By default SNMP4J does not perform certificate revocation checking when establishing or accepting DTLS or TLS connections. A revoked but otherwise valid peer certificate is therefore accepted unless one of the options below is enabled.

To enable revocation checking, there are basically three options:

  1. Provide a CRL file for the cert path checking
  2. Use OCSP revocation checking
  3. Custom cert path checking with your own PKIXRevocationChecker


CRL

// Turn on revocation checking in the JDK PKIX trust manager. The property cannot be
// changed again at runtime, so set it before the first TLSTM / SSLContext is created.
final String checkRevocationProperty = "com.sun.net.ssl.checkRevocation";
System.setProperty(checkRevocationProperty, "true");


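TLSTM tlstmCommandSender = new TLSTM();
// Sender only: do not accept incoming TLS connections on this transport.
// (The original snippet misspelled the variable here, which does not compile.)
tlstmCommandSender.setServerEnabled(false);
// Activate CRL checking for command sender. The CRL is loaded from a classpath resource;
// fail loudly with a clear message if it is missing instead of a bare NullPointerException,
// so a packaging mistake cannot be confused with a disabled revocation check.
// Note: toURI() throws the checked URISyntaxException, so the enclosing method must declare it.
// NOTE(review): "X09" in the setter name looks like a typo for "X509" - confirm the exact
// method name against the TLSTM API before copying this snippet.
tlstmCommandSender.setX09CertificateRevocationListURI(
        java.util.Objects.requireNonNull(getClass().getResource("tls/crl_servers.pem"),
                "CRL resource tls/crl_servers.pem not found on the classpath")
                .toURI().toString());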


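// Responder listening on loopback with an ephemeral port ("127.0.0.1/0").
TLSTM tlstmCommandResponder = new TLSTM(new TlsAddress("127.0.0.1/0"));
// Activate CRL checking for command responder (i.e. for the client certificates it accepts).
// Fail loudly if the CRL resource is missing instead of a bare NullPointerException, so a
// packaging mistake cannot be confused with a disabled revocation check.
// Note: toURI() throws the checked URISyntaxException, so the enclosing method must declare it.
// NOTE(review): "X09" in the setter name looks like a typo for "X509" - confirm the exact
// method name against the TLSTM API before copying this snippet.
tlstmCommandResponder.setX09CertificateRevocationListURI(
        java.util.Objects.requireNonNull(getClass().getResource("tls/crl_clients.pem"),
                "CRL resource tls/crl_clients.pem not found on the classpath")
                .toURI().toString());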

OCSP

// Enable OCSP in the JDK PKIX validator. Note the two different property stores:
// "ocsp.enable" is a java.security Security property, "checkRevocation" is a System
// property - they are not interchangeable. Both must be set before the first PKIX trust
// manager / SSLContext is initialised. OCSP needs network access to the responder named
// in the peer certificate; with hard-fail (the default) an unreachable responder makes the
// TLS handshake fail rather than silently skipping the check.
Security.setProperty("ocsp.enable", "true");
System.setProperty("com.sun.net.ssl.checkRevocation", "true");


Cert Path Validation

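    /**
     * Creates a default revocation checker that uses CRLs only (no OCSP) and checks
     * the end-entity certificate only.
     * <p>
     * Security notes: {@code ONLY_END_ENTITY} means intermediate CA certificates are
     * never checked for revocation. {@code SOFT_FAIL} is deliberately not set, so an
     * unavailable or unparseable CRL makes path validation fail (hard-fail) instead of
     * silently passing. Callers that need OCSP or full-chain checking should build their
     * own checker with a different set of {@link PKIXRevocationChecker.Option}s.
     *
     * @return
     *    a CRL-only, end-entity-only revocation checker to be used with
     *    {@link #setPKIXRevocationChecker(PKIXRevocationChecker)}.
     * @throws IllegalStateException
     *    if the runtime provides no PKIX {@link CertPathBuilder}; this is a
     *    {@link RuntimeException} as before, so existing callers are unaffected.
     */
    public PKIXRevocationChecker createDefaultPKIXRevocationChecker() {
        CertPathBuilder certPathBuilder;
        try {
            // getRevocationChecker() yields a PKIXRevocationChecker only for the "PKIX"
            // algorithm, so request it explicitly. TrustManagerFactory.getDefaultAlgorithm()
            // names a TrustManagerFactory algorithm (configurable via the
            // ssl.TrustManagerFactory.algorithm security property) and is not guaranteed
            // to be a CertPathBuilder algorithm at all.
            certPathBuilder = CertPathBuilder.getInstance("PKIX");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("No PKIX CertPathBuilder available in this runtime", e);
        }
        PKIXRevocationChecker revocationChecker =
                (PKIXRevocationChecker) certPathBuilder.getRevocationChecker();
        // Relaxed checking - avoid OCSP because of 33% overhead on TLS connection creation:
        revocationChecker.setOptions(EnumSet.of(
                PKIXRevocationChecker.Option.PREFER_CRLS,     // prefer CRLs over OCSP
                PKIXRevocationChecker.Option.ONLY_END_ENTITY, // skip intermediate CA certificates
                PKIXRevocationChecker.Option.NO_FALLBACK));   // never fall back to OCSP
        return revocationChecker;
    }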

...

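TLSTM tlstm = new TLSTM();
// Sender only: do not accept incoming TLS connections on this transport.
tlstm.setServerEnabled(false);
// Install the custom revocation checker. This must be a method call with "()"; the
// original snippet passed the bare method name, which does not compile.
tlstm.setPKIXRevocationChecker(createDefaultPKIXRevocationChecker());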
...