Details
- Improvement
- Status: Closed
- Minor
- Resolution: Won't Fix
- Operating System: All
- Platform: Other
- 35932
Description
From what I see, this is not yet supported: am I connecting to a correct https server with a non-revoked key/certificate?

It would be great if the http-client did such revocation checking as per the CDPs/OCSPs that might be listed in its certificate(-path).

While at least some basic CRL support is available since JDK 1.4, OCSP only appears to have been added in 1.5 (and unfortunately it looks like this is mainly done on a global basis and thus not necessarily always thread-safe: http://java.sun.com/j2se/1.5.0/docs/guide/security/pki-tiger.html).

Promising complementary open source building blocks appear to be available in http://www.bouncycastle.org/devmailarchive/msg03437.html and http://www.bouncycastle.org/devmailarchive/msg03459.html, ...

I guess one approach might be to extend Oleg's nice AuthSSLProtocolSocketFactory to make sure that revoked server certificates that pass the PKIX cert-path validation, etc. are blocked according to the CDPs/OCSPs/Netscape Revocation URLs (Thawte).

Too bad we missed the Google Summer of Code (http://wiki.apache.org/general/SummerOfCode2005) with this.

Similar RFE for SOAP is http://issues.apache.org/jira/browse/AXIS-2154
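As an added illustration (not code from this issue, from HttpClient, or from AuthSSLProtocolSocketFactory), the following shows the client-side check the reporter asks for using the standard JSSE API rather than the JDK 1.5 global properties: a PKIX trust manager with an explicit PKIXRevocationChecker (Java 8 and later) that consults the OCSP responder and CRL distribution points named in the server's chain and hard-fails the handshake on a revoked or unverifiable certificate. The trust store path, password and URL are assumed command-line inputs.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class RevocationCheckingHttpsClient {
    // Builds an SSLContext whose PKIX trust manager rejects server certificates
    // that are revoked according to the OCSP responder (AIA) or CRL distribution
    // points (CDP) named in the certificate chain.
    static SSLContext revocationCheckingContext(KeyStore trustStore) throws Exception {
        // Path building is constrained to the CA certificates in the trust store.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        // Explicit per-context revocation checker (Java 8+). With no options set,
        // OCSP is tried first and CRLs are the fallback for every certificate in
        // the chain; SOFT_FAIL is deliberately absent, so an unreachable responder
        // or missing CRL fails the handshake instead of silently passing.
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) cpb.getRevocationChecker();
        checker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        params.addCertPathChecker(checker);
        params.setRevocationEnabled(true); // the explicit checker replaces the default mechanism
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: <truststore.p12> <password> <https-url>
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        conn.setSSLSocketFactory(revocationCheckingContext(ts).getSocketFactory());
        // A revoked server certificate surfaces here as an SSLHandshakeException
        // wrapping a CertPathValidatorException with reason REVOKED.
        System.out.println("HTTP " + conn.getResponseCode() + " from " + args[2]);
    }
}
```

Because the checker is attached to one SSLContext rather than set through the JVM-wide ocsp.enable property, it avoids the global-configuration concern raised above.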
Issue Links
- is depended upon by HTTPCLIENT-484: Fold AuthSSLProtocolSocketFactory into HttpClient proper (Closed)