Related questions

OCSP/CRL support on JBoss 5 AS

2018-05-10 10:48 korayguney imported from Stackoverflow

Has "JBoss 5 AS" support for OCSP or CRL validations on incoming certificates during TLS?

I saw an attribute on server.xml file of JBoss named "ca-certificate-file" which ensures to get the revocation list from a file or URL. But it gets static values, so how can I use this attribute dynamically?

See also questions close to this topic

  • Apache2 can't use SSL after upgrade (Solved)

    After a global upgrade (apt-get upgrade) Apache2 won't work with SSL anymore.

    Ubuntu 16

    Apache version : 2.4.37

    OpenSSL version : OpenSSL 1.1.1-pre7 (beta) 29 May 2018

    LD_LIBRARY_PATH=/usr/local/lib

    When I try to start the service I get the following error :

    Dec 12 18:43:59 labo apachectl[1677]: apache2: Syntax error on line 146 of /etc/apache2/apache2.conf: Syntax error on line 2 of /etc/apache2/mods-enabled/ssl.load: Cannot load /usr/lib/apache2/modules/mod_ssl.so into server: /usr/lib/apache2/modules/mod_ssl.so: symbol SSL_CTX_set_post_handshake_auth, version OPENSSL_1_1_1 not defined in file libssl.so.1.1 with link time reference

    If I disable ssl from apache2 I can successfully start the service.

    I tried to reinstall apache2 & openssl, it doesn't get any better.

    Google can't help.

    Any idea ?

    Found the problem :

    The OpenSSL version I was using was the wrong one. I compiled OpenSSL1.1.1-pre7 several months ago to fit some security requirements. Apparently the upgrade didn't update OpenSSL to the good version (OpenSSL 1.1.1 11 Sep 2018).

    the following steps made the correction :

    ~# sudo a2dismod ssl
~# sudo apt-get purge openssl
~/openssl-1.1.1-pre7# make uninstall //Uninstall the version I build
~# sudo apt-get install openssl
~# sudo a2enmod ssl
  • Create ssl certificate for java website running on Tomcat server

    I have recently signed up on Cloudflare.com for ssl connection. But I don’t have any idea how to install ssl certificate on my java website running on Tomcat server. So can anyone please show me step by step how to activate ssl on my java website.

  • How can I confirm a handshake was completed with SSL Sockets in Java?

    Here's some pseudocode

    Client:
    boolean sent = false;
    byte[] message = new String("test").getBytes();

    send()
    {
        sent = sslSocket.sendMessage(message);

        if (sent)
            sslSocket.close();
    }

    I'm writing tests that should be fairly quick. Once the Client successfully sends a message, it should close immediately. In my tests, the Client returns sent == true, so the socket closes. However, the Server is throwing a received close_notify during handshake exception. This exception does not happen when I use Thread.sleep(200) right before closing the Client.

    Our sockets are our own abstractions and wrappers for Java's sockets. From this post, I have to assume that the Server has not completed the handshake, but the Client has? Why else would sent return true? I can't confirm that the message actually HAS been received by the Server, however, because the exception is thrown immediately. I only have Client sent boolean to rely on.

    So my question is how can I confirm the handshake was completed?

    Thank you for the help, and sorry for any ambiguity! I can clear any confusions!

  • Certificate Revocation List check Failed in IE - Is there a fix in server side?

    There is a security alert for my website in Internet Explorer- "Revocation Information for the security certificate for the site is not available...". There are no such errors in Chrome or Firefox. On doing a bit of research, I was able to find out that Chrome/Firefox are using OCSP for checking if the certificate is revoked or not. Also, there is a alternative OCSP stapling that I could configure in my web server.

    My Questions are,

    1. Why Internet explorer is failing the Certificate Revocation Status check process while the other browsers are succeeding?
    2. Is there a fix that we could do in the server to fix this problem in server side for Internet explorer without OCSP feature ?
    3. Is this a real vulnerability?

    Thanks, Haleem.

  • Check for TLS certificate revocation in open jdk

    Check for TLS certificate revocation using CRL and OCSP are enabled by default in open jdk?

  • OCSP Verifier to check a given certificate

    I´m trying to implement an OCSP verifier to check if a given Certificate is still valid or already revoked. I have the following code

    public class ValidateCertUseOCSP {

/*
 * Filename that contains the root CA cert of the OCSP server's cert.
 */
private static final String ROOT_CA_CERT = "C:\\Users\\Computer\\Desktop\\DigiCertSHA2SecureServerCA_cert_out.pem";

/*
 * Filename that contains the OCSP server's cert.
 */
private static final String OCSP_SERVER_CERT = "C:\\Users\\Computer\\Desktop\\gearbest_cert_out.pem";



/**
 * Checks the revocation status of a public key certificate using OCSP.
 *
 * Usage:  java ValidateCert <cert-file> [<OCSP-server>]
 *     <cert-file> is the filename of the certificate to be checked.
 *            The certificate must be in PEM format.
 *     <OCSP-server> is the URL of the OCSP server to use.
 *            If not supplied then the certificate must identify an OCSP
 *            server by means of its AuthorityInfoAccess extension.
 *            If supplied then it overrides any URL which may be present
 *            in the certificate's AuthorityInfoAccess extension.
 *
 * Example:  java \
 *             -Dhttp.proxyHost=proxy.example.net \
 *             -Dhttp.proxyPort=8080 \
 *             ValidateCert \
 *             mycert.pem \
 *             http://ocsp.openvalidation.org:80
 * @param args
 */
public static void main(String[] args) {

try {
    CertPath cp = null;
    Vector<X509Certificate> certs = new Vector<X509Certificate>();
    URI ocspServer = null;



    if (args.length == 0 || args.length > 2) {
    System.out.println(
        "Usage: java ValidateCert <cert-file> [<OCSP-server>]");
    System.exit(-1);
    }

        // load the cert to be checked
    certs.add(getCertFromFile(args[0]));


    // handle location of OCSP server
    if (args.length == 2) {
    ocspServer = new URI(args[1]);
        System.out.println("Using the OCSP server at: " + args[1]);
        System.out.println("to check the revocation status of: " +
        certs.elementAt(0));
        System.out.println();
    } else {
        System.out.println("Using the OCSP server specified in the " +
        "cert to check the revocation status of: " +
        certs.elementAt(0));
        System.out.println();
    }

    // init cert path
    CertificateFactory cf = CertificateFactory.getInstance("X509");
    cp = (CertPath)cf.generateCertPath(certs);

    // load the root CA cert for the OCSP server cert
    X509Certificate rootCACert = getCertFromFile(ROOT_CA_CERT);

    // init trusted certs
    TrustAnchor ta = new TrustAnchor(rootCACert, null);
    Set trustedCertsSet = new HashSet();
    trustedCertsSet.add(ta);

    // init cert store
    Set certSet = new HashSet();
    X509Certificate ocspCert = getCertFromFile(OCSP_SERVER_CERT);
    certSet.add(ocspCert);
    CertStoreParameters storeParams =
    new CollectionCertStoreParameters(certSet);
    CertStore store = CertStore.getInstance("Collection", storeParams);

    // init PKIX parameters
        PKIXParameters params = null;
    params = new PKIXParameters(trustedCertsSet);
    params.addCertStore(store);

    // enable OCSP
    Security.setProperty("ocsp.enable", "true");
    if (ocspServer != null) {
    Security.setProperty("ocsp.responderURL", args[1]);
    Security.setProperty("ocsp.responderCertSubjectName",
        ocspCert.getSubjectX500Principal().getName());
    }

    // perform validation
    CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
    PKIXCertPathValidatorResult cpv_result  =
    (PKIXCertPathValidatorResult) cpv.validate(cp, params);
    X509Certificate trustedCert = (X509Certificate)
    cpv_result.getTrustAnchor().getTrustedCert();

    if (trustedCert == null) {
    System.out.println("Trsuted Cert = NULL");
    } else {
    System.out.println("Trusted CA DN = " +
        trustedCert.getSubjectDN());
    }

} catch (CertPathValidatorException e) {
    e.printStackTrace();
    System.exit(1);

} catch(Exception e) {
    e.printStackTrace();
    System.exit(-1);
}
System.out.println("CERTIFICATE VALIDATION SUCCEEDED");
System.exit(0);
}

/*
 * Read a certificate from the specified filepath.
 */
private static X509Certificate getCertFromFile(String path) {
    X509Certificate cert = null;
    try {

        File certFile = new File(path);
        if (!certFile.canRead())
            throw new IOException(" File " + certFile.toString() +
        " is unreadable");

        FileInputStream fis = new FileInputStream(path);
        CertificateFactory cf = CertificateFactory.getInstance("X509");
        cert = (X509Certificate)cf.generateCertificate(fis);

    } catch(Exception e) {
    System.out.println("Can't construct X509 Certificate. " +
    e.getMessage());
}
    return cert;
}

    }

    and when I run it it gives me the first error message:

    run:

    Usage: java ValidateCert <cert-file> [<OCSP-server>]
C:\Users\Computer\AppData\Local\NetBeans\Cache\8.2\executor-snippets\run.xml:53:
Java returned: -1 
BUILD FAILED (total time: 1 second)