How to Enable (D)TLS Certificate Revocation Checking?
By default, SNMP4J does not perform certificate revocation checking when establishing or accepting DTLS or TLS connections.
To enable revocation checking, there are basically three options:
- Provide a CRL file for the cert path checking
- Use OCSP revocation checking
- Other cert path checking
CRL File (OpenSSL Format)
import java.io.IOException;
import java.net.URISyntaxException;
import org.snmp4j.smi.TlsAddress;
import org.snmp4j.transport.TLSTM;

// The enclosing method must declare "throws IOException, URISyntaxException"
// (TLSTM constructors throw IOException, URL.toURI() throws URISyntaxException).
// Enable revocation checking in Java PKI (must be set before the first SSLContext is created; cannot be changed again at runtime):
System.setProperty("com.sun.net.ssl.checkRevocation", "true");
TLSTM tlstmCommandSender = new TLSTM();
tlstmCommandSender.setServerEnabled(false);
// Activate CRL checking for the command sender (CRL file in OpenSSL PEM format, loaded from the classpath):
tlstmCommandSender.setX09CertificateRevocationListURI(getClass().getResource("tls/crl_servers.pem").toURI().toString());
TLSTM tlstmCommandResponder = new TLSTM(new TlsAddress("127.0.0.1/0"));
// Activate CRL checking for the command responder:
tlstmCommandResponder.setX09CertificateRevocationListURI(getClass().getResource("tls/crl_clients.pem").toURI().toString());
OCSP Revocation Checking
import java.security.Security;

// Both properties must be set before the first SSLContext is created:
System.setProperty("com.sun.net.ssl.checkRevocation", "true");
Security.setProperty("ocsp.enable", "true");
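The following is an added example and not SNMP4J project code: it combines the two snippets above (CRL file for the command sender, OCSP as the alternative) into one runnable class and adds the check a practitioner wants before wiring a CRL into the transport, namely that the CRL file actually parses and is still inside its thisUpdate/nextUpdate window. A stale or unreadable CRL makes PKIX path validation fail for every peer, which is hard to diagnose from a TLS handshake error alone. The class name RevocationCheckingSetup, the helper method names, the `--ocsp` flag and the resource path "tls/crl_servers.pem" are assumptions; `setX09CertificateRevocationListURI`, the system property and the `ocsp.enable` security property are taken from the page.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URISyntaxException;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.util.Date;

import org.snmp4j.smi.TlsAddress;
import org.snmp4j.transport.TLSTM;

/**
 * Added example (not SNMP4J project code): enable (D)TLS certificate
 * revocation checking in SNMP4J and sanity-check the CRL file first.
 * Assumed names: this class, loadCrl/isCrlCurrent/newSenderWithCrl/enableOcsp,
 * the "--ocsp" flag and the classpath resource "tls/crl_servers.pem".
 */
public class RevocationCheckingSetup {

    /** Parse a CRL in OpenSSL PEM (or DER) format; throws if it is not a valid X.509 CRL. */
    static X509CRL loadCrl(InputStream in) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509CRL) cf.generateCRL(in);
    }

    /** True when 'now' lies inside the CRL's validity window (nextUpdate may be absent). */
    static boolean isCrlCurrent(X509CRL crl, Date now) {
        Date next = crl.getNextUpdate();
        return !crl.getThisUpdate().after(now) && (next == null || !next.before(now));
    }

    /** Build a command-sender TLSTM that validates peer certificates against the given CRL resource. */
    static TLSTM newSenderWithCrl(String crlResource) throws IOException, URISyntaxException {
        // Must be set before the first SSLContext is created; cannot be changed later at runtime.
        System.setProperty("com.sun.net.ssl.checkRevocation", "true");
        TLSTM tlstm = new TLSTM();
        tlstm.setServerEnabled(false);
        tlstm.setX09CertificateRevocationListURI(
                RevocationCheckingSetup.class.getResource(crlResource).toURI().toString());
        return tlstm;
    }

    /** Alternative to a CRL file: let the JDK PKIX validator query OCSP for every peer certificate. */
    static void enableOcsp() {
        System.setProperty("com.sun.net.ssl.checkRevocation", "true");
        Security.setProperty("ocsp.enable", "true");
    }

    public static void main(String[] args) throws Exception {
        boolean useOcsp = args.length > 0 && "--ocsp".equals(args[0]);
        if (useOcsp) {
            enableOcsp();
            System.out.println("OCSP revocation checking enabled for all SSLContexts created from now on");
            return;
        }

        String crlResource = "tls/crl_servers.pem";
        try (InputStream in = RevocationCheckingSetup.class.getResourceAsStream(crlResource)) {
            if (in == null) {
                throw new IllegalStateException("CRL resource missing on classpath: " + crlResource);
            }
            X509CRL crl = loadCrl(in);
            int revoked = crl.getRevokedCertificates() == null ? 0 : crl.getRevokedCertificates().size();
            System.out.println("CRL issuer:      " + crl.getIssuerX500Principal());
            System.out.println("CRL thisUpdate:  " + crl.getThisUpdate());
            System.out.println("CRL nextUpdate:  " + crl.getNextUpdate());
            System.out.println("Revoked entries: " + revoked);
            if (!isCrlCurrent(crl, new Date())) {
                // An expired CRL does not silently disable checking; it makes every path validation fail.
                throw new IllegalStateException("CRL is outside its validity window; refresh it before use");
            }
        }

        TLSTM sender = newSenderWithCrl(crlResource);
        System.out.println("Command-sender TLSTM configured with CRL " + crlResource);
        sender.close();
    }
}
```

Run it without arguments to validate and install the CRL, or with `--ocsp` to take the OCSP route instead; in both cases the properties are set before any TLSTM opens a connection, which is the ordering the page's "cannot be changed again at runtime" remark requires. The CRL freshness check is deliberately strict (it throws rather than warns): a CRL past its nextUpdate is exactly the case where an operator would otherwise see only opaque handshake failures.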