From a2e3af55e3e500c413ae763fdbe3a860a9129dee Mon Sep 17 00:00:00 2001
From: Matthew Vivian
Date: Fri, 22 Nov 2024 11:18:01 +0000
Subject: [PATCH] feat: Add notice when revocation is enabled but client-driven OCSP is not
If Openfire is configured to do revocation checking, but Java is configured to not support client-driven OCSP checking, we now inform the user.
---
i18n/src/main/resources/openfire_i18n.properties | 1 +
.../openfire/spi/ConnectionConfiguration.java | 16 ++++++++++++++++
.../main/webapp/connection-settings-advanced.jsp | 6 ++++++
3 files changed, 23 insertions(+)
diff --git a/i18n/src/main/resources/openfire_i18n.properties b/i18n/src/main/resources/openfire_i18n.properties
index 19834d609c..8ba35a229c 100644
--- a/i18n/src/main/resources/openfire_i18n.properties
+++ b/i18n/src/main/resources/openfire_i18n.properties
@@ -1635,6 +1635,7 @@ connection.advanced.settings.clientauth.label_disabled=Disabled - Peer ce
 connection.advanced.settings.clientauth.label_wanted=Wanted - Peer certificates are verified, but only when they are presented by the peer.
 connection.advanced.settings.clientauth.label_needed=Needed - A connection cannot be established if the peer does not present a valid certificate.
 connection.advanced.settings.clientauth.label_strict_cert_validation=If attempting to validate a certificate fails, the connection is closed and not attempted via dialback authentication.
+connection.advanced.settings.certchain.ocsp.warning=Your server is configured with the Java security property ocsp.enable=false which disables client-driven OCSP certificate revocation checking. While OCSP stapling validation and CRL checking remain active, Openfire will not perform direct OCSP requests to verify certificate status.
 connection.advanced.settings.certchain.boxtitle=Certificate chain checking
 connection.advanced.settings.certchain.info=These options configure some aspects of the verification/validation of the certificates that are presented by peers while setting up encrypted connections.
 connection.advanced.settings.certchain.label_selfsigned=Allow peer certificates to be self-signed.
diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/spi/ConnectionConfiguration.java b/xmppserver/src/main/java/org/jivesoftware/openfire/spi/ConnectionConfiguration.java
index 9984b1a69a..24bcf49272 100644
--- a/xmppserver/src/main/java/org/jivesoftware/openfire/spi/ConnectionConfiguration.java
+++ b/xmppserver/src/main/java/org/jivesoftware/openfire/spi/ConnectionConfiguration.java
@@ -20,6 +20,7 @@ import org.jivesoftware.openfire.keystore.*;
 import java.net.InetAddress;
+import java.security.Security;
 import java.util.*;
 /**
@@ -50,6 +51,7 @@ public class ConnectionConfiguration
 private final Connection.CompressionPolicy compressionPolicy;
 // derived
+ private final boolean isOcspEnabled;
 private final IdentityStore identityStore;
 private final TrustStore trustStore;
@@ -100,6 +102,7 @@ public ConnectionConfiguration( ConnectionType type, boolean enabled, int maxThr
 this.compressionPolicy = compressionPolicy;
 this.strictCertificateValidation = strictCertificateValidation;
+ this.isOcspEnabled = Boolean.parseBoolean(Security.getProperty("ocsp.enable"));
 final CertificateStoreManager certificateStoreManager = XMPPServer.getInstance().getCertificateStoreManager();
 this.identityStore = certificateStoreManager.getIdentityStore( type );
 this.trustStore = certificateStoreManager.getTrustStore( type );
@@ -229,6 +232,19 @@ public TrustStore getTrustStore()
 return trustStore;
 }
+ /**
+ * Indicates if client-driven Online Certificate Status Protocol (OCSP) is enabled.
+ *
+ * This is a prerequisite to enable client-driven OCSP, it has no effect unless revocation
+ * checking is also enabled.
+ *
+ * @return true if client-driven OCSP is enabled, otherwise false.
+ */
+ public boolean isOcspEnabled()
+ {
+ return isOcspEnabled;
+ }
+
 public boolean isEnabled()
 {
 return enabled;
diff --git a/xmppserver/src/main/webapp/connection-settings-advanced.jsp b/xmppserver/src/main/webapp/connection-settings-advanced.jsp
index 3b396ea5b3..1641d49d1e 100644
--- a/xmppserver/src/main/webapp/connection-settings-advanced.jsp
+++ b/xmppserver/src/main/webapp/connection-settings-advanced.jsp
@@ -310,6 +310,12 @@
+
+
+
+
+
+
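Review bot: The new field `isOcspEnabled` carries the accessor prefix while the class's other boolean state does not (`enabled` is read through `isEnabled()`, and `strictCertificateValidation` is likewise unprefixed), and it ends up sharing its exact name with the getter added in the `@@ -229` hunk, so `isOcspEnabled` denotes a field inside the constructor and a method everywhere else. Declaring it as `private final boolean ocspEnabled;`, assigning `this.ocspEnabled = ...` in the constructor hunk and returning `ocspEnabled` from the getter keeps the naming consistent with the rest of the class. It also sits under the `// derived` comment, which is accurate in spirit, but unlike its neighbours it is derived from JVM-wide security configuration rather than from the connection type, so a one-line note such as `// JVM-wide: read from the java.security property ocsp.enable, not per connection type` would tell the reader why this one is not per-connection. The enclosing class body continues outside the hunk.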
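Review bot: `Boolean.parseBoolean(Security.getProperty("ocsp.enable"))` yields false both when the property is explicitly `false` and when it is simply absent, which I believe is the stock java.security configuration (the entry ships commented out), so the flag really means "not explicitly enabled"; the warning text added in the properties hunk, which tells the administrator the server is "configured with ... ocsp.enable=false", is therefore misleading in the common unset case and should say something closer to "does not have ocsp.enable set to true". A comment on the assignment would make the null case explicit: `// An absent property (the JDK default) parses as false: client-driven OCSP is off unless explicitly enabled.` The value is also snapshotted once per ConnectionConfiguration instance while `Security.setProperty` can change it at any time, so if anything in Openfire sets `ocsp.enable` after startup the cached flag goes stale; reading the property inside the getter is cheap and always current. As far as I recall, the JDK consults `ocsp.enable` only when revocation is turned on through `PKIXParameters.setRevocationEnabled(true)` without an explicit `PKIXRevocationChecker`, and OCSP is on regardless of this property when such a checker is installed, so it is worth confirming which path the trust store takes before keying an admin-facing warning on it. The enclosing constructor starts and ends outside the hunk.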
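Review bot: The second Javadoc paragraph of `isOcspEnabled()` describes the security property rather than the method and is a comma splice (`This is a prerequisite to enable client-driven OCSP, it has no effect unless revocation checking is also enabled`), so a reader cannot tell what "this" refers to. Suggest `Indicates whether the JVM has client-driven OCSP enabled via the {@code ocsp.enable} security property; that property only takes effect when certificate revocation checking is enabled as well.` and, since this getter is what the JSP keys its warning on, stating in the `@return` that false also covers the property being unset, e.g. `@return true only if the ocsp.enable security property is set to true; false if it is unset or false.` The getter hunk's code is fine as written.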