Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OF-2134: Add option to enable certificate revocation checks #2610

Merged
merged 6 commits into from
Nov 25, 2024

Conversation

viv
Copy link
Collaborator

@viv viv commented Nov 19, 2024

When enabled, certificates will be verified against Certificate Revocation Lists (CRL) and through Online Certificate Status Protocol (OCSP) to ensure they have not been revoked.

Additional settings are required to support OCSP, I plan to add these shortly.

@viv viv changed the title feat: Add option to enable certificate revocation checks OF-2134: Add option to enable certificate revocation checks Nov 19, 2024
@viv
Copy link
Collaborator Author

viv commented Nov 19, 2024

I am planning to add the documentation changes to this PR but won't get a chance to do that until tomorrow.

When enabled, certificates will be verified against Certificate Revocation Lists (CRL) and through Online Certificate Status Protocol (OCSP) to ensure they have not been revoked.
- Permit client-driven OCSP (has no effect unless revocation checking is also enabled) by adding property to java.security settings.
- Enable OCSP stapling by specifying jdk.tls.server.enableStatusRequestExtension=true Java system property.

With this default configuration:

- as a client: Openfire will behave in the same way as it did prior to this commit.
- as a server: Openfire will staple OCSP responses when presenting its certificate if the certificate is configured with an OCSP responder and Openfire receives a response from the listed responder, otherwise the certificate will be presented with no OCSP response (the default behaviour prior to this commit).

For further configuration options see: https://docs.oracle.com/en/java/javase/17/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-527BAE97-3B78-4390-A479-623BD998C4EE
@viv viv force-pushed the OF-2134_cert-revocation-support branch from c073eec to 42de835 Compare November 20, 2024 14:10
@viv viv marked this pull request as ready for review November 20, 2024 14:10
@guusdk
Copy link
Member

guusdk commented Nov 21, 2024

We've discussed this in a video call, but I'd like to capture two points that may need additional attention:

  • If we configure Openfire to do revocation checking, but when Java is configured to not support (eg missing java security settings that enable OCSP), we should possibly inform the user that their system is not optimally configured (by having a warning on the admin console)
  • When 'mutual authentication' is used (SASL EXTERNAL, either in client-to-server or server-to-server), then the 'client' in provides a certificate to the server. This certificate should also be the subject of revocation checks.

Prior to this change, if the TLS handshake failed (e.g. if certificate validation did not succeed), an error stanza would be returned to the TLS client with the misleading message "An error occurred in XMPP Decoder".
… not

If Openfire is configured to do revocation checking, but Java is configured to not support client-driven OCSP checking, we now inform the user.
@guusdk guusdk merged commit 930041a into igniterealtime:main Nov 25, 2024
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants