https://bz.apache.org/bugzilla/show_bug.cgi?id=60716
Bug ID: 60716
Summary: SSL certificate CRLDP section is ignored when NIO connection is used
Product: Tomcat 8
Version: 8.5.11
Hardware: PC
OS: Linux
Status: NEW
Severity: major
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ----
Environment:
Java(TM) SE Runtime Environment (build 1.8.0_66-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.66-b17, mixed mode)
Java started with the following additional parameters:
-Dcom.sun.net.ssl.checkRevocation=true -Dcom.sun.security.enableCRLDP=true
Connector configuration:
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true">
    <SSLHostConfig certificateVerification="optional"
                   protocols="TLSv1.2"
                   truststoreFile="${catalina.home}/conf/.truststore"
                   truststorePassword="password">
        <Certificate certificateKeystoreFile="${catalina.base}/conf/.keystore"
                     certificateKeystorePassword="password"
                     certificateKeyAlias="tomcat"
                     certificateKeyPassword="password" />
    </SSLHostConfig>
</Connector>
How to reproduce:
1. Root CA is imported into the truststore. Client has a valid certificate signed by
the root CA; this certificate has a CRLDistributionPoint section. Client has
access to the application using the https protocol.
2. Then the client's certificate is revoked. Wait until the certificate revocation list
is updated, and check that the CRL contains the client's certificate serial number.
3. User has access to the application!
4. Check communication using tcpdump: no connections to the CRLDP host.
5. Try the JVM parameter -Djava.security.debug=certpath: no CRL checks.
This problem can't be reproduced in Tomcat 8.0.x and 7.x. I think the problem
is in the org.apache.tomcat.util.net.jsse.JSSEUtil#getParameters method. If
SSLHostConfig doesn't contain the certificateRevocationListFile parameter, then
xparams.setRevocationEnabled(false) is invoked
(http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?diff_format=h&revision=1780997&view=markup#l341).
So without crlFile, the JVM parameter -Dcom.sun.net.ssl.checkRevocation is ignored.
But if crlFile is set, then the certificate's CRLDP section is ignored.
Anyway, crlFile is read only once and all updates are ignored, thus it can't be
used as a workaround.
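The PKIX wiring the report is asking for, as an added example that is neither Tomcat's code nor part of the bug report: a small command-line checker that builds the client's chain to a trust anchor in the configured truststore with revocation enabled and CRLs fetched from the leaf certificate's CRL Distribution Points, so a revoked client certificate is rejected instead of being accepted as in step 3 above. The class name, file paths and argument layout are assumptions; the JDK API calls (PKIXBuilderParameters, PKIXRevocationChecker, CertPathBuilder) are standard Java 8 classes. The `setRevocationEnabled(true)` line is exactly the call the report says JSSEUtil replaces with `setRevocationEnabled(false)` when no certificateRevocationListFile is configured.

```java
// Added example (not Tomcat code): validate a client certificate against a
// truststore with PKIX revocation checking on and CRLs fetched via CRLDP.
//
// Usage (paths are assumptions):
//   java CrldpCheck conf/.truststore password client-chain.pem
// Exit code 0 = chain built and not revoked, 1 = rejected, 2 = usage error.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

public class CrldpCheck {

    /** PKIX builder parameters with revocation checking switched on. */
    static PKIXBuilderParameters revocationParameters(KeyStore trustStore,
                                                      X509Certificate leaf,
                                                      List<X509Certificate> intermediates)
            throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);

        // Any intermediates from the client's chain are offered to the builder.
        List<Certificate> pool = new ArrayList<>(intermediates);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(pool)));

        // This is the call Tomcat 8.5's JSSEUtil turns into setRevocationEnabled(false)
        // when no certificateRevocationListFile is set; with false, no CRL is ever fetched.
        params.setRevocationEnabled(true);

        // Prefer CRLs over OCSP and refuse to pass if revocation status cannot be
        // determined (e.g. CRLDP host unreachable) instead of falling back silently.
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) builder.getRevocationChecker();
        checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS,
                                      PKIXRevocationChecker.Option.NO_FALLBACK));
        params.addCertPathChecker(checker);
        return params;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: CrldpCheck <truststore> <password> <client-chain.pem>");
            System.exit(2);
        }
        // Same property the reporter passed on the JVM command line; it lets the JDK
        // follow the CRLDistributionPoints extension. Set here before any certpath
        // class is loaded, or pass it as -Dcom.sun.security.enableCRLDP=true instead.
        System.setProperty("com.sun.security.enableCRLDP", "true");

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            trustStore.load(in, args[1].toCharArray());
        }

        // PEM file: leaf first, then any intermediates (same order as TLS sends them).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[2])) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        X509Certificate leaf = chain.get(0);
        List<X509Certificate> intermediates = chain.subList(1, chain.size());

        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        try {
            PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
                    builder.build(revocationParameters(trustStore, leaf, intermediates));
            System.out.println("VALID: anchored at "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            // A revoked leaf, or an unreachable CRLDP with NO_FALLBACK, ends up here;
            // the innermost cause carries the PKIX reason text.
            Throwable cause = e;
            while (cause.getCause() != null) {
                cause = cause.getCause();
            }
            System.out.println("REJECTED: " + cause.getMessage());
            System.exit(1);
        }
    }
}
```

Run it with `-Djava.security.debug=certpath` (step 5 of the report) and the CRL fetch from the CRLDP host shows up in the debug output; a tcpdump at the same time (step 4) shows the HTTP request for the CRL, which is the traffic the reporter observed missing with the 8.5 NIO2 connector.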