Closed NeilMadden closed 3 years ago
I've updated the code in the repository to turn on revocation checking by default using the following code:

```java
// Imports needed by this snippet (trustedCerts and tmf are defined
// earlier in the listing).
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import javax.net.ssl.CertPathTrustManagerParameters;

// Enable revocation checking (not in the book).
var pkixParams = new PKIXBuilderParameters(trustedCerts, null);
// You can either set pkixParams.setRevocationEnabled(true) to use
// the default revocation mechanisms configured in java.security.
// Here, we explicitly configure a revocation checker to ensure OCSP
// is turned on (it's off by default). If your CA doesn't support
// revocation checking and you can't fix that (!), then you should
// instead call pkixParams.setRevocationEnabled(false) and
// comment out the following code that adds the revocation checker.
var revocationChecker =
        (PKIXRevocationChecker) CertPathValidator.getInstance("PKIX")
                .getRevocationChecker();
// You can configure default OCSP responder URI and other options
// using setters on the revocationChecker if required.
pkixParams.addCertPathChecker(revocationChecker);
var tmParams = new CertPathTrustManagerParameters(pkixParams);
tmf.init(tmParams);
```
In any future edition of the book I'll add a section explaining revocation checking in more detail.
The secure TLS client configuration given in Chapter 7, listing 7.2, doesn't enable certificate revocation checking, and this is off by default in Java. The example should show how to turn it on, as per [the Java docs](https://docs.oracle.com/en/java/javase/11/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-4E3834C7-E741-499E-9646-3557670FD88A). This can be accomplished either globally by setting the system property:

and then configuring `ocsp.enable=true` to enable OCSP in `java.security` (or via `Security.setProperty`). Alternatively, you can configure revocation checking for a particular `HttpClient` instance using code like the following when initializing the `TrustManagerFactory`:
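A complete client built on the per-`HttpClient` approach described above, added here as an example (it is neither the repository's code nor the snippet from this issue). It assumes a PKCS12 truststore path and password on the command line, and additionally exposes the `SOFT_FAIL` option so the hard-fail versus soft-fail trade-off is visible in code.

```java
import java.net.http.HttpClient;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class RevocationCheckedClient {
    // Returns a TrustManagerFactory whose PKIX validator checks revocation
    // (OCSP first, CRL fallback). With softFail=false the handshake fails
    // whenever the revocation status cannot be determined (hard-fail).
    static TrustManagerFactory revocationCheckingTmf(KeyStore trustStore,
            boolean softFail) throws Exception {
        var pkixParams = new PKIXBuilderParameters(trustStore, null);
        var checker = (PKIXRevocationChecker) CertPathValidator
                .getInstance("PKIX").getRevocationChecker();
        var options = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        if (softFail) {
            // SOFT_FAIL: an unreachable responder/CRL no longer aborts the
            // handshake, so a revoked cert can pass while the responder is
            // down. A definite "revoked" answer still fails the handshake.
            options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        checker.setOptions(options);
        // PKIXParameters clones the checker, so configure it before adding.
        pkixParams.addCertPathChecker(checker);
        var tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkixParams));
        return tmf;
    }

    // Assumed invocation (hypothetical): <truststore.p12> <password>
    public static void main(String[] args) throws Exception {
        var trustStore = KeyStore.getInstance("PKCS12");
        try (var in = Files.newInputStream(Path.of(args[0]))) {
            trustStore.load(in, args[1].toCharArray());
        }
        var sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, revocationCheckingTmf(trustStore, false)
                .getTrustManagers(), null);
        var client = HttpClient.newBuilder().sslContext(sslContext).build();
        System.out.println("Client ready: " + client.sslContext().getProtocol());
    }
}
```

Every connection made through `client` now enforces revocation checking during the TLS handshake; leave `softFail` at `false` unless an unknown revocation status is an acceptable risk for the deployment.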