users@glassfish.java.net

Re: Certificate Revocation List (CRL) use in GlassFish v3

From: Kumar.Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Thu, 14 Oct 2010 20:45:33 +0530

  On 14/10/10 7:45 PM, glassfish_at_javadesktop.org wrote:
> Kumar,
>
> I was able to get everything working using your example http://weblogs.java.net/blog/2007/11/19/ssl-and-crl-checking-glassfish-v2#6
>
> Now I'm replacing the keystore.jks & cacerts.jks (both include only 1 cert), and the crl.pem files. Please note these are files that work with the Apache HTTP server.
>
Just to be clear: with my example revocation works as expected, but
when you place your keystores and crl file it fails (i.e. CRL checking
fails to detect a revoked cert).

regards,
kumar
> When I present a revoked cert, the CrlRevocationChecker.verifyRevocationStatus CRL entry DOES find the revoked cert, but the process still shows "-checker6 validation succeeded" and the requested page/data is returned.
> Here is the output from my server.log file ...
>
> SEVERE: certpath: -Using checker6 ... [sun.security.provider.certpath.CrlRevocationChecker]
> SEVERE: certpath: CrlRevocationChecker.verifyRevocationStatus() ---checking revocation status...
> SEVERE: certpath: CrlRevocationChecker.verifyRevocationStatus() crls.size() = 1
> SEVERE: certpath: CRLRevocationChecker.verifyPossibleCRLs: Checking CRLDPs for CN=User7 John John.User7, OU=TEST, O=xxxxxx, C=xx
> SEVERE: certpath: CrlRevocationChecker.verifyRevocationStatus() approved crls.size() = 1
> SEVERE: certpath: starting the final sweep...
> SEVERE: certpath: CrlRevocationChecker.verifyRevocationStatus cert SN: 4098350723398757786823434502144507443043719918241735943196832223568800273443972745730
> SEVERE: certpath: CrlRevocationChecker.verifyRevocationStatus CRL entry: SerialNumber: [ 021c11ff a5298740 2ff8fdd5 c09f5d2a 46621183 4ea8a316 031e0419 6f480202
> 026c8a02] On: Thu May 20 08:46:12 EDT 2010
> CRL Entry Extensions: 1
> [1]: ObjectId: 2.5.29.21 Criticality=false
> Reason Code: Remove from CRL
>
> SEVERE: certpath: -checker6 validation succeeded
> SEVERE: certpath: checking for unresolvedCritExts
> SEVERE: certpath:
> cert1 validation succeeded.
>
> SEVERE: certpath: Cert path validation succeeded. (PKIX validation algorithm)
> SEVERE: certpath: --------------------------------------------------------------
>
>
> What am I missing? Why does validation succeed? I have 8 certs for testing (5 good, 2 revoked, 1 expired). The same thing happens on the 2 revoked certs.
>
> Thanks for your time and help.
> Cheers, Eric.
> [Message sent by forum member 'eliscinsky']
>
> http://forums.java.net/jive/thread.jspa?messageID=485204
>
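The log quoted above shows the matching CRL entry carrying the extension 2.5.29.21 with "Reason Code: Remove from CRL". RFC 5280 (section 5.3.1) defines removeFromCRL (8) as a reason used in delta CRLs to signal that a certificate previously placed on hold is no longer revoked, so a relying party is entitled to treat such an entry as a non-revocation, which is the first thing worth checking when a CRL that "contains" a certificate still lets it through. The following Python example is added here for illustration; it is not code from the thread, from GlassFish, or from the JDK's certpath provider. It parses the revokedCertificates entries of a CRL with a minimal stdlib-only DER reader and reports which entries are effective revocations. The three DER entries it decodes are constructed by hand (fictional serial numbers, no real CA), and the helper names are this example's own.

```python
"""Decode revokedCertificates entries of an X.509 CRL (RFC 5280, section 5.1)
and report which ones are effective revocations.

Added example for illustration; the three DER entries below are constructed
by hand and do not come from any real CA or from the thread above.
"""

# CRLReason ENUMERATED values (RFC 5280, section 5.3.1).
CRL_REASONS = {
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
    6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
    10: "aACompromise",
}
OID_CRL_REASON = "2.5.29.21"  # id-ce-cRLReasons
REMOVE_FROM_CRL = 8


def _tlv(tag, content):
    """Build a short-form DER TLV (enough for these small samples)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Decode a DER OBJECT IDENTIFIER body to dotted form."""
    parts, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def parse_crl_entry(der):
    """Parse SEQUENCE { userCertificate INTEGER, revocationDate Time,
    crlEntryExtensions Extensions OPTIONAL } into a dict."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "entry must be a SEQUENCE"
    tag, serial, pos = _read_tlv(body, 0)
    assert tag == 0x02, "userCertificate must be an INTEGER"
    tag, date, pos = _read_tlv(body, pos)
    assert tag in (0x17, 0x18), "revocationDate must be UTCTime or GeneralizedTime"
    reason = None
    if pos < len(body):  # optional crlEntryExtensions
        _, exts, _ = _read_tlv(body, pos)
        epos = 0
        while epos < len(exts):
            _, ext, epos = _read_tlv(exts, epos)
            _, oid, ipos = _read_tlv(ext, 0)
            tag, value, ipos = _read_tlv(ext, ipos)
            if tag == 0x01:  # explicit 'critical' BOOLEAN precedes extnValue
                tag, value, ipos = _read_tlv(ext, ipos)
            if _decode_oid(oid) == OID_CRL_REASON:
                tag, enum, _ = _read_tlv(value, 0)  # extnValue wraps an ENUMERATED
                assert tag == 0x0A
                reason = int.from_bytes(enum, "big")
    return {"serial": int.from_bytes(serial, "big", signed=True),
            "revocation_date": date.decode("ascii"), "reason": reason}


def entry_revokes(entry):
    """True when the entry should cause the certificate to be rejected.
    removeFromCRL (8) is defined for delta CRLs and means the certificate is
    no longer revoked; every other reason (including certificateHold) rejects."""
    return entry["reason"] != REMOVE_FROM_CRL


def _entry(serial, reason=None):
    """Constructed sample entry; revocation date 2010-05-20 12:46:12Z (UTCTime)."""
    body = _tlv(0x02, serial.to_bytes(2, "big")) + _tlv(0x17, b"100520124612Z")
    if reason is not None:
        ext = _tlv(0x06, bytes([0x55, 0x1D, 0x15])) + _tlv(0x04, _tlv(0x0A, bytes([reason])))
        body += _tlv(0x30, _tlv(0x30, ext))
    return _tlv(0x30, body)


# Constructed sample data: plain entry, keyCompromise entry, removeFromCRL entry.
SAMPLE_ENTRIES = [_entry(0x1001), _entry(0x1002, reason=1), _entry(0x1003, reason=REMOVE_FROM_CRL)]


def audit(entries):
    """Return (serial, reason name, effective revocation?) for each DER entry."""
    result = []
    for der in entries:
        e = parse_crl_entry(der)
        name = "(no reason extension)" if e["reason"] is None else CRL_REASONS.get(e["reason"], "unknown")
        result.append((e["serial"], name, entry_revokes(e)))
    return result


if __name__ == "__main__":
    for serial, name, effective in audit(SAMPLE_ENTRIES):
        print(f"serial 0x{serial:x}: reason={name} effective_revocation={effective}")
```

Run it on a real CRL by feeding each element of the revokedCertificates SEQUENCE to parse_crl_entry (the sample builder only exists so the script runs offline). An entry whose reason decodes to removeFromCRL will show effective_revocation=False, matching the behaviour seen in the log, and a CRL meant to revoke a certificate outright should carry a reason such as keyCompromise, or none at all.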