Pavlos,
Did you try to turn on CRL checking in the Security Provider?
If your client certificate does have CRLDP extensions, with a Sun JVM
and the Sun Security Provider you should be able to do it (not tested yet,
sorry).
In order to do so, you have to set these system properties:
com.sun.net.ssl.checkRevocation=true
com.sun.security.enableCRLDP=true
You might get more debug logging using: java.security.debug=certpath
You might also be able to do it using an OCSP responder on a Sun JRE 6:
http://java.sun.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html
Regards,
Arnaud Lesueur
On Wed, May 21, 2008 at 4:45 PM, Romain BOURGUE <romain.bourgue@...> wrote:
> With cas-server-support-x509, a certificate is indeed treated as valid:
> 1- if it matches a trusted issuer DN (subjectDnPattern)...
> 2- ...within a specified range of intermediate CAs (maxPathLength),
> 3- if it's not expired (and already valid),
> 4- if its key usage validates an optionally specified one.
>
> but it doesn't check any Certificate Revocation List (CRL) (yet?).
>
> If you want this check, the easiest way is to rely on mod_ssl installed on an
> Apache front-end web server. The SSLCARevocationPath directive allows you to specify a
> list of CRLs the certificate will be checked against.
>
> You can also develop your own authentication handler....
>
>
> Romain
>
> Pavlos Drandakis wrote:
>> Hello all,
>>
>> From what I understand, a certificate is treated as valid if the current
>> time (when checking) is between the certificate's creation and expiration
>> time. So if a revoked certificate has not expired yet, it is considered
>> valid and access is granted when using X509 authentication. Is there
>> any way to prevent users from logging into CAS when presenting revoked
>> certificates?
>>
>> Thanks,
>>
>> Pavlos
>>
>> (Server Configuration: CAS 3.2.1, Tomcat 6.0.14 with APR support)
>>
>>
>>
>> _______________________________________________
>> cas-dev mailing list
>> cas-dev@...
>> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>
--
Arnaud Lesueur
LinkedIn:
http://www.linkedin.com/in/lesueur
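The following is an added example, not code from the CAS project or from anyone in this thread. It applies the properties Arnaud lists from Java code rather than on the command line and then validates a client certificate against a trust store with the Sun PKIX validator and revocation checking switched on, so a revoked but unexpired certificate is rejected instead of accepted. The class name `RevocationCheck`, the method `validate`, and the file-path and password arguments are assumptions chosen for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Added example (not CAS or Sun code): validate a client certificate with
 * CRL Distribution Point / OCSP revocation checking enabled. File paths and
 * the key store password come from the command line and are placeholders.
 */
public class RevocationCheck {

    static {
        // Let the Sun PKIX implementation fetch CRLs from the certificate's
        // CRL Distribution Points extension (off by default).
        System.setProperty("com.sun.security.enableCRLDP", "true");
        // Also query the OCSP responder named in the Authority Information
        // Access extension (JRE 6+); this is a Security property, not a
        // system property.
        Security.setProperty("ocsp.enable", "true");
        // Make the JSSE trust manager enforce revocation on TLS client
        // certificates too, for the case where Tomcat terminates SSL itself.
        System.setProperty("com.sun.net.ssl.checkRevocation", "true");
    }

    /**
     * Returns null if the certificate chains to a trust anchor in the trust
     * store and is not revoked, otherwise the validator's rejection reason.
     */
    public static String validate(X509Certificate clientCert, KeyStore trustStore)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // A one-element path: the client cert's issuer must be a trust anchor.
        // Intermediate CA certs, if any, would be appended to this list.
        CertPath path = cf.generateCertPath(Collections.singletonList(clientCert));

        // Trust anchors are the trusted-certificate entries of the key store.
        PKIXParameters params = new PKIXParameters(trustStore);
        // This is the switch that matters: with it false (the default), a
        // revoked certificate inside its validity period validates cleanly.
        params.setRevocationEnabled(true);

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            validator.validate(path, params);
            return null;
        } catch (CertPathValidatorException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // args: <client-cert.pem-or-der> <truststore.jks> <truststore-password>
        KeyStore ts = KeyStore.getInstance("JKS");
        InputStream tsIn = new FileInputStream(args[1]);
        try {
            ts.load(tsIn, args[2].toCharArray());
        } finally {
            tsIn.close();
        }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream certIn = new FileInputStream(args[0]);
        X509Certificate cert;
        try {
            cert = (X509Certificate) cf.generateCertificate(certIn);
        } finally {
            certIn.close();
        }

        String problem = validate(cert, ts);
        System.out.println(problem == null
                ? "valid and not revoked"
                : "rejected: " + problem);
    }
}
```

Two points worth checking when wiring this into a handler: the two `System.setProperty` calls must run before the PKIX validator is first used in the JVM (setting them as `-D` options on the Tomcat command line, as in the reply above, avoids the ordering question), and CRL fetching needs outbound access from the CAS server to the distribution point URLs, so `java.security.debug=certpath` is the quickest way to see whether the CRL was actually downloaded or the check silently fell through to a validation failure.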