When using SSL client authentication, the ability to revoke and reject a client certificate is useful to ensure that a leaked certificate is no longer able to authenticate with the service without having to create a new CA and truststore.

- In `Ssl.java` add a `crlFile` attribute as path to the CRL file
- In `TomcatEmbeddedServletContainerFactory.java#configureSsl` (or arguably in `TomcatEmbeddedServletContainerFactory.java#configureSslClientAuth` only if `clientAuth` is `need` or `want`, since the `crlFile` is used to validate clients) call `protocol.setCrlFile`
- Jetty's `SslContextFactory` supports setting a `crlPath`
- Undertow does not seem to support it out of the box; however, it does allow `TrustManager` configuration, so the equivalent of `org.apache.tomcat.util.net.jsse.JSSESocketFactory#getTrustManagers` could be added in `UndertowEmbeddedServletContainerFactory`
Looks like this only works for Spring Boot 1.x. Going to try to attempt this for Spring Boot 2. Would be awesome if Spring could help tweak this out of the box for Tomcat. Is the team open to that in the form of PRs?
The general approach will work in 2.0, but you need to use a WebServerCustomizer. A PR would be most welcome. Thank you. To be considered, we’d ideally want it to cover all four containers (Jetty, Netty, Tomcat, and Undertow). Some investigation of what’s possible with Netty and Undertow would be needed.
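The following is an added example, not code from the issue or from Spring Boot itself, showing how the Tomcat part of the proposal can be wired up today from application code with a `WebServerFactoryCustomizer` (Spring Boot 2.x API), without patching `Ssl.java`. The property name `app.ssl.crl-file` and the class name `CrlConfig` are assumptions made for the example; the issue proposes a `crlFile` attribute on `Ssl` instead. It applies the CRL only when SSL is enabled and client authentication is `want` or `need`, matching the observation in the issue that the CRL is only used to validate clients, and it fails fast if the CRL file cannot be read, so a misconfigured path surfaces at startup rather than as a silently unenforced revocation check.

```java
package com.example.tls; // hypothetical package

import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.apache.coyote.ProtocolHandler;
import org.apache.coyote.http11.AbstractHttp11JsseProtocol;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.Ssl;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class CrlConfig {

    /**
     * Registers a customizer that points Tomcat's JSSE protocol handler at a
     * PEM/DER CRL file, so client certificates listed in it are rejected during
     * the TLS handshake. "app.ssl.crl-file" is a property name assumed for this
     * example; an empty value disables the customization.
     */
    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> tomcatCrlCustomizer(
            @Value("${app.ssl.crl-file:}") String crlFile) {
        return factory -> {
            Ssl ssl = factory.getSsl();
            // A CRL only matters when we verify client certificates, i.e. when
            // client-auth is WANT or NEED; otherwise nothing is checked against it.
            if (crlFile.isEmpty() || ssl == null || !ssl.isEnabled()
                    || ssl.getClientAuth() == null || ssl.getClientAuth() == Ssl.ClientAuth.NONE) {
                return;
            }
            Path crlPath = Paths.get(crlFile);
            // Fail at startup instead of running without revocation checking.
            if (!Files.isReadable(crlPath)) {
                throw new IllegalStateException("CRL file is not readable: " + crlPath.toAbsolutePath());
            }
            factory.addConnectorCustomizers(connector -> {
                ProtocolHandler handler = connector.getProtocolHandler();
                // Only the JSSE-based HTTP/1.1 protocols expose setCrlFile.
                if (handler instanceof AbstractHttp11JsseProtocol) {
                    ((AbstractHttp11JsseProtocol<?>) handler)
                            .setCrlFile(crlPath.toAbsolutePath().toString());
                }
            });
        };
    }
}
```

With `server.ssl.enabled=true`, `server.ssl.client-auth=need` and `app.ssl.crl-file=/etc/pki/clients.crl` (an assumed path), Tomcat loads the CRL when the connector starts; revoked client certificates then fail the handshake rather than reaching the application. The CRL is read once at startup, so rotating it requires a restart of the connector unless the file is reloaded through other means.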
scottfrederick changed the title from "Support crlFile in SSL configuration" to "Support Certificate Revocation List in embedded web server SSL configuration" on Mar 29, 2023