§Configuring Certificate Revocation
Certificate Revocation in JSSE can be done through two means: certificate revocation lists (CRLs) and OCSP.
Certificate Revocation can be very useful in situations where a server’s private keys are compromised, as in the case of Heartbleed.
Certificate Revocation is disabled by default in JSSE. It is defined in two places:
To enable OCSP, you must set the following system properties on the command line:
java -Dcom.sun.security.enableCRLDP=true -Dcom.sun.net.ssl.checkRevocation=true
After doing the above, you can enable certificate revocation in the client:
ws.ssl.checkRevocation = true
checkRevocation will set the internal
ocsp.enable security property automatically:
And this will set OCSP checking when making HTTPS requests.
NOTE: Enabling OCSP requires a round trip to the OCSP responder. This adds a notable overhead on HTTPS calls, and can make calls up to 33% slower. The mitigation technique, OCSP stapling, is not supported in JSSE.
Or, if you wish to use a static CRL list, you can define a list of URLs:
ws.ssl.revocationLists = [ "http://example.com/crl" ]
To test certificate revocation is enabled, set the following options:
ws.ssl.debug = [ "certpath", "ocsp" ]
And you should see something like the following output:
certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker] certpath: connecting to OCSP service at: http://gtssl2-ocsp.geotrust.com certpath: OCSP response status: SUCCESSFUL certpath: OCSP response type: basic certpath: Responder's name: CN=GeoTrust SSL CA - G2 OCSP Responder, O=GeoTrust Inc., C=US certpath: OCSP response produced at: Wed Mar 19 13:57:32 PDT 2014 certpath: OCSP number of SingleResponses: 1 certpath: OCSP response cert #1: CN=GeoTrust SSL CA - G2 OCSP Responder, O=GeoTrust Inc., C=US certpath: Status of certificate (with serial number 159761413677206476752317239691621661939) is: GOOD certpath: Responder's certificate includes the extension id-pkix-ocsp-nocheck. certpath: OCSP response is signed by an Authorized Responder certpath: Verified signature of OCSP Response certpath: Response's validity interval is from Wed Mar 19 13:57:32 PDT 2014 until Wed Mar 26 13:57:32 PDT 2014 certpath: -checker7 validation succeeded
Next: Configuring Hostname Verification