phase4: Problem with OCSP certificate revocation check in Java 17u4 and later
Hi Philip, I’m currently encountering an issue while testing with the new 2.1.0 release. I’m using Spring Boot 3.
When I start the Access Point and send a message to customer A, the transmission is successful. While the application is still running, I send a message to customer B. The transmission fails with the following error:
com.helger.phase4.peppol.Phase4PeppolException: The configured receiver AP certificate is not valid (at 2023-05-05T09:28:22.546313412+02:00) and cannot be used for sending. Aborting. Reason: certificate is revoked
    at com.helger.phase4.peppol.Phase4PeppolSender._checkReceiverAPCert(Phase4PeppolSender.java:280) ~[phase4-peppol-client-2.1.0.jar!/:2.1.0]
    at com.helger.phase4.peppol.Phase4PeppolSender$AbstractPeppolUserMessageBuilder.finishFields(Phase4PeppolSender.java:652) ~[phase4-peppol-client-2.1.0.jar!/:2.1.0]
    at com.helger.phase4.peppol.Phase4PeppolSender$Builder.finishFields(Phase4PeppolSender.java:1061) ~[phase4-peppol-client-2.1.0.jar!/:2.1.0]
    at com.helger.phase4.sender.AbstractAS4MessageBuilder.sendMessage(AbstractAS4MessageBuilder.java:605) ~[phase4-lib-2.1.0.jar!/:2.1.0]
If however I restart the application and send a message to customer B first, it succeeds. When I try to send a message to customer A then, it fails with the same exception.
The transmission keeps failing until I restart the application. Let me know if you need additional logs. I skimmed through the code of phase4 and peppol-commons but did not find any obvious error yet.
About this issue
- State: open
- Created a year ago
- Comments: 46 (27 by maintainers)
The server behaves correctly IMHO, as there is either a Content-Length or a Transfer-Encoding header (presumably “chunked”), so I guess we have to wait for a JDK update here. Thanks for the analysis, followed with interest 😃
No, unfortunately not. I am more in favour of reverting to 17.0.3 for now. Or even Java 11 😄 - let's see if Java 17 gets some change in the next release 17.0.9 …
Good catch. I never thought that the introduction of GET may also be the cause of the problems. Seems like they also do trial and error in a way 😉 So going back to 17.0.3 could resolve the error.
Direct link to the bug tracker: https://bugs.openjdk.org/browse/JDK-8315979
Has been accepted https://bugs.java.com/bugdatabase/view_bug?bug_id=JDK-8315979
To me it looks like the issue is still persistent (in a way) in 17.0.8 - need to investigate
So the Adoptium update 17.0.8 is out. I am closing this issue now.
No idea - sorry. I think that is vendor dependent but will happen asap (I hope 😉 )
The fix is supposed to be in Java 17.0.8 which is scheduled to be released 2023-07-18 according to https://www.java.com/releases/
PR for the fix is already opened https://github.com/openjdk/jdk17u-dev/pull/1361
The bug has been accepted and you can follow under https://bugs.java.com/bugdatabase/view_bug?bug_id=JDK-8308255
Wow, nice investigation! I don’t know why but my stacktraces were cut off before the interesting stuff… Let’s see what will come out of this.
That does seem to work for now. Though I could not reproduce the strange behavior I described initially before I made the change. I’ll do some further testing next week. Thanks!