Support Certificate Revocation List in embedded web server SSL configuration

spring-projects / spring-boot

Spring Boot helps you to create Spring-powered, production-grade applications and services with absolute minimum fuss.

https://spring.io/projects/spring-boot

Apache License 2.0

75.19k stars 40.69k forks source link

Support Certificate Revocation List in embedded web server SSL configuration #6171

Open cfieber opened 8 years ago

cfieber commented 8 years ago

When using SSL client authentication, the ability to revoke and reject a client certificate is useful to ensure that a leaked certificate is no longer able to authenticate with the service without having to create a new CA and truststore.

In Ssl.java add a crlFile attribute as path to the CRL file

In TomcatEmbeddedServletContainerFactory.java#configureSsl (or arguably in TomcatEmbeddedServletContainerFactory.java#configureSslClientAuth only if clientAuth is need or want since the crlFile is used to validate clients) call protocol.setCrlFile

Jetty's SslContextFactory supports setting a crlPath

Undertow looks not so much to support it out of the box, however it does allow TrustManager configuration so the equivalent of org.apache.tomcat.util.net.jsse.JSSESocketFactory#getTrustManagers could be added in UndertowEmbeddedServletContainerFactory

bvulaj commented 6 years ago

Is there currently any workaround for this using embedded Tomcat?

wilkinsona commented 6 years ago

@bvulaj Yes. You can use a connector customiser to access the connector's protocol and configure its crl file. Something like this:

@Bean
public EmbeddedServletContainerCustomizer containerCustomizer() {
    return (container) -> {
        if (container instanceof TomcatEmbeddedServletContainerFactory) {
            ((TomcatEmbeddedServletContainerFactory) container)
                    .addConnectorCustomizers((connector) -> {
                ((AbstractHttp11Protocol<?>) connector.getProtocolHandler())
                        .setCrlFile("…");
            });
        }
    };
}

bobtiernay-okta commented 6 years ago

Looks like this only works for Spring Boot 1.x. Going to try to attempt this for Spring Boot 2. Would be awesome if Spring could help tweak this out of the box for Tomcat. Is the team open to that in the form of PRs?

Cheers!

wilkinsona commented 6 years ago

The general approach will work in 2.0, but you need to use a WebServerCustomizer. A PR would be most welcome. Thank you. To be considered, we’d ideally want it to cover all four containers (Jetty, Netty, Tomcat, and Undertow). Some investigation of what’s possible with Netty and Undertow would be needed.