users@glassfish.java.net

Re: Certificate Revocation List (CRL) use in GlassFish v3

From: <glassfish_at_javadesktop.org>
Date: Thu, 14 Oct 2010 07:15:04 PDT

Kumar,

I was able to get everything working using your example http://weblogs.java.net/blog/2007/11/19/ssl-and-crl-checking-glassfish-v2#6

Now I'm replacing the keystore.jks & cacerts.jks (both include only 1 cert), and the crl.pem files. Please note these are files that work with the Apache HTTP server.

> When I present a revoked cert, the CrlRevocationChecker.verifyRevocationStatus CRL entry DOES find the revoked cert, but the process still shows "-checker6 validation succeeded" and the requested page/data is returned.

Here is the output from my server.log file ...

SEVERE: certpath: -Using checker6 ... [sun.security.provider.certpath.CrlRevocationChecker]
SEVERE: certpath: CrlRevocationChecker.verifyRevocationStatus() ---checking revocation status...
SEVERE: certpath: CrlRevocationChecker.verifyRevocationStatus() crls.size() = 1
SEVERE: certpath: CRLRevocationChecker.verifyPossibleCRLs: Checking CRLDPs for CN=User7 John John.User7, OU=TEST, O=xxxxxx, C=xx
SEVERE: certpath: CrlRevocationChecker.verifyRevocationStatus() approved crls.size() = 1
SEVERE: certpath: starting the final sweep...
SEVERE: certpath: CrlRevocationChecker.verifyRevocationStatus cert SN: 4098350723398757786823434502144507443043719918241735943196832223568800273443972745730
SEVERE: certpath: CrlRevocationChecker.verifyRevocationStatus CRL entry: SerialNumber: [ 021c11ff a5298740 2ff8fdd5 c09f5d2a 46621183 4ea8a316 031e0419 6f480202
    026c8a02] On: Thu May 20 08:46:12 EDT 2010
    CRL Entry Extensions: 1
    [1]: ObjectId: 2.5.29.21 Criticality=false
    Reason Code: Remove from CRL

SEVERE: certpath: -checker6 validation succeeded
SEVERE: certpath: checking for unresolvedCritExts
SEVERE: certpath:
cert1 validation succeeded.

SEVERE: certpath: Cert path validation succeeded. (PKIX validation algorithm)
SEVERE: certpath: --------------------------------------------------------------


What am I missing? Why does validation succeed? I have 8 certs for testing (5 good, 2 revoked, 1 expired). Same thing happens on the 2 revoked certs.

Thanks for your time and help.
Cheers, Eric.
[Message sent by forum member 'eliscinsky']

http://forums.java.net/jive/thread.jspa?messageID=485204
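The CRL entry in the log above carries reason code extension 2.5.29.21 with the value "Remove from CRL", which is RFC 5280's removeFromCRL (reason 8): it does not mark a certificate as revoked but tells a relying party that an earlier revocation (typically a certificateHold) no longer applies, and it is only defined for delta CRLs. The following audit program is an added example, not code from the thread or from GlassFish; it loads a PEM CRL with the JDK's own CertificateFactory and reports every entry's reason so that entries a PKIX validator will not treat as revocations stand out. It assumes the file name crl.pem (or a path given as the first argument) and Java 7 or later for X509CRLEntry.getRevocationReason().

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CRLReason;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.util.Set;

public class CrlReasonAudit {
    public static void main(String[] args) throws Exception {
        // Assumed file name; the thread's crl.pem is PEM ("-----BEGIN X509 CRL-----"),
        // which the X.509 CertificateFactory accepts alongside DER.
        String path = args.length > 0 ? args[0] : "crl.pem";
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509CRL crl;
        try (InputStream in = new FileInputStream(path)) {
            crl = (X509CRL) cf.generateCRL(in);
        }
        System.out.println("Issuer:     " + crl.getIssuerX500Principal());
        System.out.println("thisUpdate: " + crl.getThisUpdate()
                + "  nextUpdate: " + crl.getNextUpdate());

        // Delta CRL Indicator extension (OID 2.5.29.27). RFC 5280 defines
        // removeFromCRL only for delta CRLs; in a full CRL it is a CA-side error.
        boolean isDelta = crl.getExtensionValue("2.5.29.27") != null;
        System.out.println("Delta CRL:  " + isDelta);

        Set<? extends X509CRLEntry> entries = crl.getRevokedCertificates();
        if (entries == null) {
            System.out.println("CRL contains no entries");
            return;
        }
        for (X509CRLEntry e : entries) {
            // getRevocationReason() returns null when the entry has no reasonCode
            // extension, which a validator treats as "unspecified" (still revoked).
            CRLReason reason = e.getRevocationReason();
            String serialHex = e.getSerialNumber().toString(16);
            String note = "";
            if (reason == CRLReason.REMOVE_FROM_CRL) {
                note = "  <-- removeFromCRL: this entry un-revokes the certificate"
                        + (isDelta ? "" : " (invalid outside a delta CRL; reissue the CRL)");
            }
            System.out.printf("serial=%s date=%s reason=%s%s%n",
                    serialHex, e.getRevocationDate(), reason, note);
        }
    }
}
```

Compare the hex serial printed here with the "CRL entry: SerialNumber" bytes in server.log; a certificate that should be rejected needs an entry whose reason is anything other than REMOVE_FROM_CRL (or no reason at all), and the CRL that contains it must be a full CRL unless the validator is also given the base CRL.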