[cas-dev] X509 Authentication + revoked certificates

Arnaud Lesueur arnaud.lesueur at gmail.com
Wed May 21 17:19:56 EDT 2008


Pavlos,

Did you try turning on the CRL check in the Security Provider?
If your client certificate has CRLDP extensions, with a Sun JVM
and the Sun Security Provider you should be able to do it (not tested yet,
sorry).

In order to do so, you have to set these system properties:
com.sun.net.ssl.checkRevocation=true
com.sun.security.enableCRLDP=true

You might get more debug logging using: java.security.debug=certpath

You might also be able to do it using an OCSP responder on a Sun JRE 6:
http://java.sun.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html

Regards,

Arnaud Lesueur

On Wed, May 21, 2008 at 4:45 PM, Romain BOURGUE
<romain.bourgue at agriculture.gouv.fr> wrote:
> With cas-server-support-x509, a certificate is indeed treated as valid:
>  1- if it matches a trusted issuer DN (subjectDnPattern)...
>  2- ...within a specified range of intermediate CAs (maxPathLength),
>  3- if it's not expired (and already valid),
>  4- if its key usage validates an optionally specified one.
>
> but it doesn't check any Certificate Revocation List (CRL) (yet?).
>
> If you want this check, the easiest way is to rely on mod_ssl installed on an
> Apache front-end web server. The SSLCARevocationPath directive allows you to specify a
> list of CRLs the certificate will be checked against.
>
> You can also develop your own authentication handler....
>
>
> Romain
>
> Pavlos Drandakis wrote:
>> Hello all,
>>
>> From what I understand, a certificate is treated as valid if the current
>> time (when checking) is between the certificate's creation and expiration
>> time. So if a revoked certificate has not expired yet, it is considered
>> valid and access is granted when using X509 authentication. Is there
>> any way to prevent users from logging into CAS when presenting revoked
>> certificates?
>>
>> Thanks,
>>
>> Pavlos
>>
>> (Server Configuration: CAS 3.2.1, Tomcat 6.0.14 with APR support)
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> cas-dev mailing list
>> cas-dev at tp.its.yale.edu
>> http://tp.its.yale.edu/mailman/listinfo/cas-dev



-- 
Arnaud Lesueur

LinkedIn: http://www.linkedin.com/in/lesueur
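The following is an added example (not code from the thread or from CAS) showing what the suggested switches do at the Java CertPath level: a PKIX validation of a client certificate against a trust anchor with revocation checking turned on, so that CRLs are fetched from the certificate's CRL Distribution Point (and, optionally, an OCSP responder from its AIA extension) instead of the certificate passing merely because it is unexpired. The PEM file paths are command-line arguments and are assumptions; the class name `RevocationCheckDemo` is hypothetical.

```java
import java.io.FileInputStream;
import java.security.Security;
import java.security.cert.*;
import java.util.Collections;

/** Hypothetical demo: validate one client certificate with PKIX revocation checking. */
public class RevocationCheckDemo {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: RevocationCheckDemo <client-cert.pem> <ca-cert.pem>");
            System.exit(2);
        }
        // The same switches named in the mail, set programmatically rather than with -D.
        System.setProperty("com.sun.net.ssl.checkRevocation", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");
        // Optional: also query the OCSP responder listed in the cert's AIA extension (JRE 6).
        Security.setProperty("ocsp.enable", "true");

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate client = load(cf, args[0]); // assumed path: the presented client cert
        X509Certificate ca = load(cf, args[1]);     // assumed path: the trusted issuer cert

        CertPath path = cf.generateCertPath(Collections.singletonList(client));
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(ca, null)));
        // Without this, a revoked but unexpired certificate validates successfully.
        params.setRevocationEnabled(true);

        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("VALID: " + client.getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // Revoked certs, and CRLs that cannot be fetched, both end up here.
            System.out.println("REJECTED: " + e.getMessage());
            System.exit(1);
        }
    }

    private static X509Certificate load(CertificateFactory cf, String file) throws Exception {
        FileInputStream in = new FileInputStream(file);
        try {
            return (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }
}
```

Run with `-Djava.security.debug=certpath` to see the CRL fetch and the revocation decision in the log; note that an unreachable distribution point is a validation failure, not a pass, so a CRL endpoint outage locks users out.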

