Saturday, February 18, 2017

Chrome NET::ERR_CERT_REVOKED for a revoked certificate

connecting Chrome to a local development WebLogic that was using a WebServer certificate that was revoked in the CRL list, I got this message:

Your connection is not private Attackers might be trying to steal your information from localhost (for example, passwords, messages, or credit cards). NET::ERR_CERT_REVOKED Automatically report details of possible security incidents to Google. Privacy policy ReloadHide advanced localhost normally uses encryption to protect your information. When Google Chrome tried to connect to localhost this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be localhost, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged. You cannot visit localhost right now because this certificate has been revoked. Network errors and attacks are usually temporary, so this page will probably work later.

Once I started Chrome with "chrome.exe --ignore-certificate-errors" the connection is accepted, I just get a warning "you are using an unsupported command-line flag: --ignore-certificate-errors. Stability and security will suffer "



JDB is your friend

We had recently an issue with an XML parser failing to parse a temporary file that was immediately deleted after.
How to stop execution before the file gets deleted?
I am using jdb http://docs.oracle.com/javase/7/docs/technotes/tools/windows/jdb.html and I have created a simple test case

Start WebLogic with
set JAVA_OPTIONS=-agentlib:jdwp=transport=dt_shmem,address=jdbconn,server=y,suspend=n %JAVA_OPTIONS%

I deploy a small webapp with:

class com.pierre.MyCounter

package com.pierre;
public class MyCounter {
       static int count = 0;
       public static String getCountAsString() {
             return String.valueOf(count++);
       }
}

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%@ page import="com.pierre.*"  %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here bla</title>
</head>
<body>
The count is:
<%
       out.write(MyCounter.getCountAsString());
%>
 
<br/>
I hope you are happy.
 
</body>
</html>
 


web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<display-name>testjdb</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
</web-app>


Then run from a command line :
jdb -attach jdbconn


run your case once to make sure the MyCounter class has already been loaded, then run

classes

to check if the MyCounter is there, then run this to set a breakpoint:

stop at com.pierre.MyCounter:6

next time you run the jsp, the breakpoint is hit and execution stops


Sunday, February 12, 2017

Spring JDBC tutorial by JavaBrains