OF-2134: Add option to enable certificate revocation checks #2610
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
viv
changed the title
|
I am planning to add the documentation changes to this PR but won't get a chance to do that until tomorrow. |
guusdk
reviewed
Nov 19, 2024
When enabled, certificates will be verified against Certificate Revocation Lists (CRL) and through Online Certificate Status Protocol (OCSP) to ensure they have not been revoked.
- Permit client-driven OCSP (has no effect unless revocation checking is also enabled) by adding property to java.security settings. - Enable OCSP stapling by specifying jdk.tls.server.enableStatusRequestExtension=true Java system property. With this default configuration: - as a client: Openfire will behave in the same way as it did prior to this commit. - as a server: Openfire will staple OCSP responses when presenting its certificate if the certificate is configured with an OCSP responder and Openfire receives a response from the listed responder, otherwise the certificate will be presented with no OCSP response (the default behaviour prior to this commit). For further configuration options see: https://docs.oracle.com/en/java/javase/17/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-527BAE97-3B78-4390-A479-623BD998C4EE
viv
force-pushed
the
OF-2134_cert-revocation-support
branch
from
c073eec
to
42de835
Compare
|
We've discussed this in a video call, but I'd like to capture two points that may need additional attention:
|
Prior to this change, if the TLS handshake failed (e.g. if certificate validation did not succeed), an error stanza would be returned to the TLS client with the misleading message "An error occurred in XMPP Decoder".
… not If Openfire is configured to do revocation checking, but Java is configured to not support client-driven OCSP checking, we now inform the user.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When enabled, certificates will be verified against Certificate Revocation Lists (CRL) and through Online Certificate Status Protocol (OCSP) to ensure they have not been revoked.
Additional settings are required to support OCSP, I plan to add these shortly.