So I’m trying to upgrade my Ansible server to the newest OpenBSD snapshot, which involves working at the console. I go to my virtual server control panel, click on the link to the Java applet, and get told that Java won’t run this application.
Turns out that Java has trusted self-signed certificates for applications until now, relying on blacklists rather than whitelists. I simultaneously applaud this move away from enumerating badness and condemn them for temporarily inconveniencing me.
To whitelist a specific site, open the Java configuration applet. For Windows users, this is the Java Control Panel. Open the Security tab. About 2/3 of the way down, there’s an “Edit site list” option. Add the desired web site.
Java will then run applets from that web site.
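The Exception Site List that the Control Panel edits is stored as a plain text file, one URL per line, in the user's Java deployment directory. As an added example (not from the original post), this Python script audits that file for entries that are not served over TLS and appends a site only once. The path below is the default per-user location on Unix-like systems and is an assumption to adjust; the https-only rule in `add_site` is this example's own policy.

```python
"""Audit and update the Java Exception Site List (added example)."""
from pathlib import Path
from urllib.parse import urlsplit

# Assumption: default per-user location on Unix-like systems. On Windows the
# file sits in the Sun/Java/Deployment/security folder under AppData/LocalLow.
DEFAULT_LIST = Path.home() / ".java/deployment/security/exception.sites"


def check_entry(entry):
    """Return a list of reasons an entry is riskier than it needs to be."""
    parts = urlsplit(entry)
    problems = []
    if parts.scheme not in ("https", "http", "file"):
        problems.append("unsupported or missing scheme")
    elif parts.scheme != "https":
        problems.append(f"{parts.scheme}: origin is not authenticated by TLS")
    if parts.scheme in ("http", "https") and not parts.hostname:
        problems.append("no host name")
    return problems


def audit(path):
    """Map each non-blank entry in the list to its problems (empty if fine)."""
    if not path.exists():
        return {}
    entries = [ln.strip() for ln in path.read_text().splitlines() if ln.strip()]
    return {e: check_entry(e) for e in entries}


def add_site(path, url):
    """Append url once; refuse anything that is not a well-formed https URL."""
    problems = check_entry(url)
    if problems:  # policy of this example, stricter than the Control Panel
        raise ValueError(f"refusing {url!r}: {'; '.join(problems)}")
    path.parent.mkdir(parents=True, exist_ok=True)
    if url in audit(path):
        return False
    with path.open("a") as fh:
        fh.write(url + "\n")
    return True


if __name__ == "__main__":
    for entry, problems in audit(DEFAULT_LIST).items():
        print(("WARN " if problems else "ok   ") + entry, *problems, sep="  ")
```

Run it with no arguments to list the current entries; every site on the list bypasses the self-signed-certificate block, so the list is worth keeping short.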
What Oracle did is more insidious.
As of last year, Java 7 JRE updates from Oracle now have a defined expiration date baked in them, as a way of “encouraging” you to keep current. If they can’t contact the mother ship and download a current JRE, they assume that they’re out-of-date and can bury their head in the proverbial sand. This can simply result in nagging you, or may be worse depending on what Oracle decides they want to do. Generally, you might need to muck with existing JRE installs (particularly the security settings) if you can’t update. You can find a given JRE’s expiration date in its associated relnotes.
In other words, you don’t even need to update to break things. Just the *lack* of update may break things due to the time bomb described above.
Also, the January update not only distrusts self-signed certs in the context of Java stuff invoked from a browser (applets, JavaWS), but also mandates security-related fields in the JAR files that were more-or-less optional before. Effectively, what Oracle did can break “binary compatibility”, and the fact that they did so in the context of an update to Java 7 rather than calling it Java 8 or somesuch is most irritating.