Hi Frank,
Is there a way we can get the server-side certificate and the issuer certificate from the TLS connection or session object in an application where we use SNMP4J?
Also, if possible, please let us know if there is a sample program where OCSP validation is tried using SNMP4J.
I cannot answer your first question, please check the Java documentation.
Second: Have a look at the SNMP4J TLSTMTestWithCertRevocationChecking unit test.
We tried the same unit test (TLSTMTestWithCertRevocationChecking) by providing ocsp.responderURL both in the certificate as well as by setting the system property.
The test case failed, as the connection establishment happens successfully
and the validation is assertFalse.
As written before, the OCSP validation is done completely on behalf of the Java runtime. I will not write test cases or debug various Java runtimes.
I assume that you can confirm that the Java runtime is doing OCSP when configured, right?
Hi Vikas,
There is more needed in code than setting properties. I will post the code here soon when I have looked it up from the SNMP4J sources…
But what is necessary is documented by the Java security API, thus I am a bit astonished that you did not apply it.
Best regards
Frank
To activate OCSP, you need to create your own PKIXRevocationChecker class because the following default disables OCSP:
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXRevocationChecker;
import java.util.EnumSet;
import javax.net.ssl.TrustManagerFactory;

/**
* Creates a default revocation checker with CRL check only (no OCSP) and check is limited to end entity only.
* @return
* a simple revocation checker to be used with {@link #setPKIXRevocationChecker(PKIXRevocationChecker)}.
* @since 3.6.0
*/
public static PKIXRevocationChecker createDefaultPKIXRevocationChecker() {
CertPathBuilder cpb;
try {
// The default TrustManagerFactory algorithm ("PKIX") doubles as the CertPathBuilder algorithm.
cpb = CertPathBuilder.getInstance(TrustManagerFactory.getDefaultAlgorithm());
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker)cpb.getRevocationChecker();
// Relaxed checking - avoid OCSP because of 33% overhead on TLS connection creation:
revocationChecker.setOptions(EnumSet.of(
PKIXRevocationChecker.Option.PREFER_CRLS, // prefer CRL over OCSP
PKIXRevocationChecker.Option.ONLY_END_ENTITY, // do not check intermediate CA certificates
PKIXRevocationChecker.Option.NO_FALLBACK)); // do not fall back to OCSP
return revocationChecker;
}
I even tried the piece of code you had, which would be the same as the change in TLSTMUtil, but still the connection establishment happens without a revocation check.
Ok, then I cannot help any further. I saw the OCSP revocation checking code called in the JRE. What then happens within the JRE is outside of my responsibility.
Are you really sure an HTTP connection to the OCSP server would be acceptable for the JRE?
The issue was that the truststore contained the full certificate chain, due to which it was not invoking the OCSP revocation check.
It works fine by setting only the two properties below, when the truststore has only the CA in it.
System.setProperty("com.sun.net.ssl.checkRevocation", "true");
Security.setProperty("ocsp.enable", "true");
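The following is an added example, not code from SNMP4J or from either participant, that puts the thread's findings together in plain JSSE: a PKIXRevocationChecker that actually performs OCSP (the counterpart of the relaxed default checker quoted above), wired into a trust manager built from a truststore that holds only the CA, plus the peer-chain lookup asked about in the first question. The class name OcspTrustExample, the command-line arguments (host, port, truststore path, password, optional responder URI) and the assumption that the truststore is a JKS/PKCS12 file are mine and not taken from the thread.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Added example (not SNMP4J code): JSSE trust manager that OCSP-checks the whole peer chain. */
public final class OcspTrustExample {

    /** Counterpart of the relaxed default checker: OCSP preferred, CRLs remain the fallback. */
    static PKIXRevocationChecker createOcspRevocationChecker(URI responderOverride)
            throws GeneralSecurityException {
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) cpb.getRevocationChecker();
        // Empty option set: OCSP first (responder taken from the certificate's AIA extension),
        // CRL fallback allowed, every certificate in the chain checked. PREFER_CRLS/NO_FALLBACK
        // would switch OCSP off again, ONLY_END_ENTITY would skip the intermediates, and
        // SOFT_FAIL is deliberately absent so an unreachable responder fails closed.
        checker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        if (responderOverride != null) {
            // Per-checker equivalent of the ocsp.responderURL security property.
            checker.setOcspResponder(responderOverride);
        }
        return checker;
    }

    static SSLContext createClientContext(String caTruststorePath, char[] storePassword,
                                          URI responderOverride)
            throws GeneralSecurityException, IOException {
        // The truststore must hold the CA only. A server or intermediate certificate placed
        // here becomes a trust anchor itself, the path ends at it, and nothing below an
        // anchor is left to revocation-check (the cause of the failure seen in the thread).
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(caTruststorePath)) {
            trust.load(in, storePassword);
        }
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trust, new X509CertSelector());
        // An explicitly added PKIXRevocationChecker is used regardless of the RevocationEnabled
        // flag, so the com.sun.net.ssl.checkRevocation / ocsp.enable properties are not needed here.
        pkix.addCertPathChecker(createOcspRevocationChecker(responderOverride));

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Peer chain from the session: [0] is the server certificate, [1] its issuer, and so on. */
    static X509Certificate[] peerChain(SSLSocket socket) throws IOException {
        Certificate[] certs = socket.getSession().getPeerCertificates();
        X509Certificate[] chain = new X509Certificate[certs.length];
        for (int i = 0; i < certs.length; i++) {
            chain[i] = (X509Certificate) certs[i];
        }
        return chain;
    }

    /** Usage: java OcspTrustExample <host> <port> <ca-truststore> <password> [ocsp-responder-uri] */
    public static void main(String[] args) throws Exception {
        URI responder = args.length > 4 ? URI.create(args[4]) : null;
        SSLContext ctx = createClientContext(args[2], args[3].toCharArray(), responder);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[0], Integer.parseInt(args[1]))) {
            socket.startHandshake(); // the OCSP request goes out here, before the handshake completes
            for (X509Certificate c : peerChain(socket)) {
                System.out.println(c.getSubjectX500Principal() + " issued by " + c.getIssuerX500Principal());
            }
        } catch (SSLHandshakeException e) {
            // A revoked certificate surfaces as a CertPathValidatorException with reason REVOKED.
            Throwable cause = e;
            while (cause.getCause() != null && !(cause instanceof CertPathValidatorException)) {
                cause = cause.getCause();
            }
            if (cause instanceof CertPathValidatorException) {
                System.out.println("path validation failed: " + ((CertPathValidatorException) cause).getReason());
            }
            throw e;
        }
    }
}
```

To reproduce the failure mode discussed in the thread, import the server certificate into the truststore in addition to the CA: the handshake then succeeds with no OCSP request on the wire, because the server certificate is accepted as a trust anchor. With only the CA present, a revoked server certificate makes startHandshake() fail and the printed reason is REVOKED.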