
I'm writing a webapp which requires incoming connections to use client certificates for security. I've set it up to only accept secure connections, and to use clientAuth=true.

I've been trying to check that it rejects certificates which have been revoked, but it doesn't seem to be checking the CRL. This is the first time I've really tried using CRLs so it's possible/likely I've done something wrong...

Test setup:

  1. created test CA in openssl which has been added to the truststore for the server
  2. created CRL for CA, and added config settings to openssl to include a crl distribution point in client certificates (using Howto create a certificate using openssl including a CRL distribution point?)
  3. created two client certificates using CA
  4. revoked one of the client certs, updated the CRL and placed it at the address specified as the distribution point (have since checked the contents of this CRL and it does list the ID of the cert as revoked)

After setting this up, I've tried making connections to the application using both certificates; however, it lets both connect successfully, even though one of them is revoked.

Is there a setting I've missed in Tomcat that makes it check the CRL distribution point when it receives a client certificate? I would have thought that would be default behaviour.

I've found various references to settings which allow you to embed a crl location into the Connector in tomcat - that isn't what I'm looking for. This system will eventually be configured to accept certificates from a number of different CAs.

user unknown

1 Answer


Assuming you're using the Oracle/OpenJDK JRE, if you scroll down to the bottom of the Certification Path API guide (Appendix B), you'll find CRLDP can be enabled with the com.sun.security.enableCRLDP system property:

Support for the CRL Distribution Points extension is available. It is disabled by default for compatibility and can be enabled by setting the system property com.sun.security.enableCRLDP to the value true.

You may also be interested in the following section, about OCSP.

Bruno
  • Hmm... I'm not sure if I am or not (still relatively new to Java, mostly a C# person). The only checking I have inside the application itself is restricted to extracting the X509Certificate using `request.getAttribute("javax.servlet.request.X509Certificate")` and then doing various checks of the subject. I thought that all the checking of certificates being in date, having valid CAs etc. was done by the web server (I'm used to IIS). I've tried enabling that setting using: `java -Dcom.sun.security.enableCRLDP=true` but it doesn't seem to accept this command. – user unknown Oct 09 '12 at 13:31
  • Yes, the client cert trust management is done by the Tomcat connector. I'm assuming you're using the JSSE connector, not the APR connector (otherwise these would be OpenSSL configuration options). OTOH, you should be able to set `-Dcom.sun.security.enableCRLDP=true` with the Java options somewhere like `catalina.sh`. – Bruno Oct 09 '12 at 13:52
  • Using `System.getProperty("com.sun.security.enableCRLDP")` shows the value as null, so it looks like I may be using something which doesn't have this feature.... – user unknown Oct 09 '12 at 14:43
  • The properties are global for this running instance of the JVM. Often, they're only read once. What you need is to set it, not get it. In addition, this should be set up in the script launching the JVM (probably `catalina.sh`). – Bruno Oct 09 '12 at 14:53
  • Yes, I had tried setting it in the registry - I was getting it to check if it was being set. Shouldn't it come back as true or false though, and not null? – user unknown Oct 09 '12 at 15:00
  • I've tried using the method involving `PKIXParameters.setRevocationEnabled(true)` and am now getting a `java.security.cert.CertPathValidatorException: revocation status check failed: no CRL found` for both certificates which is progress at least... :) – user unknown Oct 09 '12 at 15:19
  • You shouldn't have to deal with any of the `PKIXParameters` or any trustmanager at all, just enable that system property in your Tomcat launcher (Windows or Linux?) – Bruno Oct 09 '12 at 15:27
  • Currently Eclipse on Windows, will eventually be Linux. I've added `-Dcom.sun.security.enableCRLDP=true` to the VM arguments in the Tomcat launch configuration in Eclipse. I've also added it to the startup parameters for the proper installed version using the registry edit method here (http://stackoverflow.com/questions/5162279/configure-tomcat-to-use-a-trust-store-other-than-cacerts) EDIT: getting the value of the property now returns true. But it still lets both certificates through. Given the error message when using the PKIXParameters method, I think I may have other problems... – user unknown Oct 09 '12 at 15:46
  • Ok, Tomcat still doesn't seem to want to automatically validate the CRL, but using the enableCRLDP setting in conjunction with the PKIXParameters produces the desired results. Thanks for help! – user unknown Oct 10 '12 at 15:54
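The approach the thread settles on, written out as an added example (this is not code from the original post, from Bruno's answer, or from Tomcat itself): a servlet filter that re-runs PKIX path validation on the chain Tomcat exposes in `javax.servlet.request.X509Certificate`, this time with revocation checking enabled. It uses Java 8's `PKIXRevocationChecker`, which in the JDK's implementation fetches the certificate's CRL distribution point on its own, so the `com.sun.security.enableCRLDP` property is not needed; on Java 7 the combination described in the comments (`-Dcom.sun.security.enableCRLDP=true` plus `PKIXParameters.setRevocationEnabled(true)`) is the equivalent. The class name, the `truststore.path`/`truststore.password` init-params and the 403 response are this example's own assumptions; it targets the `javax.servlet` API (Tomcat 7 to 9; Tomcat 10 and later use `jakarta.servlet`).

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Re-validates the client certificate chain the JSSE connector already accepted,
 * with revocation checking switched on. The connector alone does not consult the
 * CRL distribution point (the problem in the question above).
 * Class name, init-param names and the 403 response are assumptions of this example.
 */
public class ClientCertRevocationFilter implements Filter {

    private KeyStore trustStore;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Same truststore the Connector uses: a JKS/PKCS12 file holding the CA certificates.
        String path = cfg.getInitParameter("truststore.path");
        char[] password = cfg.getInitParameter("truststore.password").toCharArray();
        try (FileInputStream in = new FileInputStream(path)) {
            trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            trustStore.load(in, password);
        } catch (IOException | GeneralSecurityException e) {
            throw new ServletException("cannot load truststore " + path, e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        HttpServletResponse http = (HttpServletResponse) res;
        if (certs == null || certs.length == 0) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        try {
            validateWithRevocation(certs, trustStore);
        } catch (CertPathValidatorException e) {
            // getReason() is BasicReason.REVOKED for a revoked certificate and
            // BasicReason.UNDETERMINED_REVOCATION_STATUS when no CRL/OCSP answer was obtainable.
            http.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate rejected: " + e.getReason());
            return;
        } catch (GeneralSecurityException e) {
            throw new ServletException(e);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }

    /** PKIX path validation with CRL-based revocation checking; throws on any failure. */
    static void validateWithRevocation(X509Certificate[] chain, KeyStore trustStore)
            throws GeneralSecurityException {
        // Leave the trust anchor out of the path: the chain handed over by the connector
        // may end with the self-signed CA, and the anchor itself must not be revocation-checked.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (!isTrustAnchor(c, trustStore)) {
                path.add(c);
            }
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);

        PKIXParameters params = new PKIXParameters(trustStore); // every trusted-cert entry becomes an anchor
        params.setRevocationEnabled(true);                      // the switch the thread ended up needing

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // Use the CRL named in the certificate's distribution point first, OCSP as fallback.
        // SOFT_FAIL is deliberately not set: an unreachable CRL is a rejection, not a pass.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS));
        params.addCertPathChecker(rc);

        cpv.validate(certPath, params);
    }

    private static boolean isTrustAnchor(X509Certificate c, KeyStore ks) throws KeyStoreException {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias) && c.equals(ks.getCertificate(alias))) {
                return true;
            }
        }
        return false;
    }
}
```

Register the filter in `web.xml` (or with `@WebFilter`) on the paths that require client certificates, and point `truststore.path` at the same file the Connector's `truststoreFile` uses. Because the trust anchors come from the truststore rather than from a CRL location embedded in the Connector, adding a second CA later is a matter of adding its certificate to the truststore; its certificates carry their own distribution points. Before debugging the Java side, the test setup from the question can be checked offline with `openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem client.pem`, which must report the revoked certificate as `certificate revoked` and the other as `OK`.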