earliest Java version that supports TLSv1.1 is JDK 6 update 111. So the solution might work as far back as those versions.

I haven't switched to JDK 6 update 111 to test this; I'm waiting to hear from customers who have been stuck on older Java versions to see how modern a version of Java we can use without cutting them off.

Addendum: the customers are on JDK8 so I just switched to that and as suggested above, this worked without needing -J-Dhttps.protocols=TLSv1.2 because TLSv1.2 is the default for JDK 8.

Answer 3

user1638152's answer is definitely right. Just adding this information if someone is having the same issues and jar signing is done using Apache Ant.

Adding the following line inside the signjar task:

<sysproperty key="https.protocols" value="TLSv1.2" />

This does exactly the same thing as the "-J-Dhttps.protocols=TLSv1.2" does in command line.

Answer 4

Have in mind that https://timestamp.geotrust.com/tsa is not longer available, you should use http://sha256timestamp.ws.symantec.com/sha256/timestamp instead.

See this Is http://timestamp.geotrust.com/tsa not longer available for SignTool? to know more about it.