
Improve cert revocation validation #2152

Merged

Conversation

Akila94
Member

@Akila94 Akila94 commented Feb 26, 2024

Purpose

  • This improvement contains the certificate revocation validation improvement so that the validation can be done without the full certificate chain being sent in the request.

  • The validation can also be done when only one intermediate client certificate is sent in the request. For this to happen, the immediate issuer of that certificate should be contained in the client trust store.

  • Also, a cert cache (LRU) is implemented to keep the issuer certificate found after traversing the client trust store.

  • One of the following configurations can be used to enable this improvement:

  1. Enforce globally using axis2.xml. The following configuration should be added inside the <transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpMultiSSLListener">.
<parameter name="CertificateRevocationVerifier" enable="true">
    <CacheSize>50</CacheSize>
    <CacheDelay>15</CacheDelay>
    <FullChainValidation>false</FullChainValidation>
    <ExpiryValidation>true</ExpiryValidation>
</parameter>
  2. Enforce per security listener profile. The following configuration should be added inside the relevant profile.
<CertificateRevocationVerifier>
    <Enable>true</Enable>
    <CacheSize>50</CacheSize>
    <CacheDelay>15</CacheDelay>
    <FullChainValidation>false</FullChainValidation>
    <ExpiryValidation>true</ExpiryValidation>
</CertificateRevocationVerifier>

This also fixes the test failures that occurred in the issue: #2146
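The issuer lookup and size-bounded LRU cache that the description refers to, as an added illustration rather than the Synapse code in this PR: the class and method names, the `KeyStore`-backed trust store and the `expiryValidation` flag are assumptions, and the OCSP/CRL revocation query that would follow the lookup (and any `CacheDelay` time-based refresh) is not shown.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical helper: resolve the issuer of a lone client certificate from the trust store. */
public class IssuerResolver {
    private final KeyStore trustStore;
    private final boolean expiryValidation;
    private final Map<String, X509Certificate> cache; // issuer DN -> issuer cert, LRU by access order

    public IssuerResolver(KeyStore trustStore, int cacheSize, boolean expiryValidation) {
        this.trustStore = trustStore;
        this.expiryValidation = expiryValidation;
        this.cache = new LinkedHashMap<String, X509Certificate>(16, 0.75f, true) {
            @Override protected boolean removeEldestEntry(Map.Entry<String, X509Certificate> e) {
                return size() > cacheSize; // evict least recently used once the bound is exceeded
            }
        };
    }

    /** Returns the trusted issuer of 'cert'; throws if no trust-store entry actually signed it. */
    public synchronized X509Certificate findIssuer(X509Certificate cert) throws Exception {
        if (expiryValidation) {
            cert.checkValidity(); // CertificateExpiredException / NotYetValidException if out of window
        }
        String issuerDn = cert.getIssuerX500Principal().getName();
        X509Certificate cached = cache.get(issuerDn);
        if (cached != null && signedBy(cert, cached)) {
            return cached; // cache hit: no trust-store traversal needed
        }
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            java.security.cert.Certificate c = trustStore.getCertificate(aliases.nextElement());
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate candidate = (X509Certificate) c;
            // A DN match alone is not enough: the candidate's key must verify the signature.
            if (candidate.getSubjectX500Principal().equals(cert.getIssuerX500Principal())
                    && signedBy(cert, candidate)) {
                cache.put(issuerDn, candidate);
                return candidate;
            }
        }
        throw new CertificateException("issuer of " + cert.getSubjectX500Principal() + " not in trust store");
    }

    private static boolean signedBy(X509Certificate cert, X509Certificate issuer) {
        try { cert.verify(issuer.getPublicKey()); return true; } catch (Exception e) { return false; }
    }
}
```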

@Akila94 Akila94 force-pushed the cert-revocation-synapse-improvement-2 branch from bf474a0 to 83a7566 February 29, 2024 08:56
@Akila94 Akila94 requested a review from arunans23 February 29, 2024 09:37
@Akila94 Akila94 closed this Feb 29, 2024
@Akila94 Akila94 reopened this Feb 29, 2024
@arunans23 arunans23 merged commit c24353d into wso2:master Mar 1, 2024
1 of 2 checks passed
shilmyhasan pushed a commit to shilmyhasan/wso2-synapse-1 that referenced this pull request Aug 28, 2024
…v183.x-full

Adding a new synapse property to disable MBean creation for Endpoints