-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCSP responder to serve status check for itself using latest CRL #4504
Commits on Jul 20, 2023
-
Modify init order for OCSP subsystem
The init order for OCSP is modified to allow CRL retrieval before creating connection with DS or other services. Secure`connections will be verified against the CRL. Solve RHCS-4262
Configuration menu - View commit details
-
Copy full SHA for b9a9eb0 - Browse repository at this point
Copy the full SHA b9a9eb0View commit details
Commits on Jul 27, 2023
-
Add callback for CRL validation at application level
Add new field in CMS for a callback validation of certificate instantiated by PKISocketFactory. This is useful for OCSP where the OCSP protocol cannot be enabled and the verification is done on CRLs. Solve RHCS-4262
Configuration menu - View commit details
-
Copy full SHA for 57df77e - Browse repository at this point
Copy the full SHA 57df77eView commit details
Commits on Jul 28, 2023
-
Make crl check for connection optional
Add a new parameter to enable the crl check for OCSP connection when acting as client. The new parameter is `ocsp.store.ldapStore.checkSubsystemConnection` and its default value is `false`. When set to `true` connection certificate are verified using the crl stored in the LDAP.
Configuration menu - View commit details
-
Copy full SHA for e6a1e0c - Browse repository at this point
Copy the full SHA e6a1e0cView commit details
Commits on Jul 31, 2023
-
Add crl check for OCSP acting as server
When OCSP is acting as server certificate can be verified using CRL internally stored. To verify the certificates the `LDAPStore` has to be enabled with the variable `ocsp.store.ldapStore.checkSubsystemConnection` and the variable `auths.revocationChecking.enabled` both set to true. Solve RHCS-4262
Configuration menu - View commit details
-
Copy full SHA for 7ad255e - Browse repository at this point
Copy the full SHA 7ad255eView commit details
Commits on Aug 1, 2023
-
Move callback reference from CMS to CMSEngine
Socket callback moved to CMSEngine to avoid dependencies on global variables.
Configuration menu - View commit details
-
Copy full SHA for d54adc9 - Browse repository at this point
Copy the full SHA d54adc9View commit details
Commits on Aug 3, 2023
-
OCSP default CRL check and CA cert validation
The parameter `ocsp.store.ldapStore.checkSubsystemConnection` default value has been modified to `true` so when LDAPStore is used certificates are verified against the CRL. Additionally, during the certificate verification the certificate signer is verified with the CA certificate providing the CRL to be sure it is the real issuer.
Configuration menu - View commit details
-
Copy full SHA for 1615339 - Browse repository at this point
Copy the full SHA 1615339View commit details
Commits on Aug 4, 2023
-
Rename checkSubsystemConnection to validateConnCertWithCRL
The option `ocsp.store.ldapStore.validateConnCertWithCRL` enables the revocation verification of peer certificates using the CRL stored in the LDAP shared with the CA. When it is set to `true` (default value), the peer certificate of all the outcome connections from the OCSP subsystem are verified with the CRL. If the option `auths.revocationChecking.enabled` is also set to `true` the peer certificate ot all the income connections to the OCSP subsystem are verified with the CRL.
Configuration menu - View commit details
-
Copy full SHA for 2b31525 - Browse repository at this point
Copy the full SHA 2b31525View commit details -
Use AKI/SKI to match peer certificate with CA CRL
Identification of CRL issuing point done by matching Authority Key Identifier with Subject Key Identifier instead of DN matching. This should make more reliable the check because not affected of encoding or format changes in the DN.
Configuration menu - View commit details
-
Copy full SHA for 4366f72 - Browse repository at this point
Copy the full SHA 4366f72View commit details -
Configuration menu - View commit details
-
Copy full SHA for 584cc11 - Browse repository at this point
Copy the full SHA 584cc11View commit details -
Configuration menu - View commit details
-
Copy full SHA for 3513512 - Browse repository at this point
Copy the full SHA 3513512View commit details
Commits on Aug 8, 2023
-
Configuration menu - View commit details
-
Copy full SHA for 47f268c - Browse repository at this point
Copy the full SHA 47f268cView commit details