JBoss Enterprise Application Platform

JBEAP-11221

Elytron CRL does not reflect maximum-cert-path


Details

    • Bug
    • Resolution: Obsolete
    • Major
    • None
    • 7.1.0.DR19
    • Security

    Description

      Having set up two-way SSL with an Elytron server-ssl-context [1], but with trust-managers that have certificate-revocation-list set [2] (and algorithm unset), a client is able to connect to the server even though the client certificate has too long a certificate path.

      Debugging reveals that X509CRLExtendedTrustManager.checkClientTrusted does not throw CertificateException even though CRL entries from the file are loaded and maximum-cert-path is set.

      The CRL functionality is required by EAP7-203, hence Critical priority is set.

      [1] https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-EnableTwowaySSL%2FTLSinWildFlyforApplications
      [2] https://docs.jboss.org/author/display/WFLY/SSL+Configuration+using+Elytron+Subsystem#SSLConfigurationusingElytronSubsystem-UsingaCertificateRevocationList

      Attachments

        1. pkix.zip
          9 kB
        2. standalone.xml
          30 kB

            People

              psilva@redhat.com Pedro Igor Craveiro
              okotek@redhat.com Ondrej Kotek
              Ondrej Kotek Ondrej Kotek
              Ondrej Kotek Ondrej Kotek