Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-2057

No acceptedIssuers is sent when CRLs are configured

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 1.14.1.Final, 2.0.0.Alpha10
    • None
    • SSL
    • None
    • Hide

      Configure a trust-amanger like this :

       <trust-manager name="MyTrustManager" key-store="MyTrustStore" >
 <certificate-revocation-list path="/opt/jboss/wildfly/standalone/configuration/my_crl.pem" /> 
 </trust-manager>

      issue an openssl s_client -connect <host:port>

      Result is something like that => No client certificate CA names sent

      ---
No client certificate CA names sent
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---

      If you comment CRL

       <!-- 
<certificate-revocation-list path="/opt/jboss/wildfly/standalone/configuration/my_crl.pem" />  
-->

      Then everything is working fine

      Show
      Configure a trust-amanger like this : <trust-manager name= "MyTrustManager" key-store= "MyTrustStore" > <certificate-revocation-list path= "/opt/jboss/wildfly/standalone/configuration/my_crl.pem" /> </trust-manager> issue an openssl s_client -connect <host:port> Result is something like that => No client certificate CA names sent --- No client certificate CA names sent Client Certificate Types: ECDSA sign, RSA sign, DSA sign Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512 Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512 Peer signing digest: SHA256 Peer signature type: RSA Server Temp Key: ECDH, P-256, 256 bits --- If you comment CRL <!-- <certificate-revocation-list path= "/opt/jboss/wildfly/standalone/configuration/my_crl.pem" /> --> Then everything is working fine
    • Undefined

      When CRLs are configured there're no client certificate CA names sent for a tls 2 way connexion.

      Method setAcceptedIssuers of X509RevocationTrustManager builder is never called, so acceptedIssuers is always empty.

              rh-ee-szaldana Sonia Zaldana Calles
              rh-ee-szaldana Sonia Zaldana Calles
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: