Bug 339543 - Add configuration options for Certificate Revocation checking
Summary: Add configuration options for Certificate Revocation checking
Status: RESOLVED FIXED
Alias: None
Product: Jetty
Classification: RT
Component: server
Version: 7.3.0
Hardware: PC Linux
Importance: P3 normal
Target Milestone: 7.2.x
Assignee: Michael Gorovoy
Reported: 2011-03-10 11:00 EST by Michael Gorovoy
Modified: 2011-03-11 21:02 EST
Description Michael Gorovoy 2011-03-10 11:00:42 EST
Currently, when Jetty tries to validate an SSL certificate, it always attempts to turn on support for Certificate Revocation List Distribution Points (CRLDP) as well as On-Line Certificate Status Protocol (OCSP) X509 certificate extensions.

This enhancement allows more fine-grained control over what methods of certificate revocation checking are going to be used by both Jetty server in SSL connectors as well as Jetty client.
Comment 1 Michael Gorovoy 2011-03-10 11:02:10 EST
It is important to note that if no Certificate Revocation checking method is configured, or if neither CRLDP nor OCSP extension information is present in the certificate being validated, and CRL file location has not been provided, the certificate validation will fail unconditionally.
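The revocation sources discussed above, shown at the JDK level as an added example that is not Jetty's code or part of the original bug report: it uses only the standard Java PKIX API to toggle CRLDP, OCSP and a local CRL file independently. The class name, argument order and file names are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Collection;
// Added example: standard JDK PKIX API; class name and argument layout are hypothetical.
public class RevocationCheckDemo {
    static PKIXParameters params(KeyStore trust, Collection<? extends CRL> crls,
                                 boolean enableCrldp, boolean enableOcsp) throws Exception {
        // JVM-wide switches of the default PKIX provider; set them before validating.
        System.setProperty("com.sun.security.enableCRLDP", Boolean.toString(enableCrldp));
        Security.setProperty("ocsp.enable", Boolean.toString(enableOcsp));
        PKIXParameters p = new PKIXParameters(trust);   // trusted certs become trust anchors
        p.setRevocationEnabled(true);                   // status must be resolvable or validation fails
        if (crls != null && !crls.isEmpty()) {          // CRLs loaded from a local file
            p.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(crls)));
        }
        return p;
    }
    // Usage: java RevocationCheckDemo <truststore> <password> <chain.pem> <crldp> <ocsp> [crl-file]
    public static void main(String[] a) throws Exception {
        if (a.length < 5) throw new IllegalArgumentException("see usage comment above main");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(a[0])) { trust.load(in, a[1].toCharArray()); }
        CertPath path;   // end-entity certificate first, trust anchor not included
        try (InputStream in = new FileInputStream(a[2])) {
            path = cf.generateCertPath(new ArrayList<Certificate>(cf.generateCertificates(in)));
        }
        Collection<? extends CRL> crls = null;
        if (a.length > 5) {
            try (InputStream in = new FileInputStream(a[5])) { crls = cf.generateCRLs(in); }
        }
        PKIXParameters p = params(trust, crls, Boolean.parseBoolean(a[3]), Boolean.parseBoolean(a[4]));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, p);
            System.out.println("valid, revocation status resolved");
        } catch (CertPathValidatorException e) {
            // With no usable CRL, CRLDP or OCSP source, the status cannot be determined.
            System.out.println("rejected: " + e.getReason() + " - " + e.getMessage());
        }
    }
}
```

Running it with both switches set to `false` and no CRL file exercises the fail-closed case from Comment 1; the two properties are process-wide, so they affect every PKIX validation in the same JVM.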
Comment 2 Michael Gorovoy 2011-03-11 21:02:22 EST
Committed r2882.