NeilMadden/apisecurityinaction

TLS configuration should enable revocation checking

NeilMadden opened this issue · 1 comment

The secure TLS client configuration given in Chapter 7, listing 7.2, doesn't enable certificate revocation checking, and this is off by default in Java. The example should show how to turn it on, as per [the Java docs](https://docs.oracle.com/en/java/javase/11/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-4E3834C7-E741-499E-9646-3557670FD88A). This can be accomplished either globally by setting the system property:

com.sun.net.ssl.checkRevocation=true

and then configuring ocsp.enable=true to enable OCSP in java.security (or via Security.setProperty). Alternatively, you can configure revocation checking for a particular HttpClient instance using code like the following when initializing the TrustManagerFactory:

    // trustedCerts is a Set<TrustAnchor> built from the CA certificates you trust.
    var tmf = TrustManagerFactory.getInstance("PKIX");
    var pkixParams = new java.security.cert.PKIXBuilderParameters(trustedCerts, null);
    pkixParams.setRevocationEnabled(true);
    var tmParams = new javax.net.ssl.CertPathTrustManagerParameters(pkixParams);
    tmf.init(tmParams);
    var sslContext = SSLContext.getInstance("TLS");
    sslContext.init(null, tmf.getTrustManagers(), null);

I've updated the code in the repository to turn on revocation checking by default using the following code:

    // Enable revocation checking (not in the book).
    var tmf = TrustManagerFactory.getInstance("PKIX");
    var pkixParams = new PKIXBuilderParameters(trustedCerts, null);
    // You can either set pkixParams.setRevocationEnabled(true) to use
    // the default revocation mechanisms configured in java.security.
    // Here, we explicitly configure a revocation checker to ensure OCSP
    // is turned on (it's off by default). If your CA doesn't support
    // revocation checking and you can't fix that (!), then you should
    // instead call pkixParams.setRevocationEnabled(false) and
    // comment out the following code that adds the revocation checker.
    var revocationChecker =
            (PKIXRevocationChecker) CertPathValidator.getInstance("PKIX")
                    .getRevocationChecker();
    // You can configure default OCSP responder URI and other options
    // using setters on the revocationChecker if required.
    pkixParams.addCertPathChecker(revocationChecker);
    var tmParams = new CertPathTrustManagerParameters(pkixParams);
    tmf.init(tmParams);

In any future edition of the book I'll add a section explaining revocation checking in more detail.
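As an added, complete example (my own code, not the book's listing or the repository's), here is a helper that loads a trust store, enables revocation checking through an explicit `PKIXRevocationChecker` configured to hard-fail (no `SOFT_FAIL` option, so an unreachable OCSP responder or CRL rejects the connection instead of silently passing), and builds a `java.net.http.HttpClient` from the resulting `SSLContext`. The trust store path `truststore.p12` and password `changeit` are assumptions.

```java
import java.io.FileInputStream;
import java.net.http.HttpClient;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class RevocationCheckingClient {

    // Builds an SSLContext whose PKIX trust manager checks revocation status
    // (OCSP first, CRL fallback) and fails the handshake if status cannot be obtained.
    static SSLContext sslContextWithRevocation(KeyStore trustStore) throws Exception {
        var trustedCerts = new HashSet<TrustAnchor>();
        for (var alias : Collections.list(trustStore.aliases())) {
            if (trustStore.isCertificateEntry(alias)) {
                var cert = (X509Certificate) trustStore.getCertificate(alias);
                trustedCerts.add(new TrustAnchor(cert, null));
            }
        }
        var pkixParams = new PKIXBuilderParameters(trustedCerts, null);
        var checker = (PKIXRevocationChecker)
                CertPathValidator.getInstance("PKIX").getRevocationChecker();
        // An empty option set means: check every cert in the chain, prefer OCSP,
        // fall back to CRLs, and hard-fail when no status can be obtained.
        checker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        pkixParams.addCertPathChecker(checker);

        var tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkixParams));
        var ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed trust store location and password (hypothetical values).
        var trustStore = KeyStore.getInstance("PKCS12");
        try (var in = new FileInputStream("truststore.p12")) {
            trustStore.load(in, "changeit".toCharArray());
        }
        var client = HttpClient.newBuilder()
                .sslContext(sslContextWithRevocation(trustStore))
                .build();
        System.out.println("HttpClient built with revocation checking: " + client);
    }
}
```

If you must tolerate responder outages, add `PKIXRevocationChecker.Option.SOFT_FAIL` to the option set and inspect `checker.getSoftFailExceptions()` after the handshake so skipped checks are at least logged.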