Skip to content

Commit

Permalink
feat: Add notice when revocation is enabled but client-driven OCSP is…
Browse files Browse the repository at this point in the history
… not

If Openfire is configured to do revocation checking, but Java is configured to not support client-driven OCSP checking, we now inform the user.
  • Loading branch information
viv authored and guusdk committed Nov 25, 2024
1 parent bbe98bd commit 930041a
Show file tree
Hide file tree
Showing 3 changed files with 23 additions and 0 deletions.
1 change: 1 addition & 0 deletions i18n/src/main/resources/openfire_i18n.properties
Original file line number Diff line number Diff line change
Expand Up @@ -1635,6 +1635,7 @@ connection.advanced.settings.clientauth.label_disabled=<b>Disabled</b> - Peer ce
connection.advanced.settings.clientauth.label_wanted=<b>Wanted</b> - Peer certificates are verified, but only when they are presented by the peer.
connection.advanced.settings.clientauth.label_needed=<b>Needed</b> - A connection cannot be established if the peer does not present a valid certificate.
connection.advanced.settings.clientauth.label_strict_cert_validation=If attempting to validate a certificate fails, the connection is closed and not attempted via dialback authentication.
connection.advanced.settings.certchain.ocsp.warning=Your server is configured with the Java security property <code>ocsp.enable=false</code> which disables client-driven OCSP certificate revocation checking. While OCSP stapling validation and CRL checking remain active, Openfire will not perform direct OCSP requests to verify certificate status.
connection.advanced.settings.certchain.boxtitle=Certificate chain checking
connection.advanced.settings.certchain.info=These options configure some aspects of the verification/validation of the certificates that are presented by peers while setting up encrypted connections.
connection.advanced.settings.certchain.label_selfsigned=Allow peer certificates to be self-signed.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
import org.jivesoftware.openfire.keystore.*;

import java.net.InetAddress;
import java.security.Security;
import java.util.*;

/**
Expand Down Expand Up @@ -50,6 +51,7 @@ public class ConnectionConfiguration
private final Connection.CompressionPolicy compressionPolicy;

// derived
private final boolean isOcspEnabled;
private final IdentityStore identityStore;
private final TrustStore trustStore;

Expand Down Expand Up @@ -100,6 +102,7 @@ public ConnectionConfiguration( ConnectionType type, boolean enabled, int maxThr
this.compressionPolicy = compressionPolicy;
this.strictCertificateValidation = strictCertificateValidation;

this.isOcspEnabled = Boolean.parseBoolean(Security.getProperty("ocsp.enable"));
final CertificateStoreManager certificateStoreManager = XMPPServer.getInstance().getCertificateStoreManager();
this.identityStore = certificateStoreManager.getIdentityStore( type );
this.trustStore = certificateStoreManager.getTrustStore( type );
Expand Down Expand Up @@ -229,6 +232,19 @@ public TrustStore getTrustStore()
return trustStore;
}

/**
* Indicates if client-driven Online Certificate Status Protocol (OCSP) is enabled.
*
* This is a prerequisite to enable client-driven OCSP, it has no effect unless revocation
* checking is also enabled.
*
* @return true if client-driven OCSP is enabled, otherwise false.
*/
public boolean isOcspEnabled()
{
return isOcspEnabled;
}

public boolean isEnabled()
{
return enabled;
Expand Down
6 changes: 6 additions & 0 deletions xmppserver/src/main/webapp/connection-settings-advanced.jsp
Original file line number Diff line number Diff line change
Expand Up @@ -310,6 +310,12 @@
</admin:infoBox>
</c:if>

<c:if test="${configuration.verifyCertificateRevocation && !configuration.ocspEnabled}">
<admin:infobox type="info">
<fmt:message key="connection.advanced.settings.certchain.ocsp.warning" />
</admin:infobox>
</c:if>

<!-- Introduction at the top of the page -->
<p>
<fmt:message key="connection.advanced.settings.info">
Expand Down

0 comments on commit 930041a

Please sign in to comment.