Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-5226

No acceptedIssuers is sent when CRLs are configured

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Done
    • None
    • 15.0.0.Final
    • None
    • None
    • Hide

      Configure a trust-amanger like this :

       <trust-manager name="MyTrustManager" key-store="MyTrustStore" >
       <certificate-revocation-list path="/opt/jboss/wildfly/standalone/configuration/my_crl.pem" /> 
       </trust-manager>

      issue an openssl s_client -connect <host:port>

      Result is something like that => No client certificate CA names sent

      ---
      No client certificate CA names sent
      Client Certificate Types: ECDSA sign, RSA sign, DSA sign
      Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
      Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
      Peer signing digest: SHA256
      Peer signature type: RSA
      Server Temp Key: ECDH, P-256, 256 bits
      ---

      If you comment CRL

       <!-- 
      <certificate-revocation-list path="/opt/jboss/wildfly/standalone/configuration/my_crl.pem" />  
      -->
      

      Then everything is working fine

      Show
      Configure a trust-amanger like this : <trust-manager name= "MyTrustManager" key-store= "MyTrustStore" > <certificate-revocation-list path= "/opt/jboss/wildfly/standalone/configuration/my_crl.pem" /> </trust-manager> issue an openssl s_client -connect <host:port> Result is something like that => No client certificate CA names sent --- No client certificate CA names sent Client Certificate Types: ECDSA sign, RSA sign, DSA sign Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512 Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512 Peer signing digest: SHA256 Peer signature type: RSA Server Temp Key: ECDH, P-256, 256 bits --- If you comment CRL <!-- <certificate-revocation-list path= "/opt/jboss/wildfly/standalone/configuration/my_crl.pem" /> --> Then everything is working fine

    Description

      When CRLs are configured there're no client certificate CA names sent for a tls 2 way connexion.

      Method setAcceptedIssuers of X509RevocationTrustManager builder is never called, so acceptedIssuers is always empty.

      Attachments

        Issue Links

          Activity

            People

              szaldana Sonia Zaldana (Inactive)
              dmaffrand David MAFFRAND (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: