-
1. Re: JBoss CRL Configuration
kpcowell Aug 30, 2011 4:09 AM (in response to kpcowell)
Is it fair to assume, judging by the silence, that this is not supported? Any idea who I could contact within the JBoss area who could confirm this?
Any help much appreciated.
-
2. Re: JBoss CRL Configuration
adamkal Dec 13, 2011 2:46 PM (in response to kpcowell)
I've been investigating this and found the following attribute in the Web subsystem schema:
    <xs:attribute name="ca-revocation-url">
        <xs:annotation>
            <xs:documentation>
                A file or URL to get the revocation list. (actually: crlFile is JSSE and SSLCARevocationFile in OpenSSL)
            </xs:documentation>
        </xs:annotation>
    </xs:attribute>
This attribute is likely the attribute mislabeled as "ca-certificate-file" here:
http://docs.jboss.org/jbossweb/7.0.x/config/ssl.html
However, best I can tell, JBoss is completely ignoring this file, even after a restart. I tried both crlFile and SSLCARevocationFile as well, but neither exists within the Web subsystem schema. Could anyone confirm if this functionality is actually implemented?
-
3. Re: JBoss CRL Configuration
kpcowell Dec 14, 2011 2:51 AM (in response to adamkal)
Adam,
Thanks for the reply. At least it is something I can take a look at. If I manage to get it working I will reply with how I did it.
Many thanks,
Kevin
-
4. Re: JBoss CRL Configuration
adamkal Dec 14, 2011 11:37 AM (in response to kpcowell)
I went ahead and downloaded the latest sources and searched for every reference to the ca-revocation-url attribute. As far as I can tell, the attribute is correctly parsed and stored, but never referenced. Hopefully, I'm just missing something and there's a way to get this working without delving into the JBoss source.
Edit:
Ok, there was something I missed: in WebConnectorService.java, the CA_REVOCATION_URL is used with OpenSSL but ignored with JSSE. This appears to be a bug, since the documentation suggests otherwise.
-
5. Re: JBoss CRL Configuration
adamkal Dec 14, 2011 2:37 PM (in response to kpcowell)
OK, as I mentioned, CA_REVOCATION_URL is ignored when using JSSE (the default). I added the following code to WebConnectorService.java, line 231:
    // Pass the configured CRL location to the JSSE protocol handler as its "crlFile" attribute
    if (ssl.hasDefined(Constants.CA_REVOCATION_URL)) {
        Method m = connector.getProtocolHandler().getClass().getMethod("setAttribute", String.class, Object.class);
        m.invoke(connector.getProtocolHandler(), "crlFile", ssl.get(Constants.CA_REVOCATION_URL).asString());
    }
After adding this code and recompiling the latest JBoss snapshot, the CA_REVOCATION_URL was correctly used to point to my CRL.
-
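An offline check to pair with the fix in post 5, added here as an example (it is not code from the thread or from JBoss): it validates one client certificate against a CA certificate and a CRL file using the JDK's PKIX validator with revocation checking enabled. The class name CrlCheck and the three file arguments are assumptions; supply your own CA certificate, client certificate and CRL.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.Collection;
import java.util.Collections;

// Added example (hypothetical class name). Usage, with your own PEM or DER files:
//   java CrlCheck ca-cert.pem client-cert.pem ca.crl
public class CrlCheck {

    private static X509Certificate loadCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java CrlCheck <ca-cert> <client-cert> <crl-file>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca = loadCert(cf, args[0]);
        X509Certificate client = loadCert(cf, args[1]);

        // Parse every CRL in the file; an empty result means the file is unusable.
        Collection<? extends CRL> crls;
        try (InputStream in = new FileInputStream(args[2])) {
            crls = cf.generateCRLs(in);
        }
        if (crls.isEmpty()) {
            System.err.println("no CRL could be parsed from " + args[2]);
            System.exit(2);
        }
        for (CRL crl : crls) {
            X509CRL x = (X509CRL) crl;
            System.out.println("CRL issuer=" + x.getIssuerX500Principal()
                    + " nextUpdate=" + x.getNextUpdate());
        }

        // Trust only the given CA and require a revocation answer from the supplied CRLs.
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(ca, null)));
        params.setRevocationEnabled(true);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));

        CertPath path = cf.generateCertPath(Collections.singletonList(client));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("ACCEPTED: certificate is valid and not on the CRL");
        } catch (CertPathValidatorException e) {
            System.out.println("REJECTED: " + e.getMessage());
        }
    }
}
```

If this prints REJECTED for a certificate that the HTTPS connector still accepts, the connector is not applying the CRL. A CRL past its nextUpdate date, or one not issued by the certificate's issuer, also produces REJECTED here because the revocation status cannot be determined.
-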
6. Re: JBoss CRL Configuration
kpcowell Dec 15, 2011 3:26 AM (in response to adamkal)
Adam,
Thank you very much for your help. I will try this in the new year.
Merry Christmas.
Kevin
-
7. Re: JBoss CRL Configuration
jaikiran Dec 16, 2011 3:57 AM (in response to adamkal)
Thanks for looking into this and proposing the fix. I have issued a pull request with your proposed fix https://github.com/jbossas/jboss-as/pull/927 so that this gets committed upstream.
By the way, if you do fix issues like these then feel free to provide them as patches to the AS7 upstream. Here's how you can do that http://community.jboss.org/wiki/HackingonAS7
-
8. Re: JBoss CRL Configuration
adamkal Dec 16, 2011 9:32 AM (in response to jaikiran)
Thanks. I actually just set up a git client yesterday and was planning on proposing the fix when I got a chance, but this saves me the trouble.