From 930041a1a4da7ecde0d864981faa6d50a5d419c0 Mon Sep 17 00:00:00 2001 From: Matthew Vivian Date: Fri, 22 Nov 2024 11:18:01 +0000 Subject: [PATCH] feat: Add notice when revocation is enabled but client-driven OCSP is not If Openfire is configured to do revocation checking, but Java is configured to not support client-driven OCSP checking, we now inform the user. --- i18n/src/main/resources/openfire_i18n.properties | 1 + .../openfire/spi/ConnectionConfiguration.java | 16 ++++++++++++++++ .../main/webapp/connection-settings-advanced.jsp | 6 ++++++ 3 files changed, 23 insertions(+) diff --git a/i18n/src/main/resources/openfire_i18n.properties b/i18n/src/main/resources/openfire_i18n.properties index 494e74daed..1cca96b52a 100644 --- a/i18n/src/main/resources/openfire_i18n.properties +++ b/i18n/src/main/resources/openfire_i18n.properties @@ -1635,6 +1635,7 @@ connection.advanced.settings.clientauth.label_disabled=Disabled - Peer ce connection.advanced.settings.clientauth.label_wanted=Wanted - Peer certificates are verified, but only when they are presented by the peer. connection.advanced.settings.clientauth.label_needed=Needed - A connection cannot be established if the peer does not present a valid certificate. connection.advanced.settings.clientauth.label_strict_cert_validation=If attempting to validate a certificate fails, the connection is closed and not attempted via dialback authentication. +connection.advanced.settings.certchain.ocsp.warning=Your server is configured with the Java security property ocsp.enable=false which disables client-driven OCSP certificate revocation checking. While OCSP stapling validation and CRL checking remain active, Openfire will not perform direct OCSP requests to verify certificate status. connection.advanced.settings.certchain.boxtitle=Certificate chain checking connection.advanced.settings.certchain.info=These options configure some aspects of the verification/validation of the certificates that are presented by peers while setting up encrypted connections. connection.advanced.settings.certchain.label_selfsigned=Allow peer certificates to be self-signed. diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/spi/ConnectionConfiguration.java b/xmppserver/src/main/java/org/jivesoftware/openfire/spi/ConnectionConfiguration.java index 9984b1a69a..24bcf49272 100644 --- a/xmppserver/src/main/java/org/jivesoftware/openfire/spi/ConnectionConfiguration.java +++ b/xmppserver/src/main/java/org/jivesoftware/openfire/spi/ConnectionConfiguration.java @@ -20,6 +20,7 @@ import org.jivesoftware.openfire.keystore.*; import java.net.InetAddress; +import java.security.Security; import java.util.*; /** @@ -50,6 +51,7 @@ public class ConnectionConfiguration private final Connection.CompressionPolicy compressionPolicy; // derived + private final boolean isOcspEnabled; private final IdentityStore identityStore; private final TrustStore trustStore; @@ -100,6 +102,7 @@ public ConnectionConfiguration( ConnectionType type, boolean enabled, int maxThr this.compressionPolicy = compressionPolicy; this.strictCertificateValidation = strictCertificateValidation; + this.isOcspEnabled = Boolean.parseBoolean(Security.getProperty("ocsp.enable")); final CertificateStoreManager certificateStoreManager = XMPPServer.getInstance().getCertificateStoreManager(); this.identityStore = certificateStoreManager.getIdentityStore( type ); this.trustStore = certificateStoreManager.getTrustStore( type ); @@ -229,6 +232,19 @@ public TrustStore getTrustStore() return trustStore; } + /** + * Indicates if client-driven Online Certificate Status Protocol (OCSP) is enabled. + * + * This is a prerequisite to enable client-driven OCSP, it has no effect unless revocation + * checking is also enabled. + * + * @return true if client-driven OCSP is enabled, otherwise false. + */ + public boolean isOcspEnabled() + { + return isOcspEnabled; + } + public boolean isEnabled() { return enabled; diff --git a/xmppserver/src/main/webapp/connection-settings-advanced.jsp b/xmppserver/src/main/webapp/connection-settings-advanced.jsp index 3b396ea5b3..1641d49d1e 100644 --- a/xmppserver/src/main/webapp/connection-settings-advanced.jsp +++ b/xmppserver/src/main/webapp/connection-settings-advanced.jsp @@ -310,6 +310,12 @@ + + + + + +