How-to Enable (D)TLS Certificate Revocation Checking?
Last modified by Frank Fock on 2024/05/25 20:45
By default, SNMP4J does not perform certificate revocation checking when establishing or accepting DTLS or TLS connections: a peer presenting a revoked certificate is still accepted as long as its certificate path validates against the configured trust store.
To enable revocation checking, there are basically three options:
- Provide a CRL file for certificate path checking
- Use OCSP revocation checking
- Other certificate path checking
CRL
CRL File (OpenSSL Format)
import org.snmp4j.smi.TlsAddress;
import org.snmp4j.transport.TLSTM;
// Enable revocation checking in the JDK PKIX validator. The property is read once, when the
// first TLS context is initialized, so it must be set before any TLSTM is created and cannot
// be changed again at runtime:
System.setProperty("com.sun.net.ssl.checkRevocation", "true");
// The TLSTM constructors throw IOException and URL.toURI() throws URISyntaxException;
// declare or catch both in the enclosing method.
TLSTM tlstmCommandSender = new TLSTM();
tlstmCommandSender.setServerEnabled(false);
// Activate CRL checking for the command sender (CRL listing revoked server certificates):
tlstmCommandSender.setX09CertificateRevocationListURI(getClass().getResource("tls/crl_servers.pem").toURI().toString());
TLSTM tlstmCommandResponder = new TLSTM(new TlsAddress("127.0.0.1/0"));
// Activate CRL checking for the command responder (CRL listing revoked client certificates):
tlstmCommandResponder.setX09CertificateRevocationListURI(getClass().getResource("tls/crl_clients.pem").toURI().toString());
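Before pointing a TLSTM at a CRL file it is worth checking, offline, that the file is well formed, signed by the expected CA and actually covers the peer certificates you care about, and seeing how the JDK behaves when the CRL is missing. The following program is an added example, not code from this page or from SNMP4J; it uses only the JDK PKIX APIs (the same validator JSSE, and therefore TLSTM, relies on once com.sun.net.ssl.checkRevocation is set). The file names tls/ca.pem and tls/server.pem are assumptions, as is the assumption that the peer PEM file lists the leaf certificate first; tls/crl_servers.pem is the CRL name used above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

/**
 * Offline check of a CRL file (PEM or DER) for JDK PKIX revocation checking.
 * Added example, not SNMP4J code. File names are assumptions.
 */
public class CrlCheck {

    static final String CA_PEM   = "tls/ca.pem";          // assumed: trust anchor
    static final String CRL_PEM  = "tls/crl_servers.pem"; // CRL issued by that CA
    static final String PEER_PEM = "tls/server.pem";      // assumed: leaf (+ intermediates), leaf first

    /** Result of one validation run. */
    public enum Outcome { VALID, REVOKED, STATUS_UNKNOWN, OTHER_FAILURE }

    static Collection<? extends Certificate> loadCerts(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return CertificateFactory.getInstance("X.509").generateCertificates(in);
        }
    }

    static Collection<? extends CRL> loadCrls(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return CertificateFactory.getInstance("X.509").generateCRLs(in);
        }
    }

    /**
     * Validates peerChain against the CA using only the given CRLs (no network
     * fetches). With an empty CRL collection the revocation status cannot be
     * determined and the JDK fails closed unless SOFT_FAIL is requested.
     */
    static Outcome validate(Collection<? extends Certificate> peerChain,
                            X509Certificate ca,
                            Collection<? extends CRL> crls,
                            boolean softFail) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(new ArrayList<>(peerChain));

        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(ca, null)));
        params.setRevocationEnabled(true);
        // Make the CRL(s) available to the validator through an in-memory CertStore.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(new ArrayList<>(crls))));

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        // Adding our own PKIXRevocationChecker replaces the default mechanism:
        // use CRLs only, never fall back to OCSP.
        PKIXRevocationChecker rc = (PKIXRevocationChecker) validator.getRevocationChecker();
        EnumSet<PKIXRevocationChecker.Option> opts = EnumSet.of(
                PKIXRevocationChecker.Option.PREFER_CRLS,
                PKIXRevocationChecker.Option.NO_FALLBACK);
        if (softFail) {
            opts.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        rc.setOptions(opts);
        params.addCertPathChecker(rc);

        try {
            validator.validate(path, params);
            return Outcome.VALID;
        } catch (CertPathValidatorException e) {
            if (e.getReason() == CertPathValidatorException.BasicReason.REVOKED) {
                return Outcome.REVOKED;
            }
            if (e.getReason() == CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                return Outcome.STATUS_UNKNOWN;
            }
            System.err.println("validation failed: " + e.getReason() + ": " + e.getMessage());
            return Outcome.OTHER_FAILURE;
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate ca = (X509Certificate) loadCerts(CA_PEM).iterator().next();
        Collection<? extends Certificate> peer = loadCerts(PEER_PEM);
        Collection<? extends CRL> crls = loadCrls(CRL_PEM);

        // Sanity-check the CRL itself: signature by the CA, issuer, freshness, size.
        for (CRL c : crls) {
            X509CRL x = (X509CRL) c;
            x.verify(ca.getPublicKey());   // throws if the CRL was not signed by the CA
            Set<? extends X509CRLEntry> entries = x.getRevokedCertificates();
            System.out.println("CRL issuer=" + x.getIssuerX500Principal()
                    + " nextUpdate=" + x.getNextUpdate()
                    + " revokedEntries=" + (entries == null ? 0 : entries.size()));
        }

        System.out.println("with CRL:               " + validate(peer, ca, crls, false));
        // Same chain, no CRL: STATUS_UNKNOWN (hard fail) unless SOFT_FAIL is set.
        System.out.println("without CRL:            " + validate(peer, ca, Collections.emptyList(), false));
        System.out.println("without CRL, soft-fail: " + validate(peer, ca, Collections.emptyList(), true));
    }
}
```

Run it once with a certificate that is listed in the CRL and once with one that is not; the first run should report REVOKED and the second VALID. The "without CRL" run shows the failure mode that matters operationally: when revocation checking is on and no CRL covers the peer's issuer, the JDK rejects the connection rather than allowing it, so an out-of-date or misnamed CRL file breaks (D)TLS session establishment. The printed nextUpdate is the date after which the CRL must have been regenerated.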
OCSP
OCSP Revocation Checking
import java.security.Security;
// Both properties must be set before the first TLSTM (and thus the first SSLContext) is created:
System.setProperty("com.sun.net.ssl.checkRevocation", "true");
Security.setProperty("ocsp.enable", "true");
With both properties set, the JDK PKIX validator queries the OCSP responder named in each certificate's Authority Information Access extension (the ocsp.responderURL security property overrides that URL), so the command sender and responder need network access to the responder. If no revocation status can be obtained, validation fails by default, so an unreachable responder prevents (D)TLS session establishment instead of silently accepting revoked certificates. CRL distribution points embedded in certificates are only consulted when com.sun.security.enableCRLDP is additionally set to true; the CRL file configured through the TLSTM URI above does not depend on that property.