OCSP/CRL support on JBoss 5 AS
Does "JBoss 5 AS" support OCSP or CRL validation of incoming certificates during TLS?
I saw an attribute in the server.xml file of JBoss named "ca-certificate-file" which gets the revocation list from a file or URL. But it takes static values, so how can I use this attribute dynamically?
See also questions close to this topic
-
curl command works but C program fails NSS: client certificate not found (nickname not specified)
There are a number of similar posts but I am trying to understand a little more than what those offer. My curl command line works fine and I am able to talk to the server and get the data I want. The command looks like
curl -v --tlsv1.2 --cert ./service_cert.pem --key ./service_private.key "https://myserver"
But when I try to run my C program and examine the http client object I see this
errorBuffer = "NSS: client certificate not found (nickname not specified)
Reading further I realized I have libcurl built with NSS, which doesn't support reading a cert from a flat file (.pem).
How is the command line curl utility then able to read the pem file?
-
How to set up email https tracking links with php and apache?
I have a SaaS that sends out emails in the name of my customers and I am trying to set up https for the email tracking links (I'm using PHP and Apache), but I have yet to come up with a practical solution. I know how to generate tracking links and do the redirects to the original URLs after logging the link clicks, I just don't know how to implement https on those tracking links.
One possible solution could be to do what a lot of email service providers do for tracking links: I would ask every customer to create a CNAME record pointing from their domain to my domain (tracking.mycustomersdomain.com -> tracking.mysaasdomain.com). I could then use a PHP library to dynamically generate a Let's Encrypt certificate for their subdomain (tracking.mycustomersdomain.com) and would also be able to verify the subdomain for the certificate because the certificate would reside on my own server. The problem is, I'd still need to enable the certificate in the Apache vhosts file and restart the Apache service, so my server could start encrypting the tracking links with the appropriate certificate (but from what I've been able to research so far, this can't be done either directly from PHP or from .htaccess files, plus, frequent restarts would likely disrupt the operations on a live site).
So this brings me right to my two-part question...
Can I programmatically enable a just-generated certificate for a given customer domain without (manually) restarting Apache?
Is there a better / best practice alternative to what I've described above to secure the tracking links in the emails I send out?
-
How to fix 'unsecured response' from PHP SOAP server over SSL
A WCF client initiates a secure connection to a SOAP server through WSDL. The log shows that WS-Security authorisation was fine, and the SOAP server responded correctly, but the client drops the connection because the response was unsecured. Since I don't have access to the client environment I need help to fix that issue on the server side. What additional headers should I add to the response?
The server has a certificate, the client has a key.
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"/>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
Request header:
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2019-02-14T18:30:07.568Z</u:Created>
        <u:Expires>2019-02-14T18:35:07.568Z</u:Expires>
      </u:Timestamp>
      <o:UsernameToken u:Id="xxx" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <o:Username>user</o:Username>
        <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">xxx</o:Password>
        <o:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">xxx</o:Nonce>
        <u:Created>2019-02-14T18:30:07.568Z</u:Created>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <isSystemListening xmlns="urn:xxx"/>
  </s:Body>
</s:Envelope>
Response header:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#PasswordDigest" xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#Base64Binary" xmlns:ns5="urn:xxx">
  <SOAP-ENV:Header>
    <ns1:Security SOAP-ENV:mustUnderstand="1" SOAP-ENV:actor="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <ns1:Timestamp>
        <Created>2019-02-14T18:30:07Z</Created>
        <Expires>2019-02-14T18:35:07Z</Expires>
      </ns1:Timestamp>
      <ns2:UsernameToken>
        <ns2:Username xsi:type="ns1:string">user</ns2:Username>
        <ns1:Password xsi:type="ns3:string">xxx</ns1:Password>
        <ns1:Nonce xsi:type="ns4:string">xxx</ns1:Nonce>
        <ns2:Created xsi:type="ns1:string">2019-02-14T18:30:07.568Z</ns2:Created>
      </ns2:UsernameToken>
    </ns1:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <ns5:isSystemListeningResponse>
      <isUp>true</isUp>
    </ns5:isSystemListeningResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Whatever the case, the client gets this error:
Communications error occurred: Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties. This can occur if the service is configured for security and the client is not using security.
-
Is it OK to return certificate status without OCSP (Online Certificate Status Protocol)?
I created a certificate authority server using Node.js and a cryptographic library supporting RSA signing, verification and X.509 generation. When I added the certificate revocation feature with Online Certificate Status Protocol (OCSP), I wondered why I have to send a request and receive a response with OCSP, because all I want to know is not an OCSP Request/Response object but just the certificate status (good or revoked). Does it make sense to request not an OCSP response object (.PEM or something else) but the certificate status value, like an HTTP status code (200: OK, 400: NOT FOUND)?
-
Java SSL OCSP checks fail to validate the entire chain of trust with Certificate does not specify OCSP responder
I have a Java application that recently moved to SSL and it has a problem when performing checks on all certificates in the chain of trust, but works fine when I set it to check the server certification only.
Checks are performed using OCSP only (cannot do CRL here).
So, if I set in the Java Control Panel 'Perform TLS certification checks on' - 'All certificates in the chain of trust', the Java application says that the certificate is untrusted with the following error message:
com.sun.deploy.security.RevocationChecker$StatusUnknownException: Certificate does not specify OCSP responder
At the same time, if I change to 'Perform TLS certification checks on' - 'Server certificate only' everything works fine, hence the certificate is valid.
My certificate has this chain: rootCA - intermediateCA - server
I checked the Authority Information Access value for all 3 certificates and it looks like the root one doesn't have one set and implicitly it doesn't have an OCSP URL where to check the validity; however I checked other certificates and it looks like most root CAs don't have it.
Any idea what can be the problem or how I can continue to debug it?
Thanks!
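As an added illustration (not the asker's code), the following Java program validates the same rootCA - intermediateCA - server chain with PKIX OCSP revocation checking, assuming the three certificates are in the PEM files named below. It shows that the root, being the trust anchor, is not part of the validated path, so its missing AIA does not by itself cause a revocation failure; only the server and intermediate certificates need an OCSP responder.

```java
import java.io.FileInputStream;
import java.security.cert.*;
import java.util.*;

public class ChainRevocationCheck {
    // Assumed file names; replace with the real PEM certificates.
    static X509Certificate load(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate root = load("rootCA.pem");
        X509Certificate inter = load("intermediateCA.pem");
        X509Certificate server = load("server.pem");

        // The path to validate runs from the end entity up to, but not including,
        // the trust anchor: RFC 5280 never revocation-checks the anchor itself,
        // so the root's lack of an AIA/OCSP URL is not a problem at this layer.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Arrays.asList(server, inter));

        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(root, null)));
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // OCSP is preferred by default; NO_FALLBACK disables the CRL fallback,
        // matching the "OCSP only, cannot do CRL" constraint of the question.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        params.addCertPathChecker(rc);
        params.setRevocationEnabled(true);

        try {
            cpv.validate(path, params);
            System.out.println("chain valid; server and intermediate checked via OCSP");
        } catch (CertPathValidatorException e) {
            // UNDETERMINED_REVOCATION_STATUS here means a responder could not be
            // found or reached for one of the non-anchor certificates.
            System.out.println("validation failed: " + e.getReason() + " - " + e.getMessage());
        }
        // Only populated when Option.SOFT_FAIL is set; listed for completeness.
        for (CertPathValidatorException soft : rc.getSoftFailExceptions()) {
            System.out.println("soft failure: " + soft.getMessage());
        }
    }
}
```

If the intermediate certificate also lacks an AIA entry, this program fails with the same undetermined-status reason the Java Control Panel reports, which is the first thing to check on the intermediate's AIA extension.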
-
Certificate Revocation check failing in Windows Server 2016
Command
certutil.exe -verify
fails with the error 'Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)' on Windows Server 2016. The error is not seen on 2012 / 2008.
Any help would be appreciated.