Allowing unsigned Java applications on all sites
Java 8u25
Warning: These settings expose security vulnerabilities known to Java. Not for the average user.
I was having a lot of tools blocked by Java. I set the options below and then added to the site exception list. I was then able to run all of my older applets that were previously blocked after a browser restart.
Advanced:
**JNLP File/MIME Association - Always allow
**Secure Execution Environment - Uncheck Show sandbox warning banner, uncheck warn if site certificate does not match hostname, uncheck show site certificate from server even if it is valid
**Mixed code - Disable verification
**Perform certificate revocation checks on - Do not check
**Advanced Security Settings - Uncheck enable blacklist revocation check
Security:
**Add the site to Security tab > edit site list > add button > type URL or IP.
[Doesn't work in Java 8+]
Go to the Java Control Panel. In the Security tab, set the security level to Medium; if the applet is not signed but doesn't require full permissions, it should run. If it needs full permissions, this will prompt you to continue. See details here: http://www.java.com/en/download/help/jcp_security.xml
As for Chrome, if you go to chrome://plugins, under the Java plugin settings you can also set "always allow" so that you do not see the prompt.
I had issues with running an app signed with MD5 with RSA. I found the following solution worked for me:
From https://forums.freenas.org/index.php?threads/psa-java-8-update-131-breaks-asrocks-ipmi-virtual-console.53911/:
all applications signed by MD5withRSA are now treated as "unapproved"
but luckily you can quickly override this by updating C:\Program Files (x86)\Java\jre1.8.0_131\lib\security\java.security
For MACOS X /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security
OR
/Library/Java/JavaVirtualMachines/jdk1.8.0_131.jdk/Contents/Home/jre/lib/security/java.security
I opened the java.security file with Notepad and made the following changes (removed MD5 exclusion):
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, \
    EC keySize < 224
jdk.tls.legacyAlgorithms= \
    K_NULL, C_NULL, M_NULL, \
    DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
    DH_RSA_EXPORT, RSA_EXPORT, \
    DH_anon, ECDH_anon, \
    RC4_128, RC4_40, DES_CBC, DES40_CBC, \
    3DES_EDE_CBC, \
    SSL_RSA_WITH_RC4_128_MD5
jdk.xml.dsig.secureValidationPolicy=\
    disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
    maxTransforms 5,\
    maxReferences 30,\
    disallowReferenceUriSchemes file http https,\
    minKeySize RSA 1024,\
    minKeySize DSA 1024,\
    noDuplicateIds,\
    noRetrievalMethodLoops
If you continue to receive this error after adding the site to the exceptions list of the Java control panel, try editing [JRE install directory]\lib\security\java.policy
Inside the grant block, add
permission java.net.SocketPermission "192.168.50.116:5900", "connect,resolve";
Substitute your host/IP and port.
You can edit the exception site list in a text editor (e.g. Notepad++). I used Excel to auto-fill a range (e.g. https://192.168.1.1 -> https://192.168.1.255). I then copied and pasted this into the exception.sites file.
C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
The exceptions then show up in the Java Control Panel exception list.
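The following audit script is an added example, not code from any of the answers above. It parses the two files those answers edit (java.security and exception.sites) and reports a jdk.jar.disabledAlgorithms line that no longer lists MD5, plus exception entries that are not HTTPS or were bulk-added across one /24. The function names, the MD2/MD5 baseline, the 16-entry threshold and the sample file contents are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_properties(text):
    """Parse java.security-style 'key=value' text, joining backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1].strip() + " "
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def jar_algorithm_findings(props, required=("MD2", "MD5")):
    """Return baseline algorithms (assumed list) absent from jdk.jar.disabledAlgorithms."""
    entries = props.get("jdk.jar.disabledAlgorithms", "").split(",")
    names = {e.split()[0].upper() for e in entries if e.strip()}
    return [alg for alg in required if alg not in names]

def exception_site_findings(text, bulk_threshold=16):
    """Flag non-HTTPS entries and many IP entries inside the same /24."""
    findings, per_net = [], {}
    for line in text.splitlines():
        url = line.strip()
        if not url:
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(("not-https", url))
        try:
            ip = ipaddress.ip_address(parts.hostname or "")
        except ValueError:
            continue  # hostname entry, not an IP literal
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        per_net[net] = per_net.get(net, 0) + 1
    return findings + [("bulk-range", f"{n} x{c}")
                       for n, c in per_net.items() if c >= bulk_threshold]

# Constructed sample inputs mirroring the edits described on this page.
SAMPLE_SECURITY = ("jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024\n"
                   "jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, \\\n"
                   "    EC keySize < 224\n")
SAMPLE_SITES = "\n".join(f"https://192.168.1.{i}" for i in range(1, 256)) + "\nhttp://10.0.0.5\n"

if __name__ == "__main__":
    print(jar_algorithm_findings(parse_properties(SAMPLE_SECURITY)))
    print(exception_site_findings(SAMPLE_SITES))
```

To audit a real installation, read the java.security and exception.sites files from the paths given above and pass their contents to the same functions.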