-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OF-2134: Add option to enable certificate revocation checks #2610
Merged
guusdk
merged 6 commits into
igniterealtime:main
from
surevine:OF-2134_cert-revocation-support
Nov 25, 2024
Merged
OF-2134: Add option to enable certificate revocation checks #2610
guusdk
merged 6 commits into
igniterealtime:main
from
surevine:OF-2134_cert-revocation-support
Nov 25, 2024
+322
−26
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
viv
changed the title
feat: Add option to enable certificate revocation checks
OF-2134: Add option to enable certificate revocation checks
Nov 19, 2024
I am planning to add the documentation changes to this PR but won't get a chance to do that until tomorrow. |
guusdk
reviewed
Nov 19, 2024
When enabled, certificates will be verified against Certificate Revocation Lists (CRL) and through Online Certificate Status Protocol (OCSP) to ensure they have not been revoked.
- Permit client-driven OCSP (has no effect unless revocation checking is also enabled) by adding property to java.security settings. - Enable OCSP stapling by specifying jdk.tls.server.enableStatusRequestExtension=true Java system property. With this default configuration: - as a client: Openfire will behave in the same way as it did prior to this commit. - as a server: Openfire will staple OCSP responses when presenting its certificate if the certificate is configured with an OCSP responder and Openfire receives a response from the listed responder, otherwise the certificate will be presented with no OCSP response (the default behaviour prior to this commit). For further configuration options see: https://docs.oracle.com/en/java/javase/17/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-527BAE97-3B78-4390-A479-623BD998C4EE
viv
force-pushed
the
OF-2134_cert-revocation-support
branch
from
November 20, 2024 14:10
c073eec
to
42de835
Compare
We've discussed this in a video call, but I'd like to capture two points that may need additional attention:
|
Prior to this change, if the TLS handshake failed (e.g. if certificate validation did not succeed), an error stanza would be returned to the TLS client with the misleading message "An error occurred in XMPP Decoder".
… not If Openfire is configured to do revocation checking, but Java is configured to not support client-driven OCSP checking, we now inform the user.
guusdk
reviewed
Nov 25, 2024
xmppserver/src/main/java/org/jivesoftware/openfire/nio/NettyXMPPDecoder.java
Show resolved
Hide resolved
guusdk
approved these changes
Nov 25, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When enabled, certificates will be verified against Certificate Revocation Lists (CRL) and through Online Certificate Status Protocol (OCSP) to ensure they have not been revoked.
Additional settings are required to support OCSP, I plan to add these shortly.