bzng

AVtech, anytime & anywhere certificate expired

Hi everyone,

 

I'm using the AV Tech Video Web Server through an AVtech AVC792 and it was all fine for the last 2 years. Today I tried, after a while (6 months), to log in, but after I tried to view the cameras a Java applet problem appeared.

The whole exception is this:

 

java.security.cert.CertificateRevokedException: Certificate has been revoked, reason: AFFILIATION_CHANGED, revocation date: Fri Jun 04 12:40:07 CEST 2010, authority: CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US, extensions: {}
    at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
    at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
    at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
    at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
    at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
    at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.isTrustedByTrustDecider(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.getTrustedCodeSources(Unknown Source)
    at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy(Unknown Source)
    at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$1000(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
    at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

I flashed the last firmware update but the error still appears.

 

The error appears in Firefox and Internet Explorer.

Does anyone have an idea, or has anyone heard something about a certification problem?


Hi,

I can see the exact same problem on my AVD744. After googling without any results I dug a bit deeper and figured out that there are multiple problems that prevent one from using the Java plugin:

1. The end date of the certificate

After extracting I checked the start and end dates of the certificate, which are:

        Validity
           Not Before: Jun  4 00:00:00 2010 GMT
           Not After : Jun  3 23:59:59 2012 GMT

As we can see it is already invalid since June 4th, 2012 - which means: for over a year now.

2. The cert's revocation date and the latest Java updates

After Java update 20, Oracle enabled the OCSP feature by default, which lets Java look up the revocation state of the cert via the OCSP service on Verisign's homepage. I did that too and got the following information:

certs.pem: revoked
       This Update: Jul 27 16:16:11 2013 GMT
       Next Update: Oct 18 21:00:52 2013 GMT
       Reason: affiliationChanged
       Revocation Time: Jun  4 10:40:07 2010 GMT

So this means that the cert has been revoked on June 4th, 2010 because the affiliation of the cert changed. And that everybody has been using an invalid cert since that day. After the Java update enabled the OCSP lookup it went invalid completely as the revocation of the cert finally became known to Java itself...

Judging by the fact that the cert has been revoked in 2010 and that AVTech knows about this since 2010 AND that nothing has happened so far, I don't assume they're going to offer a new version with a corrected certificate.

Fixing the problem would involve patching the firmware to use a different or no certificate at all. If anybody has some info on the format of the firmware files I may be able to do it.

KR,

S.
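As an added illustration (not part of the original post, and not Java's actual validation code), the two tool outputs quoted above can be parsed and fed to a simplified trust check that compares a clock time against the validity window and the revocation time. The function names and the test dates are assumptions of this example, and signature timestamps are ignored.

```python
import re
from datetime import datetime, timezone

# Output quoted in the post above, embedded verbatim.
VALIDITY = """
        Validity
           Not Before: Jun  4 00:00:00 2010 GMT
           Not After : Jun  3 23:59:59 2012 GMT
"""
OCSP = """
certs.pem: revoked
       This Update: Jul 27 16:16:11 2013 GMT
       Next Update: Oct 18 21:00:52 2013 GMT
       Reason: affiliationChanged
       Revocation Time: Jun  4 10:40:07 2010 GMT
"""

def field(text, label):
    """Return the timestamp that follows 'label:' in the tool output, as UTC."""
    m = re.search(rf"{label}\s*:\s*(.+?) GMT", text)
    stamp = " ".join(m.group(1).split())  # collapse the space-padded day field
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

NOT_BEFORE = field(VALIDITY, "Not Before")
NOT_AFTER = field(VALIDITY, "Not After")
REVOKED_AT = field(OCSP, "Revocation Time")

def cert_status(at, check_revocation=True):
    """Simplified trust decision at clock time 'at' (hypothetical helper)."""
    if at < NOT_BEFORE:
        return "not yet valid"
    if at > NOT_AFTER:
        return "expired"
    if check_revocation and at >= REVOKED_AT:
        return "revoked"
    return "valid"

def utc(*args):
    """Build a timezone-aware UTC datetime."""
    return datetime(*args, tzinfo=timezone.utc)

def unrevoked_lifetime():
    """How long the certificate was both in date and not yet revoked."""
    return REVOKED_AT - NOT_BEFORE

if __name__ == "__main__":
    for when in (utc(2010, 9, 15), utc(2013, 8, 1)):
        for check in (False, True):
            print(when.date(), "revocation check:", check, "->", cert_status(when, check))
    print("in date and unrevoked for", unrevoked_lifetime())
```

The certificate was in date and unrevoked for under eleven hours; a client that skipped revocation checking would have treated it as valid until the 2012 expiry.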


For a friend I installed two CCTV systems that seem to be DVR4H3's from AVTech and of course I ran into the same certificate issues.

I work with Linux on my machines, so I wanted to use Firefox to display the web interface remotely. Having a Java spin called IcedTea (1.6.x) did not work, so I installed Sun's Java version 7 and presto: the applets load. I did have to turn off all security measures and disallow the checking of old certificates as well, in order for the applets to run. This is not only not ideal, but it poses direct security threats, as it invites people to invoke dangerous behaviour with their browser settings. It requires them to accept circumstances in which they can no longer expect themselves to be protected from all sorts of digital harm.

I live and work in Europe where, according to Wiki, there are some rules regarding those certificates. I wonder if that's applicable to these DVR certificates as well.

http://en.wikipedia.org/wiki/Public_key_certificate#Usage_in_the_European_Union


Been a problem with avtech for a long time

Remove all remote viewing software from pc ...... Then reset date on pc to September 2010 once loaded and working then return date back on pc

Oh and compatibility mode has to be ticked while on 2010 date

> Been a problem with avtech for a long time

A shame. And I can't help but wonder how legal it is to sell devices without the appropriate security certificates.

> Remove all remote viewing software from pc ...... Then reset date on pc to September 2010 once loaded and working then return date back on pc

You mean on the device I use to watch the streams? Then I would have to change lots of them, as I only set this system up for the owners, who will want to access/watch these streams from a range of devices.

> Oh and compatibility mode has to be ticked while on 2010 date

Isn't that for Windows? Clients both use Mac/Linux.

I was wondering: If I am not mistaken, these avtech devices run some form of embedded Linux, is that correct? Is it not possible to ssh into the machine and provide it with a new/altered certificate?


I found a workaround for this problem:

- Open Control Panel, Java, Advanced tab
- Look for "Perform certification revocation checks on" and select the "Do not check" option.

Needless to say, this setting opens a security hole in the system, so double check the sites you visit.

Shame on Avtech for non-existent product support!


I am having the same problem with certification.

Has AVtech done something to overcome the problem?

Please help, if someone has got a solution.

Regards,

Suniljay

If someone has a solution please...

suniljay123@yahoo.co.uk


Hi,

You can see before your post my solution to this problem. Avtech no longer exists as a company so you will not have a solution from them anymore.
