
Support Certificate Revocation List in embedded web server SSL configuration #6171

Open
cfieber opened this issue Jun 15, 2016 · 4 comments
Labels: theme: ssl (Issues related to ssl support), type: enhancement (A general enhancement)

Comments

@cfieber

cfieber commented Jun 15, 2016

When using SSL client authentication, the ability to revoke and reject a client certificate is useful to ensure that a leaked certificate is no longer able to authenticate with the service without having to create a new CA and truststore.

In Ssl.java, add a crlFile attribute holding the path to the CRL file.

In TomcatEmbeddedServletContainerFactory.java#configureSsl (or, arguably, in TomcatEmbeddedServletContainerFactory.java#configureSslClientAuth, only if clientAuth is need or want, since the crlFile is only used to validate clients), call protocol.setCrlFile.

Jetty's SslContextFactory supports setting a crlPath.

Undertow does not look like it supports this out of the box; however, it does allow TrustManager configuration, so the equivalent of org.apache.tomcat.util.net.jsse.JSSESocketFactory#getTrustManagers could be added in UndertowEmbeddedServletContainerFactory.
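The Undertow route described above (supply a TrustManager that consults the CRL, as Tomcat's JSSESocketFactory#getTrustManagers does) can be built on the standard PKIX validator alone. The following is an added example, not code from the issue author or from Spring Boot; the class name, the file paths and the truststore password are hypothetical. It loads the client CA truststore and the CRL file, turns on PKIX revocation checking with the CRL as the only revocation source, and returns TrustManagers that can be passed to SSLContext.init for an Undertow HTTPS listener:

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Collection;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds TrustManagers that reject client certificates listed in a CRL file.
 * Hypothetical helper for this issue: inputs are a JKS/PKCS12 truststore holding
 * the client CA and a PEM or DER CRL file issued by that CA.
 */
public final class CrlTrustManagers {

    private CrlTrustManagers() {
    }

    public static TrustManager[] build(Path trustStorePath, char[] trustStorePassword,
            Path crlPath) throws Exception {
        // Trust anchors: the CA(s) allowed to issue client certificates.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }

        // Parse the CRL file. generateCRLs accepts a single CRL or a bundle of them.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends CRL> crls;
        try (InputStream in = Files.newInputStream(crlPath)) {
            crls = cf.generateCRLs(in);
        }

        // PKIX parameters: anchors from the truststore, revocation data from the CRL.
        // X509CertSelector with no constraints accepts any end-entity certificate.
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls)));
        // This is the step that makes revocation matter. With no OCSP configured, the
        // validator looks up the issuer's CRL in the CertStore; a certificate that appears
        // in it is rejected, and validation also fails (rather than falling open) if no
        // CRL for the issuer can be found.
        pkix.setRevocationEnabled(true);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf.getTrustManagers();
    }
}
```

Two caveats for anyone wiring this in: the CRL is read once when the TrustManager is built, so rotating the CRL means rebuilding the SSLContext, and a CRL whose nextUpdate has passed is not treated as current, so the file has to be refreshed before that time or client authentication starts failing for every client rather than only the revoked ones.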

@bvulaj

bvulaj commented Jan 23, 2018

Is there currently any workaround for this using embedded Tomcat?

@snicoll snicoll changed the title Enhancement: Support crlFile in SSL configuration Support crlFile in SSL configuration Jan 24, 2018
@wilkinsona
Member

@bvulaj Yes. You can use a connector customiser to access the connector's protocol and configure its crl file. Something like this:

```java
import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;

@Bean
public EmbeddedServletContainerCustomizer containerCustomizer() {
    return (container) -> {
        if (container instanceof TomcatEmbeddedServletContainerFactory) {
            ((TomcatEmbeddedServletContainerFactory) container)
                    .addConnectorCustomizers((connector) -> {
                        // The connector's protocol handler owns the SSL settings,
                        // so point it at the CRL file here.
                        ((AbstractHttp11Protocol<?>) connector.getProtocolHandler())
                                .setCrlFile("…");
                    });
        }
    };
}
```

@bobtiernay-okta

Looks like this only works for Spring Boot 1.x. Going to attempt this for Spring Boot 2. Would be awesome if Spring could help tweak this out of the box for Tomcat. Is the team open to that in the form of PRs?

Cheers!

@wilkinsona
Member

The general approach will work in 2.0, but you need to use a WebServerCustomizer. A PR would be most welcome. Thank you. To be considered, we’d ideally want it to cover all four containers (Jetty, Netty, Tomcat, and Undertow). Some investigation of what’s possible with Netty and Undertow would be needed.
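The Spring Boot 2 form of the workaround above, as an added example rather than code from the thread or from Spring Boot itself: in Boot 2 the customizer interface is WebServerFactoryCustomizer and the Tomcat factory is TomcatServletWebServerFactory, but the connector customizer and the setCrlFile call are the same. The class name and the CRL path are hypothetical; the instanceof check keeps the bean from blowing up on a non-HTTP/1.1 protocol handler.

```java
import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatCrlConfiguration {

    // Hypothetical location; in a real application take it from a configuration property.
    private static final String CRL_FILE = "/etc/app/tls/clients.crl";

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> crlCustomizer() {
        // Boot applies its own server.ssl.* settings to the connector before running
        // connector customizers, so the CRL is layered on top of the configured SSL.
        return factory -> factory.addConnectorCustomizers(connector -> {
            if (connector.getProtocolHandler() instanceof AbstractHttp11Protocol) {
                AbstractHttp11Protocol<?> protocol =
                        (AbstractHttp11Protocol<?>) connector.getProtocolHandler();
                // Tomcat only consults the CRL while verifying client certificates, so this
                // has no effect unless client auth is also enabled (server.ssl.client-auth=need
                // or want).
                protocol.setCrlFile(CRL_FILE);
            }
        });
    }
}
```

On Tomcat 8.5 and later, which is what Boot 2 ships, setCrlFile on the protocol delegates to the connector's default SSLHostConfig, so the same result can be had with connector.findSslHostConfigs()[0].setCertificateRevocationListFile(path) if per-host configuration is in play.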

@philwebb philwebb added this to the General Backlog milestone Dec 14, 2018
@mbhave mbhave added the theme: ssl Issues related to ssl support label Jul 31, 2019
@scottfrederick scottfrederick changed the title Support crlFile in SSL configuration Support Certificate Revocation List in embedded web server SSL configuration Mar 29, 2023

7 participants