WildFly Core / WFCORE-5226

No acceptedIssuers is sent when CRLs are configured


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • 15.0.0.Final

    Steps to Reproduce

      Configure a trust-manager like this:

        <trust-manager name="MyTrustManager" key-store="MyTrustStore">
            <certificate-revocation-list path="/opt/jboss/wildfly/standalone/configuration/my_crl.pem" />
        </trust-manager>

      Issue an openssl s_client -connect <host:port>

      The result is something like this (note "No client certificate CA names sent"):

      ---
      No client certificate CA names sent
      Client Certificate Types: ECDSA sign, RSA sign, DSA sign
      Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
      Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
      Peer signing digest: SHA256
      Peer signature type: RSA
      Server Temp Key: ECDH, P-256, 256 bits
      ---

      If you comment out the CRL:

        <!--
            <certificate-revocation-list path="/opt/jboss/wildfly/standalone/configuration/my_crl.pem" />
        -->

      then everything works fine.


    Description

      When CRLs are configured, no client certificate CA names are sent for a two-way TLS connection.

      The setAcceptedIssuers method of the X509RevocationTrustManager builder is never called, so acceptedIssuers is always empty.
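      The openssl check from the steps above, written up as an added example that is not part of this issue or of WildFly: it runs openssl s_client against a server (host and port are assumptions) and parses the handshake dump for the empty-acceptedIssuers symptom the description explains, where the server requests a client certificate but names no acceptable CA.

```python
"""Added example (not WildFly code): parse `openssl s_client` output for the
symptom in this issue, "No client certificate CA names sent". The host:port
in probe() and the sample outputs used to test it are constructed."""
import subprocess
from dataclasses import dataclass, field

CA_HEADER = "Acceptable client certificate CA names"
NO_CA_NAMES = "No client certificate CA names sent"


@dataclass
class ClientAuthInfo:
    requested: bool = False                       # server sent CertificateRequest
    ca_names: list = field(default_factory=list)  # DNs from certificate_authorities
    sigalgs: list = field(default_factory=list)   # Requested Signature Algorithms


def parse_s_client(output: str) -> ClientAuthInfo:
    """Extract the client-authentication section of s_client's handshake dump."""
    info, collecting = ClientAuthInfo(), False
    for raw in output.splitlines():
        line = raw.strip()
        if line == CA_HEADER:              # healthy server: one DN per line follows
            info.requested, collecting = True, True
        elif line == NO_CA_NAMES:          # the symptom reported in this issue
            info.requested, collecting = True, False
        elif line.startswith("Client Certificate Types:"):
            info.requested, collecting = True, False
        elif line.startswith("Requested Signature Algorithms:"):
            info.sigalgs = line.split(":", 1)[1].strip().split(":")
            collecting = False
        elif collecting and line and not line.startswith("---"):
            info.ca_names.append(line)
    return info


def ca_names_missing(info: ClientAuthInfo) -> bool:
    """True when the server requests a client certificate but names no CA,
    so a client holding several certificates cannot pick the right issuer."""
    return info.requested and not info.ca_names


def probe(host: str, port: int, timeout: int = 10) -> ClientAuthInfo:
    """Run `openssl s_client -connect host:port` (stdin closed) and parse it."""
    proc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}"],
                          input=b"", capture_output=True, timeout=timeout)
    return parse_s_client(proc.stdout.decode(errors="replace"))
```

      Run probe("localhost", 8443) against the server configured with the CRL, then again with the CRL commented out; ca_names_missing() should flip from True to False once the fix is in place.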

      People

        szaldana Sonia Zaldana (Inactive)
        dmaffrand David MAFFRAND (Inactive)