WildFly Elytron / ELY-2057

No acceptedIssuers is sent when CRLs are configured


Details

    • Bug
    • Resolution: Done
    • Major
    • 1.14.1.Final, 2.0.0.Alpha10
    • None
    • SSL
    • None

      Configure a trust-manager like this:

       <trust-manager name="MyTrustManager" key-store="MyTrustStore">
         <certificate-revocation-list path="/opt/jboss/wildfly/standalone/configuration/my_crl.pem" />
       </trust-manager>

      Issue an openssl s_client -connect <host:port>

      The result is something like this => No client certificate CA names sent

      ---
      No client certificate CA names sent
      Client Certificate Types: ECDSA sign, RSA sign, DSA sign
      Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
      Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
      Peer signing digest: SHA256
      Peer signature type: RSA
      Server Temp Key: ECDH, P-256, 256 bits
      ---

      If you comment out the CRL

       <!--
         <certificate-revocation-list path="/opt/jboss/wildfly/standalone/configuration/my_crl.pem" />
       -->

      then everything works fine.


    Description

      When CRLs are configured, no client certificate CA names are sent for a TLS two-way connection.

      The setAcceptedIssuers method of the X509RevocationTrustManager builder is never called, so acceptedIssuers is always empty.
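      Added example (not Elytron code, and not the fix that resolved this issue): a JDK-only sketch of the property the report is pointing at, covering both the reproduction steps above and the description. The PKIX trust manager built here checks peer chains against a CRL file of the same kind as the configured certificate-revocation-list, and its getAcceptedIssuers() returns the trust anchors that a JSSE server places in the CA-name list of its CertificateRequest. The IssuerlessWrapper class reproduces the defect class described here (a wrapping trust manager whose accepted-issuer list is never populated), and requireAdvertisedIssuers is a startup check that reports that condition without an openssl s_client round trip. The class and method names, the wrapper, and the command-line arguments are assumptions of this example; only JDK APIs are used.

```java
// Added example, not part of WildFly Elytron. Class and method names are hypothetical.
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class CrlTrustManagerExample {

    /**
     * Builds a PKIX trust manager that validates peer chains against the trust store
     * and rejects certificates listed in the PEM/DER CRL file (CRL-only, no OCSP fallback).
     * The JDK's PKIX trust manager reports the trust anchors from getAcceptedIssuers().
     */
    static X509TrustManager buildCrlCheckingTrustManager(KeyStore trustStore, String crlPath)
            throws GeneralSecurityException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends CRL> crls;
        try (InputStream in = new FileInputStream(crlPath)) {
            crls = cf.generateCRLs(in);          // accepts "-----BEGIN X509 CRL-----" PEM as well as DER
        }
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        // Make the CRL available to the path validator without any network lookup.
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS,
                                      PKIXRevocationChecker.Option.NO_FALLBACK));
        params.addCertPathChecker(checker);      // explicit checker supplies the CRL-only policy
        params.setRevocationEnabled(true);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("PKIX factory returned no X509TrustManager");
    }

    /**
     * The defect class behind this issue, as a hypothetical wrapper: it delegates the trust
     * checks correctly but its acceptedIssuers field is never populated, so a server using it
     * sends a CertificateRequest with no CA names.
     */
    static final class IssuerlessWrapper implements X509TrustManager {
        private final X509TrustManager delegate;
        private X509Certificate[] acceptedIssuers = new X509Certificate[0]; // never set anywhere

        IssuerlessWrapper(X509TrustManager delegate) { this.delegate = delegate; }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkClientTrusted(chain, authType); }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkServerTrusted(chain, authType); }
        @Override public X509Certificate[] getAcceptedIssuers() { return acceptedIssuers; }
    }

    /** Startup check: refuse to wire a trust manager into an SSLContext if it advertises no CA. */
    static X509TrustManager requireAdvertisedIssuers(X509TrustManager tm) {
        X509Certificate[] issuers = tm.getAcceptedIssuers();
        if (issuers == null || issuers.length == 0) {
            throw new IllegalStateException(tm.getClass().getName()
                    + " reports no accepted issuers; the TLS CertificateRequest would carry no CA names");
        }
        return tm;
    }

    // Usage: java CrlTrustManagerExample <truststore.jks> <password> <my_crl.pem>
    public static void main(String[] args) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            trustStore.load(in, args[1].toCharArray());
        }
        X509TrustManager tm = requireAdvertisedIssuers(buildCrlCheckingTrustManager(trustStore, args[2]));
        for (X509Certificate issuer : tm.getAcceptedIssuers()) {
            System.out.println("will advertise CA: " + issuer.getSubjectX500Principal());
        }
        try {
            requireAdvertisedIssuers(new IssuerlessWrapper(tm));   // the buggy shape is caught here
        } catch (IllegalStateException expected) {
            System.out.println("detected: " + expected.getMessage());
        }
    }
}
```

      Compile and run it against any JKS/PKCS12 trust store and a CRL file (the paths are the arguments, so nothing about the deployment above is hard-coded). PREFER_CRLS together with NO_FALLBACK keeps the check CRL-only, matching a certificate-revocation-list configuration; with those options a missing or expired CRL makes validation fail closed rather than silently pass, which is the behaviour you want unless you deliberately add SOFT_FAIL. The point of requireAdvertisedIssuers is that the empty CA-name list is visible in-process from getAcceptedIssuers(), so a unit or startup test can assert on it instead of relying on the "No client certificate CA names sent" line from openssl s_client.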

            People

              szaldana Sonia Zaldana (Inactive)