feat: Add notice when revocation is enabled but client-driven OCSP is…

… not

If Openfire is configured to do revocation checking, but Java is configured to not support client-driven OCSP checking, we now inform the user.

i18n/src/main/resources/openfire_i18n.properties

@@ -1635,6 +1635,7 @@ connection.advanced.settings.clientauth.label_disabled=<b>Disabled</b> - Peer ce
 connection.advanced.settings.clientauth.label_wanted=<b>Wanted</b> - Peer certificates are verified, but only when they are presented by the peer.
 connection.advanced.settings.clientauth.label_needed=<b>Needed</b> - A connection cannot be established if the peer does not present a valid certificate.
 connection.advanced.settings.clientauth.label_strict_cert_validation=If attempting to validate a certificate fails, the connection is closed and not attempted via dialback authentication.
+connection.advanced.settings.certchain.ocsp.warning=Your server is configured with the Java security property <code>ocsp.enable=false</code> which disables client-driven OCSP certificate revocation checking. While OCSP stapling validation and CRL checking remain active, Openfire will not perform direct OCSP requests to verify certificate status.
 connection.advanced.settings.certchain.boxtitle=Certificate chain checking
 connection.advanced.settings.certchain.info=These options configure some aspects of the verification/validation of the certificates that are presented by peers while setting up encrypted connections.
 connection.advanced.settings.certchain.label_selfsigned=Allow peer certificates to be self-signed.

xmppserver/src/main/java/org/jivesoftware/openfire/spi/ConnectionConfiguration.java

@@ -20,6 +20,7 @@
 import org.jivesoftware.openfire.keystore.*;
 
 import java.net.InetAddress;
+import java.security.Security;
 import java.util.*;
 
 /**
@@ -50,6 +51,7 @@ public class ConnectionConfiguration
     private final Connection.CompressionPolicy compressionPolicy;
 
     // derived
+    private final boolean isOcspEnabled;
     private final IdentityStore identityStore;
     private final TrustStore trustStore;
 
@@ -100,6 +102,7 @@ public ConnectionConfiguration( ConnectionType type, boolean enabled, int maxThr
         this.compressionPolicy = compressionPolicy;
         this.strictCertificateValidation = strictCertificateValidation;
 
+        this.isOcspEnabled = Boolean.parseBoolean(Security.getProperty("ocsp.enable"));
         final CertificateStoreManager certificateStoreManager = XMPPServer.getInstance().getCertificateStoreManager();
         this.identityStore = certificateStoreManager.getIdentityStore( type );
         this.trustStore = certificateStoreManager.getTrustStore( type );
@@ -229,6 +232,19 @@ public TrustStore getTrustStore()
         return trustStore;
     }
 
+    /**
+     * Indicates if client-driven Online Certificate Status Protocol (OCSP) is enabled.
+     *
+     * This is a prerequisite to enable client-driven OCSP, it has no effect unless revocation
+     * checking is also enabled.
+     *
+     * @return true if client-driven OCSP is enabled, otherwise false.
+     */
+    public boolean isOcspEnabled()
+    {
+        return isOcspEnabled;
+    }
+
     public boolean isEnabled()
     {
         return enabled;

xmppserver/src/main/webapp/connection-settings-advanced.jsp

@@ -310,6 +310,12 @@
     </admin:infoBox>
 </c:if>
 
+<c:if test="${configuration.verifyCertificateRevocation && !configuration.ocspEnabled}">
+    <admin:infobox type="info">
+        <fmt:message key="connection.advanced.settings.certchain.ocsp.warning" />
+    </admin:infobox>
+</c:if>
+
 <!-- Introduction at the top of the page -->
 <p>
     <fmt:message key="connection.advanced.settings.info">