
Bug 339543

Summary: Add configuration options for Certificate Revocation checking
Product: [RT] Jetty
Reporter: Michael Gorovoy <mgorovoy>
Component: server
Assignee: Michael Gorovoy <mgorovoy>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: jetty-inbox
Version: 7.3.0
Target Milestone: 7.2.x
Hardware: PC
OS: Linux
Whiteboard:

Description Michael Gorovoy 2011-03-10 11:00:42 EST
Currently, when Jetty tries to validate an SSL certificate, it always attempts to turn on support for Certificate Revocation List Distribution Points (CRLDP) as well as On-Line Certificate Status Protocol (OCSP) X509 certificate extensions.

This enhancement allows more fine-grained control over what methods of certificate revocation checking are going to be used by both Jetty server in SSL connectors as well as Jetty client.
Comment 1 Michael Gorovoy 2011-03-10 11:02:10 EST
It is important to note that if no Certificate Revocation checking method is configured, or if neither CRLDP nor OCSP extension information is present in the certificate being validated, and CRL file location has not been provided, the certificate validation will fail unconditionally.
Comment 2 Michael Gorovoy 2011-03-11 21:02:22 EST
Committed r2882.
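
The JDK-level switches behind the three revocation sources discussed in this bug (CRLDP, OCSP, a local CRL file), as an added example that is not Jetty's code and not part of the original report. It assumes the standard Sun/Oracle PKIX provider; the class name, command-line arguments and input file layout are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.ArrayList;

// Added example: class, method and argument names are hypothetical, not Jetty's.
public class RevocationCheckDemo {

    // Build PKIX parameters with revocation checking on and the chosen sources.
    static PKIXParameters params(KeyStore trust, boolean crldp, boolean ocsp,
                                 String crlFile) throws Exception {
        PKIXParameters p = new PKIXParameters(trust);
        p.setRevocationEnabled(true); // no usable source => path is rejected
        // CRL Distribution Points extension (JDK PKIX provider system property).
        System.setProperty("com.sun.security.enableCRLDP", Boolean.toString(crldp));
        // OCSP via the certificate's AIA extension (JDK security property).
        Security.setProperty("ocsp.enable", Boolean.toString(ocsp));
        if (crlFile != null) { // locally provided CRL file
            try (InputStream in = new FileInputStream(crlFile)) {
                p.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(
                        CertificateFactory.getInstance("X.509").generateCRLs(in))));
            }
        }
        return p;
    }

    // Usage: java RevocationCheckDemo trust.jks password chain.pem [crl-file]
    // chain.pem: leaf first, trust anchor excluded (assumed input layout).
    public static void main(String[] args) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            trust.load(in, args[1].toCharArray());
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path;
        try (InputStream in = new FileInputStream(args[2])) {
            path = cf.generateCertPath(new ArrayList<Certificate>(cf.generateCertificates(in)));
        }
        String crl = args.length > 3 ? args[3] : null;
        boolean[][] modes = {{false, false}, {true, false}, {false, true}, {true, true}};
        for (boolean[] m : modes) { // each entry is {CRLDP, OCSP}
            try {
                CertPathValidator.getInstance("PKIX")
                    .validate(path, params(trust, m[0], m[1], crl));
                System.out.printf("CRLDP=%b OCSP=%b -> valid%n", m[0], m[1]);
            } catch (CertPathValidatorException e) {
                System.out.printf("CRLDP=%b OCSP=%b -> rejected: %s%n", m[0], m[1], e.getMessage());
            }
        }
    }
}
```

Run without a CRL file and with both switches off, the validator has no revocation source and rejects the path, which is the fail-closed case Comment 1 describes.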