  1. JBoss Enterprise Application Platform
  2. JBEAP-11221

Elytron CRL does not reflect maximum-cert-path


    • Type: Bug
    • Resolution: Obsolete
    • Priority: Major
    • None
    • 7.1.0.DR19
    • Security

      Having configured two-way SSL with an Elytron server-ssl-context [1] whose trust-managers has certificate-revocation-list set [2] (and algorithm unset), a client is able to connect to the server even though the client certificate has too long a certificate path.

      Debugging reveals that X509CRLExtendedTrustManager.checkClientTrusted does not throw CertificateException even though the CRL entries from the file are loaded and maximum-cert-path is set.

      The CRL functionality is required by EAP7-203, hence Critical priority is set.

      [1] https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-EnableTwowaySSL%2FTLSinWildFlyforApplications
      [2] https://docs.jboss.org/author/display/WFLY/SSL+Configuration+using+Elytron+Subsystem#SSLConfigurationusingElytronSubsystem-UsingaCertificateRevocationList

        1. standalone.xml (30 kB)
        2. pkix.zip (9 kB)

            Pedro Igor Craveiro (psilva@redhat.com)
            Ondrej Kotek (okotek@redhat.com)
