Hi Frank ,
Is there a way we can get the server side certificate and issue certificate from the TLS connection or session object in the application where we use snmp4J.
Also if possible please let us know if the sample program where the OCSP validation is tried using snmp4j .
Regards,
Vikas
Hi Vikas,
I cannot answer your first question, please check the Java documentation.
Second: Have a look at the SNMP4J TLSTMTestWithCertRevocationChecking unit test.
Best regards,
Frank
Hi Frank ,
With the unit tests which you shared looks like it might work for certificate revocation lists (CRL) .
We are looking for OCSP method where the certificate contains the OCSP URL
or by setting the URL as security property Security.setProperty(“ocsp.responderURL”,“http://127.0.0.1:8080”);
In TLSTMTestWithCertRevocationChecking unit test we don’t see the OCSP url being used neither in the code nor in the certificates .
Can you please confirm if OCSP support is available in snmp4j and the specific tests are available and are executed successfully.
Hi Frank ,
We tried the the same unit test (TLSTMTestWithCertRevocationChecking ) by providing ocsp.responderURL both in certificate as well as setting the system property .
The test case failed as the connection establishment happens successfully
and validation is assertFalse
Regards,
Vikas
As written before, the OSCP validation is done by completely on behalf of the Java runtime. I will not write test cases or debug various Java runtimes.
I assume that you can confirm that the Java runtime is doing OSCP when configured, right?
Best reference
Frank
Have you activated/allowed OSCP in your Paramus handler code? By default it is not active!
Hi Frank ,
I had enabled OCSP in security properties file , but it had not worked even when it was set in code
Regards
Vikas
Hi Vikas,
There is more needed in code than setting properties. I will post the code here soon when I have looked it up from the SNMP4J sources…
But what is necessary is documented by the Java security API, thus I am bit astonished that you did not apply it.
Best regards
Frank
The following unit test uses the default parameter initialisation which disables OCSP:
public void sendMessageWithRevokedServerCertificateWithCustomRevocationChecker() throws Exception {
tlstmCR.setX09CertificateRevocationListURI(null);
tlstmCS.setX09CertificateRevocationListURI(null);
PKIXRevocationChecker certPathChecker = TLSTMUtil.createDefaultPKIXRevocationChecker();
certPathChecker.setOptions(EnumSet.of(
PKIXRevocationChecker.Option.ONLY_END_ENTITY));
certPathChecker.setOcspResponses(Collections.emptyMap());
tlstmCR.setPKIXRevocationChecker(certPathChecker);
tlstmCS.setPKIXRevocationChecker(certPathChecker);
To activate OCSP, you need to create your own PKIXRevocationChecker class because the following default disables OCSP:
/**
* Creates a default revocation checker with CRL check only (no OCSP) and check is limited to end entity only.
* @return
* a simple revocation checker to be used with {@link #setPKIXRevocationChecker(PKIXRevocationChecker)}.
* @since 3.6.0
*/
public static PKIXRevocationChecker createDefaultPKIXRevocationChecker() {
CertPathBuilder cpb;
try {
cpb = CertPathBuilder.getInstance(TrustManagerFactory.getDefaultAlgorithm());
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker)cpb.getRevocationChecker();
// Relaxed checking - avoid OCSP because of 33% overhead on TLS connection creation:
revocationChecker.setOptions(EnumSet.of(
PKIXRevocationChecker.Option.PREFER_CRLS, // prefer CLR over OCSP
PKIXRevocationChecker.Option.ONLY_END_ENTITY,
PKIXRevocationChecker.Option.NO_FALLBACK)); // do not fall back to OCSP
return revocationChecker;
}
The following could work for example (untested):
public static PKIXRevocationChecker createOcspPKIXRevocationChecker() {
CertPathBuilder cpb;
try {
cpb = CertPathBuilder.getInstance(TrustManagerFactory.getDefaultAlgorithm());
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker)cpb.getRevocationChecker();
revocationChecker.setOptions(EnumSet.of(
PKIXRevocationChecker.Option.ONLY_END_ENTITY));
return revocationChecker;
}Hi Frank ,
Sorry, I had forgot to mention that change . I had directly made the change in TLSTMUtil.java
I even tried the piece of code which you had which would be same as the change in TLSTMUtil but still connection establishment happens without revocation check .
Regards,
Vikas
Ok, then I cannot help any further. I saw the OSCP revocation checking code called in the JRE. What then happens within the JRE is outside of my responsibility.
Are you really sure a http connection to the OSCP server would be acceptable for the JRE?
Hi Frank,
The issue was that the truststore contained the full certificate chain, due to which it was not invoking the OCSP revocation check.
It works fine by setting only the below 2 properties. when the truststore has only the CA in it .
System.setProperty(com.sun.net.ssl.checkRevocation, true);
Security.setProperty(ocsp.enable, true)
Thank you for the support .
Regards ,
Vikas
