ocsp

Does X509TrustManagerImpl.checkServerTrusted() handle OCSP by itself if the appropriate properties are set?

烂漫一生 submitted on 2019-12-03 09:11:00
public class CustomTrustManager implements X509TrustManager {
    private X509TrustManager trustManager;
    // If a connection was previously attempted and failed the certificate check, that certificate chain will be saved here.
    private Certificate[] rejectedCertificates = null;
    private Certificate[] encounteredCertificates = null;
    private KeyStore keyStore = null;
    private Logger logger;

    /**
     * Constructor
     *
     * @param loggerFactory
     *            see {@link InstanceLoggerFactory}
     */
    public CustomTrustManager(InstanceLoggerFactory loggerFactory) {
        try {
            this.logger = loggerFactory.getLogger(CustomTrustManager.class)

OCSP check in Java secure sockets

≡放荡痞女 submitted on 2019-12-02 03:44:51
If I set Security.setProperty("ocsp.enable", "true"), will an SSLSocket or SSLServerSocket connection automatically check for certificate revocation using OCSP? Do I have to do the OCSP check manually when creating the socket? (I'm not using CRLs.) You can use this TrustManager implementation I whipped up for some testing which is based on the OCSP checking code on XueLei.Fan's blog. I have used this with Netty based on their HttpSnoopClient hitting https://www.mozilla.org/en-US/ and it works. import io.netty.handler.ssl.util.SimpleTrustManagerFactory; import io.netty.util.internal

OpenSSL certificate revocation check in client program using OCSP stapling

限于喜欢 submitted on 2019-12-01 08:11:14
I have an embedded C client program that securely connects to a server using OpenSSL. The server provides its certificate during the handshake and the client has to check the revocation status of this certificate. Currently I do this by using OCSP. All of this works, but now I need to re-implement the client's revocation check using OCSP stapling (assuming the server will start providing this). Currently I get the server certificate using X509 *cert = SSL_get_peer_certificate(ssl) to check the subjectAltName against my server's domain and get the authorityInfoAccess (for OCSP URI). Assuming I

OpenSSL certificate revocation check in client program using OCSP stapling

不羁岁月 submitted on 2019-11-30 18:06:25
Question: I have an embedded C client program that securely connects to a server using OpenSSL. The server provides its certificate during the handshake and the client has to check the revocation status of this certificate. Currently I do this by using OCSP. All of this works, but now I need to re-implement the client's revocation check using OCSP stapling (assuming the server will start providing this). Currently I get the server certificate using X509 *cert = SSL_get_peer_certificate(ssl) to check

CRL and OCSP behavior of iOS / Security.Framework?

一世执手 submitted on 2019-11-29 07:48:40
Question: I'm trying to figure out what iOS' policy is when verifying certificates using Security.Framework regarding revocation of certificates. I cannot find information about this in the docs for iOS. In the context of an iPad project I'm working on at the moment, there is reason to demand checking revocation status for some certs. Any ideas on how to force CRL / OCSP checking during cert verification using Security.Framework? Or do I need to "fall back" to OpenSSL to accomplish this? It seems

OCSP Revocation on client certificate

独自空忆成欢 submitted on 2019-11-28 20:35:00
Question: How do I manually check for certificate revocation status in Java using OCSP, given just a client's java.security.cert.X509Certificate? I can't see a clear way to do it. Alternatively, can I make Tomcat do it for me automatically, and how do you know your solution to be true?
Answer 1: I found a most excellent solution: http://www.docjar.com/html/api/sun/security/provider/certpath/OCSP.java.html
/**
 * This is a class that checks the revocation status of a certificate(s) using
 * OCSP. It is