WildFly Core / WFCORE-5226

No acceptedIssuers is sent when CRLs are configured


    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 15.0.0.Final
    • Component/s: None
    • Labels: None
    • Steps to Reproduce:

      Configure a trust-manager like this:

      <trust-manager name="MyTrustManager" key-store="MyTrustStore">
          <certificate-revocation-list path="/opt/jboss/wildfly/standalone/configuration/my_crl.pem" />
      </trust-manager>

      Issue an openssl s_client -connect <host:port> command.

      The result looks like this: No client certificate CA names sent

      ---
      No client certificate CA names sent
      Client Certificate Types: ECDSA sign, RSA sign, DSA sign
      Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
      Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
      Peer signing digest: SHA256
      Peer signature type: RSA
      Server Temp Key: ECDH, P-256, 256 bits
      ---

      If you comment out the CRL:

      <!--
      <certificate-revocation-list path="/opt/jboss/wildfly/standalone/configuration/my_crl.pem" />
      -->

      then everything works fine.

    • [QE] How to address?:
      ---
    • [QE] Why QE missed?:
      ---

      Description

      When CRLs are configured, no client certificate CA names are sent for a TLS two-way (mutual) connection.

      The setAcceptedIssuers method of the X509RevocationTrustManager builder is never called, so acceptedIssuers is always empty.
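      A post-deployment check for the symptom described in the steps to reproduce and the description above, added here as an example and not part of the WildFly Core issue or project code. It parses the relevant section of openssl s_client output (sample outputs below are constructed, not captured from the reporter's server) and distinguishes three cases: the server advertised issuer names (healthy), the server sent a CertificateRequest with an empty CA list (the WFCORE-5226 symptom), and the server never requested a client certificate at all. It assumes the layout of OpenSSL 1.1.1+ s_client output, where the "Client Certificate Types:" line is printed only when a CertificateRequest was actually received; the DN values and the missing_issuers helper are illustrative.

```python
import re

# Constructed sample s_client outputs (not captured from the reporter's server).
# BROKEN_OUTPUT mirrors the symptom reported in WFCORE-5226: a CertificateRequest
# was received (Client Certificate Types is printed) but the CA list was empty.
BROKEN_OUTPUT = """\
---
No client certificate CA names sent
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:RSA+SHA256
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
"""

# What a working two-way TLS endpoint shows: the trust store's issuers are advertised.
HEALTHY_OUTPUT = """\
---
Acceptable client certificate CA names
C = XX, O = Example Corp, CN = Example Internal Root CA
C = XX, O = Example Corp, CN = Example Issuing CA 2
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA256:RSA+SHA256
---
"""

# A server that never requested a client certificate at all: same first line,
# but no "Client Certificate Types" line follows it.
NO_CLIENT_AUTH_OUTPUT = """\
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
"""

FIELD_LINE = re.compile(r"^[A-Z][A-Za-z ]+: ")  # e.g. "Client Certificate Types: ..."


def parse_certificate_request(s_client_output: str) -> dict:
    """Classify the CertificateRequest a server sent, from `openssl s_client` text.

    Returns {"status": ..., "ca_names": [...]} where status is one of
      "ok"             - client auth requested and issuer names advertised
      "empty-ca-list"  - client auth requested but no issuer names (WFCORE-5226 symptom)
      "no-client-auth" - the server never sent a CertificateRequest
    """
    lines = [ln.strip() for ln in s_client_output.splitlines()]
    requested = any(ln.startswith("Client Certificate Types:") for ln in lines)
    ca_names: list[str] = []
    if "Acceptable client certificate CA names" in lines:
        start = lines.index("Acceptable client certificate CA names") + 1
        for ln in lines[start:]:
            # The DN list ends at the next separator or the next "Key: value" field.
            if ln == "---" or FIELD_LINE.match(ln):
                break
            if ln:
                ca_names.append(ln)
    if not requested:
        status = "no-client-auth"
    elif ca_names:
        status = "ok"
    else:
        status = "empty-ca-list"
    return {"status": status, "ca_names": ca_names}


def missing_issuers(advertised: list[str], expected: list[str]) -> list[str]:
    """Issuers the deployment expects to advertise but the server did not send."""
    advertised_set = {name.strip() for name in advertised}
    return [name for name in expected if name.strip() not in advertised_set]


if __name__ == "__main__":
    # Hypothetical issuer the client certificates in this deployment are signed by.
    expected = ["C = XX, O = Example Corp, CN = Example Issuing CA 2"]
    for label, text in [("broken", BROKEN_OUTPUT), ("healthy", HEALTHY_OUTPUT),
                        ("no-client-auth", NO_CLIENT_AUTH_OUTPUT)]:
        result = parse_certificate_request(text)
        print(label, result["status"], "missing:", missing_issuers(result["ca_names"], expected))
```

      In practice the output fed to parse_certificate_request comes from running openssl s_client against the WildFly endpoint after a configuration change; an "empty-ca-list" result is the signal that the trust manager is not exposing its accepted issuers, and an empty list from missing_issuers confirms the CA that signed the client certificates is among the names the server advertises.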


      People

      Assignee: szaldana Sonia Zaldana
      Reporter: dmaffrand David MAFFRAND (Inactive)
      Votes: 1
      Watchers: 5