JDK 1.7 jarsigner with https tsa no longer works

Question

It seems like Thawte root certificates in JDK 1.7.0_80 is revoked. https://www.thawte.com/roots/retired.html

Using the 7u80 jarsigner no longer works and it worked fine just a few days ago.

/usr/java/jdk1.7.0_80/jre/../bin/jarsigner -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa https://timestamp.geotrust.com/tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp
jarsigner: unable to sign jar: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

I tried to import Thawtes Timestamping CA certificate into cacerts after deleting the old one.

wget https://www.thawte.com/roots/Thawte_Timestamping_CA.pem

/usr/java/jdk1.7.0_80/bin/keytool -import -trustcacerts -alias verisigntsaca -file Thawte_Timestamping_CA.pem -keystore jre/lib/security/cacerts 
Enter keystore password:  
Trust this certificate? [no]:  yes
Certificate was added to keystore

Using jarsigner from JDK 8u60 works, so I tried to copy its cacerts to JDK7, but that did not work either.

We cannot compile yet with Java 8, because of Javadoc errors. The only solutions I see is to create symlink in JDK7 to JDK8 jarsigner.

/usr/java/jdk1.8.0_60/jre/../bin/jarsigner -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa https://timestamp.geotrust.com/tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp
jar signed.

If I switch tsa from geotrust to digicert it works fine with JDK 7, because they do not use https. http://timestamp.digicert.com/

Answer 1

I also only experienced this issue in the last 12 hours. This issue is not to do with certificates but rather to do with the protocol used to communicate with the timestamp server. This will work with JDK7, however you need to add the following to the jarsigner command

-J-Dhttps.protocols=TLSv1.2

Therefore, your command will look like:

/usr/java/jdk1.7.0_80/jre/../bin/jarsigner -J-Dhttps.protocols=TLSv1.2 -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa https://timestamp.geotrust.com/tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp

It seems that GeoTrust have disabled use of TLS version 1.0 which is the default in Java 7. The following links provide more information on this:

GeoTrust Partner: Disable of Transport Layer Security (TLS) version 1.0 protocol

Diagnosing TLS, SSL, and HTTPS

Hope this helps.

Answer 2

user1638152's answer is definitely right. Just adding this information if someone is having the same issues and jar signing is done using Apache Ant.

Adding the following line inside the signjar task:

<sysproperty key="https.protocols" value="TLSv1.2" />

This does exactly the same thing as the "-J-Dhttps.protocols=TLSv1.2" does in command line.