

Switch cert and peer validation to false by default
If either of these two options is enabled, an HTTPS-enabled Dropwizard
app will most likely fail to start with cryptic error messages. Since
Jetty has these options disabled by default, we should follow their lead
and disable these options as well.

Future work includes adding in additional certificate features as
Certificate Revocation List (CRL),  CRL Distribution Points Protocol
(CRLDP), On-Line Certificate Status Protocol (OCSP)
nickbabcock authored and arteam committed Dec 12, 2016
1 parent b07ded6 commit 7be0112
Showing 4 changed files with 21 additions and 27 deletions.
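--- a/docs/source/manual/configuration.rst
+++ b/docs/source/manual/configuration.rst
@@ -385,8 +385,8 @@ Extends the attributes that are available to the :ref:`HTTP connector <man-confi
 maxCertPathLength: (unlimited)
 ocspResponderUrl: (none)
 jceProvider: (none)
-validateCerts: true
-validatePeers: true
+validateCerts: false
+validatePeers: false
 supportedProtocols: [SSLv3]
 excludedProtocols: (none)
 supportedCipherSuites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]
@@ -418,9 +418,13 @@ enableOCSP false Whether or not On-Line Cert
 maxCertPathLength (unlimited) The maximum certification path length.
 ocspResponderUrl (none) The location of the OCSP responder.
 jceProvider (none) The name of the JCE provider to use for cryptographic support.
-validateCerts true Whether or not to validate TLS certificates before starting. If enabled, Dropwizard
-will refuse to start with expired or otherwise invalid certificates.
-validatePeers true Whether or not to validate TLS peer certificates.
+validateCerts false Whether or not to validate TLS certificates before starting. If enabled, Dropwizard
+will refuse to start with expired or otherwise invalid certificates. This option will
+cause unconditional failure in Dropwizard 1.x until a new validation mechanism can be
+implemented.
+validatePeers false Whether or not to validate TLS peer certificates. This option will
+cause unconditional failure in Dropwizard 1.x until a new validation mechanism can be
+implemented.
 supportedProtocols (none) A list of protocols (e.g., ``SSLv3``, ``TLSv1``) which are supported. All
 other protocols will be refused.
 excludedProtocols (none) A list of protocols (e.g., ``SSLv3``, ``TLSv1``) which are excluded. These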
Expand Up @@ -4,38 +4,28 @@ server:
port: 0
keyStoreType: PKCS12
keyStorePassword: password
validateCerts: false
validatePeers: false
trustStoreType: PKCS12
supportedProtocols: ["TLSv1.2"]
- type: https
port: 0
keyStoreType: PKCS12
keyStorePassword: password
validateCerts: false
validatePeers: false
trustStoreType: PKCS12
- type: https
port: 0
keyStoreType: PKCS12
keyStorePassword: password
validateCerts: false
validatePeers: false
supportedProtocols: ["TLSv1.2"]
- type: https
port: 0
keyStoreType: PKCS12
keyStorePassword: password
validateCerts: false
validatePeers: false
trustStoreType: PKCS12
supportedProtocols: ["TLSv1.2"]
- type: https
port: 0
keyStoreType: PKCS12
keyStorePassword: password
validateCerts: false
validatePeers: false
trustStoreType: PKCS12
supportedProtocols: ["TLSv1.2"]
adminConnectors:
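--- a/dropwizard-example/example.yml
+++ b/dropwizard-example/example.yml
@@ -34,24 +34,18 @@ server:
 port: 8443
 keyStorePath: example.keystore
 keyStorePassword: example
-validateCerts: false
-validatePeers: false
 #this requires the alpn-boot library on the JVM's boot classpath
 #- type: h2
 # port: 8445
 # keyStorePath: example.keystore
 # keyStorePassword: example
-# validateCerts: false
-# validatePeers: false
 adminConnectors:
 - type: http
 port: 8081
 - type: https
 port: 8444
 keyStorePath: example.keystore
 keyStorePassword: example
-validateCerts: false
-validatePeers: false
 
 # Logging settings.
 logging: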
Expand Up @@ -152,16 +152,22 @@
* </tr>
* <tr>
* <td>{@code validateCerts}</td>
* <td>true</td>
* <td>false</td>
* <td>
* Whether or not to validate TLS certificates before starting. If enabled, Dropwizard
* will refuse to start with expired or otherwise invalid certificates.
* will refuse to start with expired or otherwise invalid certificates. This option will
* cause unconditional failure in Dropwizard 1.x until a new validation mechanism can be
* implemented.
* </td>
* </tr>
* <tr>
* <td>{@code validatePeers}</td>
* <td>true</td>
* <td>Whether or not to validate TLS peer certificates.</td>
* <td>false</td>
* <td>
* Whether or not to validate TLS peer certificates. This option will
* cause unconditional failure in Dropwizard 1.x until a new validation mechanism can be
* implemented.
* </td>
* </tr>
* <tr>
* <td>{@code supportedProtocols}</td>
Expand Down Expand Up @@ -247,8 +253,8 @@ public class HttpsConnectorFactory extends HttpConnectorFactory {
private Integer maxCertPathLength;
private URI ocspResponderUrl;
private String jceProvider;
private boolean validateCerts = true;
private boolean validatePeers = true;
private boolean validateCerts = false;
private boolean validatePeers = false;
private List<String> supportedProtocols;
private List<String> excludedProtocols;
private List<String> supportedCipherSuites;
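Review bot: The new defaults `private boolean validateCerts = false;` and `private boolean validatePeers = false;` leave both options settable with no check, even though the updated Javadoc above states that enabling either "will cause unconditional failure in Dropwizard 1.x"; a configuration that still carries `validateCerts: true` from an earlier release therefore still fails with the cryptic startup error the commit description mentions. A fail-fast check that names the offending option, for example a `@ValidationMethod(message = "validateCerts and validatePeers are not supported in this release")` method returning `!validateCerts && !validatePeers`, would surface the problem at configuration-parse time, and the two accessors could carry `@Deprecated` so the limitation is visible to callers. The Javadoc could also state what is and is not checked while both stay `false`, since a reader of the table cannot tell whether certificates presented by peers are still verified against the configured trust store; I cannot confirm that from this hunk because the Jetty SslContextFactory wiring is outside it. The declaration of HttpsConnectorFactory begins and ends outside both hunks.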

