Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-11221

Elytron CRL do not reflect maximum-cert-path

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Obsolete
    • Icon: Major Major
    • None
    • 7.1.0.DR19
    • Security

      Having set two way SSL Elytron server-ssl-context [1] but with trust-managers with certificate-revocation-list set [2] (and algorithm unset), a client is able to connect to the server even though the client certificate has too long certificate path.

      Debugging reveals that X509CRLExtendedTrustManager.checkClientTrusted do not throw CertificateException even though CRL entries from file are loaded and maximum-cert-path is set.

      The CRL functionality is required by EAP7-203, hence Critical priority is set.

      [1] https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-EnableTwowaySSL%2FTLSinWildFlyforApplications
      [2] https://docs.jboss.org/author/display/WFLY/SSL+Configuration+using+Elytron+Subsystem#SSLConfigurationusingElytronSubsystem-UsingaCertificateRevocationList

        1. standalone.xml
          30 kB
          Ondrej Kotek

              psilva@redhat.com Pedro Igor Craveiro
              okotek@redhat.com Ondrej Kotek
              Ondrej Kotek Ondrej Kotek
              Ondrej Kotek Ondrej Kotek
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: