Related questions

OCSP/CRL support on JBoss 5 AS

2018-05-10 10:48 korayguney imported from Stackoverflow

Has "JBoss 5 AS" support for OCSP or CRL validations on incoming certificates during TLS?

I saw an attribute on server.xml file of JBoss named "ca-certificate-file" which ensures to get the revocation list from a file or URL. But it gets static values, so how can I use this attribute dynamically?

See also questions close to this topic

  • How can UIWebView visit js/css resources for a html through a self-signed SSL certificate

    I'm using CocoaHTTPServer starting a local server for providing off-line js/css/image resources for web pages. I use a self-signed SSL certificate to make my local server supporting HTTPS.

    In WKWebview, the web view load online html page and fetch my off-line resources through href such as "https:localhost:60000/path/file" perfectly.

    But in UIWebView, the web view cannot load the page. The console panel prints lots of NSURLConnection error & SSL error such as:

    "TIC SSL Trust Error [21:0x600003c2aa00]: 3:0",
    "NSURLConnection finished with error - code -1202"

    I have read this question and followed the answer to make UIWebView load page successfully. But the console panel still prints lots of error, and using that answer, each page may be load three times and I found that some API I want be called from H5 can be only called on the first load.

    - (BOOL)webView:(UIWebView *)webView shouldStartLoadWithRequest:(NSURLRequest *)request navigationType:(UIWebViewNavigationType)navigationType {
    JSContext *context = [self.webView valueForKeyPath:@"documentView.webView.mainFrame.javaScriptContext"];
    YJJavaScriptBridgeObject *object = [[YJJavaScriptBridgeObject alloc] init];
    object.delegate = self;
    // H5 use this obj to call native methods to get off-line resource status. 
    context[@"obj"] = object;
    self.context = context;
    NSLog(@"%@", context);

    if (!self.authenticated) {
        self.urlConnection = [NSURLConnection connectionWithRequest:request delegate:self];
        [self.urlConnection start];
        self.request = request;
    }

    return YES;
}

    - (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
    return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (BOOL)connectionShouldUseCredentialStorage:(NSURLConnection *)connection {
    return YES;
}

- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    if ([challenge previousFailureCount] == 0) {
        self.authenticated = YES;
        NSURLCredential *credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];
        [challenge.sender useCredential:credential forAuthenticationChallenge:challenge];
    } else {
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
    [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
}

- (void)connection:(NSURLConnection *)connection didReceiveResponse:(NSURLResponse *)response {
    self.authenticated = YES;
    [self.webView loadRequest:self.request];
    [self.urlConnection cancel];
    self.urlConnection = nil;
    self.request = nil;
}

- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    if (challenge.previousFailureCount == 0) {
        NSURLCredential*credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];
        [challenge.sender useCredential:credential forAuthenticationChallenge:challenge];
    } else {
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

    So I hope there is a way to make UIWebView visit self-signed SSL resource just like WKWebView did. Do any one faced the same problem and has a way to solve this? Or do I have a better way to make my local server support HTTPS?

  • Enabling TLS in Elasticsearch

    I'm having problems enabling TLS in Elasticsearch 7.1.1 running on Windows 7.

    I have a single node with certificates created as

    elasticsearch-certutil ca
elasticsearch-certutil cert --ca elastic-stack-ca.p12

    The elasticsearch.yml file has the following settings

    node.name: node1
discovery.type:  single-node
xpack.security.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.keystore.path: 'C:\elasticsearch-7.1.1\config\certs\elastic-certificates.p12'
xpack.security.transport.ssl.truststore.path: 'C:\elasticsearch-7.1.1\config\certs\elastic-certificates.p12'

    This works fine but when I add the below

    xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: 'C:\elasticsearch-7.1.1\config\certs\elastic-certificates.p12'
xpack.security.http.ssl.truststore.path: 'C:\elasticsearch-7.1.1\config\certs\elastic-certificates.p12'

    and start up elasticsearch I see the following error

    [2019-06-25T07:34:19,659][WARN ][o.e.h.AbstractHttpServerTransport] [node1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=0.0.0.0/0.0.0.0:9200, remoteAddress=/127.0.0.1:6757} io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:

    This is repeated every 10-15 seconds.

    https is enabled though and I can access the node using https://localhost:9200

    I don't know why I receive the above error though as nothing else is running and accessing elasticsearch.

    Any help would be much appreciated.

    Thanks heaps

  • Error deploying to AWS EB: SSL CERTIFICATE_VERIFY_FAILED

    I am unable to deploy any Django app to AWS EB

    I am following this tutorial (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create-deploy-python-django.html), installed certifi package

    import certifi
certifi.where()

    '/Users/mitchellmurphy/Library/Python/3.7/lib/python/site-packages/certifi/cacert.pem'

    eb deploy throws the following error: ERROR: URLError [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)>

    eb open should pull up a blank Django starter app, instead I get a "Internal Server Error"

    Also adding the --no-verify-ssl flag to all my eb commands...

  • Configure tomcat to use Java 9 native OCSP stapling and OCSP check

    How can I configure Apache Tomcat to use OCSP stapling and certificate revocation check using OCSP implementation available in Java 9?

    Is running tomcat 9 on Java 9 with following property is enough?

    // Enable OCSP Stapling (off by default)
System.setProperty(“jdk.tls.server.enableStatusRequestExtension”, “true”);

    I have tried above but doesn't seem to be working

  • Does X590Certificate.Build use OCSP if ChainPolicy RevocationMode Online is used?

    If you have code like the following: is OCSP used for the 'online' revocation check?

    X509Chain ch = new X509Chain();
ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;
ch.Build (certificate);

    The API documentation is not explicit about this, saying:

    "A revocation check is made using an online certificate revocation list (CRL)."

    but not giving any details of how the check is made

    The X509Chain.Buld methods checks if the property szOID_AUTHORITY_INFO_ACCESS has a value - I know this is where OCSP URLs are stored so again this would suggest that OCSP is being used

    Build then calls BuildChain and there is a call is made to CertGeCertificateChain, passing a revocation flags unsigned int.

    The documentation for GetCertificateChain gives the possible flags that can be passed in, including CERT_CHAIN_REVOCATION_CHECK_OCSP_CERT:

    "This flag is used internally during chain building for an online certificate status protocol (OCSP) signer certificate to prevent cyclic revocation checks. During chain building, if the OCSP response is signed by an independent OCSP signer, then, in addition to the original chain build, there is a second chain built for the OCSP signer certificate itself. This flag is used during this second chain build to inhibit a recursive independent OCSP signer certificate. If the signer certificate contains the szOID_PKIX_OCSP_NOCHECK extension, revocation checking is skipped for the leaf signer certificate. Both OCSP and CRL checking are allowed."

    Since a flag exists to 'inhibit' OCSP checking, I am thinking that it does happen - but again it would be nice to get an explicit confirmation of this

  • How to create ocsp request using openssl in c++?

    I am trying to send a ocsp request to an ocsp server using C++, but I can't find anything to prepare the request. In the documentation I found the following functions 

    long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp);
long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len);

    How can I add the certificate and set the nonce for the request?