
Do cert revocation improvement to validate with only one client certificate in the request when the issuer of that cert is present in the client trust store #2119

Merged (10 commits), Jan 29, 2024

Conversation

@Akila94 (Member) commented Dec 1, 2023

Purpose

  • This improvement allows certificate revocation validation to be done without the full certificate chain being sent in the request.

  • The validation can also be done when only one intermediate client certificate is sent in the request. For this to happen, the immediate issuer of that certificate should be present in the client trust store.

  • Also, a cert cache (LRU) is implemented to keep the issuer certificate found after traversing the client trust store.

  • A data holder is introduced to avoid loading the client trust store multiple times for a single server start-up.

  • One of the following configurations can be used to enable this improvement:

  1. Enforce globally using axis2.xml. The following configuration should be added inside the <transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpMultiSSLListener"> element.

```xml
<parameter name="CertificateRevocationVerifier" enable="true">
    <CacheSize>1024</CacheSize>
    <CacheDelay>1000</CacheDelay>
    <FullChainValidation>false</FullChainValidation>
    <ExpiryValidation>true</ExpiryValidation>
</parameter>
```

  2. Enforce per security listener profile. The following configuration should be added inside the relevant profile.

```xml
<CertificateRevocationVerifier>
    <Enable>true</Enable>
    <CacheSize>1024</CacheSize>
    <CacheDelay>1000</CacheDelay>
    <FullChainValidation>false</FullChainValidation>
    <ExpiryValidation>true</ExpiryValidation>
</CertificateRevocationVerifier>
```
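The mechanism the description above outlines (resolve the immediate issuer of a lone client certificate from the client trust store, keep the issuer in an LRU cache, load the trust store once) as an added, self-contained Java example. This is illustrative code written for this page, not the Synapse implementation from the PR; the class and method names, the `TrustStoreHolder` stand-in for the PR's data holder, and the command-line arguments are all assumptions. The only parts taken from the description are the behaviours themselves and the two option names it mentions (cache size and expiry validation).

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.security.auth.x500.X500Principal;

/** Added example, not the project's code: issuer lookup for a single client certificate. */
public final class SingleCertIssuerResolver {

    /** Hypothetical stand-in for the PR's data holder: the trust store is loaded once per JVM. */
    static final class TrustStoreHolder {
        private static volatile KeyStore trustStore;

        static KeyStore get(String path, char[] password) throws GeneralSecurityException, IOException {
            if (trustStore == null) {
                synchronized (TrustStoreHolder.class) {
                    if (trustStore == null) {
                        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
                        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
                        trustStore = ks;
                    }
                }
            }
            return trustStore;
        }
    }

    private final KeyStore trustStore;
    private final boolean expiryValidation;
    /** LRU cache, issuer DN -> issuer cert; access-ordered LinkedHashMap evicts the least recently used. */
    private final Map<X500Principal, X509Certificate> issuerCache;

    SingleCertIssuerResolver(KeyStore trustStore, final int cacheSize, boolean expiryValidation) {
        this.trustStore = trustStore;
        this.expiryValidation = expiryValidation;
        this.issuerCache = Collections.synchronizedMap(
            new LinkedHashMap<X500Principal, X509Certificate>(16, 0.75f, true) {
                @Override
                protected boolean removeEldestEntry(Map.Entry<X500Principal, X509Certificate> eldest) {
                    return size() > cacheSize;
                }
            });
    }

    /** Returns [clientCert, issuer]; throws if no trust-store entry both matches the issuer DN and signs the cert. */
    X509Certificate[] resolve(X509Certificate clientCert) throws GeneralSecurityException {
        X500Principal issuerDn = clientCert.getIssuerX500Principal();
        X509Certificate issuer = issuerCache.get(issuerDn);
        if (issuer != null && !signs(issuer, clientCert)) {
            // Same DN, different key (e.g. CA key rollover): the cached entry is wrong for this cert.
            issuerCache.remove(issuerDn);
            issuer = null;
        }
        if (issuer == null) {
            issuer = findIssuerInTrustStore(clientCert);
            if (issuer == null) {
                throw new CertificateException("immediate issuer not present in client trust store: " + issuerDn);
            }
            issuerCache.put(issuerDn, issuer);
        }
        if (expiryValidation) {          // maps to the description's ExpiryValidation option
            clientCert.checkValidity();
            issuer.checkValidity();
        }
        return new X509Certificate[] {clientCert, issuer};
    }

    /** A DN match alone is not proof of issuance; the candidate's key must verify the cert's signature. */
    private static boolean signs(X509Certificate candidate, X509Certificate cert) {
        try { cert.verify(candidate.getPublicKey()); return true; }
        catch (GeneralSecurityException e) { return false; }
    }

    private X509Certificate findIssuerInTrustStore(X509Certificate clientCert) throws GeneralSecurityException {
        Enumeration<String> aliases = trustStore.aliases();
        while (aliases.hasMoreElements()) {
            Certificate c = trustStore.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate) {
                X509Certificate candidate = (X509Certificate) c;
                if (candidate.getSubjectX500Principal().equals(clientCert.getIssuerX500Principal())
                        && signs(candidate, clientCert)) {
                    return candidate;
                }
            }
        }
        return null;
    }

    // Usage (paths and password are placeholders): java SingleCertIssuerResolver client-truststore.jks changeit client.pem
    public static void main(String[] args) throws Exception {
        KeyStore ts = TrustStoreHolder.get(args[0], args[1].toCharArray());
        X509Certificate client;
        try (InputStream in = new FileInputStream(args[2])) {
            client = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        X509Certificate[] chain = new SingleCertIssuerResolver(ts, 1024, true).resolve(client);
        System.out.println("issuer found: " + chain[1].getSubjectX500Principal());
    }
}
```

Two points worth noting when reading it. The cache is keyed by issuer DN, so a hit is re-checked with a signature verification, which is cheap next to re-walking the trust store and is what protects against two trust-store entries sharing a DN after a CA key rollover. The returned [client, issuer] pair is exactly what a revocation check needs next: an OCSP request is built from the issuer's name and key hashes, and a CRL signature can only be verified with the issuer's key. The example checks the client certificate against its immediate issuer only; it does not build the issuer's own path to a root.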

@Akila94 Akila94 marked this pull request as draft December 1, 2023 03:50
@Akila94 Akila94 force-pushed the cert-revocation-synapse-improvement branch 2 times, most recently from 86bf9da to fc97e57 January 4, 2024 03:38
@Akila94 Akila94 marked this pull request as ready for review January 4, 2024 04:24
@Akila94 Akila94 self-assigned this Jan 4, 2024
@Akila94 Akila94 changed the title [WIP] Do cert revocation improvement to validate without the full cert chain in the request Do cert revocation improvement to validate without the full cert chain in the request Jan 4, 2024
@Akila94 Akila94 changed the title Do cert revocation improvement to validate without the full cert chain in the request Do cert revocation improvement to validate with only one client certificate in the request Jan 4, 2024
@Akila94 Akila94 changed the title Do cert revocation improvement to validate with only one client certificate in the request Do cert revocation improvement to validate with only one client certificate in the request when the issuer of that cert is present in the client trust store Jan 4, 2024
@Akila94 Akila94 requested a review from isudana January 10, 2024 04:05
@Akila94 Akila94 force-pushed the cert-revocation-synapse-improvement branch from 90a9d11 to be79287 January 22, 2024 06:19
@Akila94 Akila94 requested a review from isudana January 22, 2024 06:19
@Akila94 Akila94 force-pushed the cert-revocation-synapse-improvement branch from be79287 to 09b48b3 January 23, 2024 05:10
@Akila94 Akila94 requested a review from isudana January 23, 2024 05:11
@Akila94 Akila94 force-pushed the cert-revocation-synapse-improvement branch from 09b48b3 to d02fc90 January 26, 2024 09:46
@Akila94 Akila94 requested a review from isudana January 29, 2024 04:23