[英]Jetty 9 - Enable OCSP Stapling for domain-validated certificate
I'm having some issues in enabling OCSP stapling in Jetty 9 and I really hope that someone can help me here...hopefully! 我在Jetty 9中启用OCSP装订时遇到一些问题,我真的希望有人能在这里为我提供帮助...希望!
For my tests I purchased an SSL certificate from PositiveSSL (Comodo), which gave me a valid/trusted certificate. 为了进行测试,我从PositiveSSL(Comodo)购买了SSL证书,该证书给了我有效/受信任的证书。 The domain in this example is "dev.mydomain.com", and it will simply point to my local ip (127.0.0.1).
在此示例中的域是“ dev.mydomain.com”,它将仅指向我的本地IP(127.0.0.1)。
I then transformed the provided certificate into the Java keystore format. 然后,我将提供的证书转换为Java密钥库格式。
# Convert certificate to pkcs12
openssl pkcs12 -export -out dev.mydomain.com.pkcs12 -inkey dev.mydomain.com.key -in dev_mydomain_com.crt
# Create java keystore
keytool -importkeystore -srckeystore dev.mydomain.com.pkcs12 -srcstoretype pkcs12 -destkeystore dev.mydomain.com.keystore -deststoretype JKS
This is the simplified Java code I used for creating the Jetty server, activate the certificate, listen on the 443 port (https), and in theory activate OCSP: 这是我用来创建Jetty服务器,激活证书,侦听443端口(https)以及理论上激活OCSP的简化Java代码:
Server _server = new Server(); // org.eclipse.jetty.server.Server
HttpConfiguration httpsConfig = new HttpConfiguration();
HttpConnectionFactory http1 = new HttpConnectionFactory(httpsConfig);
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath("dev.mydomain.com.keystore");
sslContextFactory.setKeyStorePassword("mypass");
sslContextFactory.setKeyManagerPassword("mypass");
// sslContextFactory.setValidateCerts(true); // tested
sslContextFactory.setEnableOCSP(true);
SslConnectionFactory ssl = new SslConnectionFactory(sslContextFactory, http1.getProtocol());
// SSL Connector
ServerConnector sslConnector = new ServerConnector(_server, ssl, http1);
sslConnector.setHost("127.0.0.1");
sslConnector.setPort(443);
_server.addConnector(sslConnector);
_server.start();
_server.join();
On Java VM startup I'm also enabling these system properties: 在Java VM启动时,我还将启用以下系统属性:
Security.setProperty("ocsp.enable", "true");
System.setProperty("jdk.tls.server.enableStatusRequestExtension", "true");
System.setProperty("com.sun.net.ssl.checkRevocation", "true");
After several tries, I tried also importing the certificate chain into the keystore, but it didn't make any difference on the outcome. 经过几次尝试,我也尝试将证书链导入密钥库,但是对结果没有任何影响。
keytool -import -trustcacerts -alias ca -file COMODORSAAddTrustCA.crt -keystore dev.mydomain.com.keystore
keytool -import -trustcacerts -alias dv -file COMODORSADomainValidationSecureServerCA.crt -keystore dev.mydomain.com.keystore
keytool -import -trustcacerts -alias te -file AddTrustExternalCARoot.crt -keystore dev.mydomain.com.keystore
To test whether OCSP was correctly enabled I used a tool called sslyze , but whatever I tried to do the response for OCSP was always negative: 为了测试OCSP是否正确启用,我使用了一个名为sslyze的工具,但是我尝试对OCSP做出的响应始终是负面的:
OCSP Stapling - NOT SUPPORTED - Server did not send back an OCSP response
Here is the full output of sslyze: 这是sslyze的完整输出:
C:\Tools\sslyze-1_4_1>sslyze --certinfo dev.mydomain.com:443
AVAILABLE PLUGINS
-----------------
OpenSslCipherSuitesPlugin
RobotPlugin
CertificateInfoPlugin
FallbackScsvPlugin
SessionRenegotiationPlugin
HeartbleedPlugin
CompressionPlugin
OpenSslCcsInjectionPlugin
SessionResumptionPlugin
HttpHeadersPlugin
CHECKING HOST(S) AVAILABILITY
-----------------------------
dev.mydomain.com:443 => 127.0.0.1
SCAN RESULTS FOR DEV.MYDOMAIN.COM:443 - 127.0.0.1
------------------------------------------------
* Certificate Information:
Content
SHA1 Fingerprint: 7c398c59bac3a231efc9823c6958a7bc711bfc0e
Common Name: dev.mydomain.com
Issuer: COMODO RSA Domain Validation Secure Server CA
Serial Number: 103185809289011988533713848804380317148
Not Before: 2018-04-18 00:00:00
Not After: 2019-04-18 23:59:59
Signature Algorithm: sha256
Public Key Algorithm: RSA
Key Size: 2048
Exponent: 65537 (0x10001)
DNS Subject Alternative Names: ['dev.mydomain.com', 'www.dev.mydomain.com']
Trust
Hostname Validation: OK - Certificate matches dev.mydomain.com
Android CA Store (8.1.0_r9): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
iOS CA Store (11): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
macOS CA Store (High Sierra): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Mozilla CA Store (2018-01-14): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Windows CA Store (2018-02-09): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate
Received Chain: dev.mydomain.com
Verified Chain: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Contains Anchor: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: ERROR - Could not build verified chain (certificate untrusted?)
Extensions
OCSP Must-Staple: NOT SUPPORTED - Extension not found
Certificate Transparency: WARNING - Only 2 SCTs included but Google recommends 3 or more
OCSP Stapling
NOT SUPPORTED - Server did not send back an OCSP response
SCAN COMPLETED IN 0.78 S
------------------------
Sorry for the long post, but I tried to provide as much details as possible! 抱歉,很长的帖子,但我尝试提供尽可能多的细节!
Thank you! 谢谢! Yuvi
尤维
There is really not much that Jetty does with the OSCP configuration values. 实际上,Jetty对OSCP配置值所做的工作并不多。
The 3 key configuration values ... 3个关键配置值...
SslContextFactory.setEnableOCSP(true)
That configuration simply sets the ocsp.enable
JVM Security property. 该配置仅设置
ocsp.enable
JVM Security属性。
SslContextFactory.setOcspResponderURL(ocspResponderURL)
If setEnableOSCP(true)
and the OcspResponderURL
is set, then the ocsp.responderURL
JVM Security property is set. 如果
setEnableOSCP(true)
和OcspResponderURL
设置,那么ocsp.responderURL
JVM的安全属性设置。
The Jetty Code 码头代码
if (_enableOCSP)
{
// Enable On-Line Certificate Status Protocol (OCSP) support
Security.setProperty("ocsp.enable", "true");
if (_ocspResponderURL != null)
{
// Override location of OCSP Responder
Security.setProperty("ocsp.responderURL", _ocspResponderURL);
}
}
These 2 are JVM level configurations, and at this point its the JVM's responsibility to add the OCSP stuff to the TLS/SSL negotiation. 这2个是JVM级别的配置,这时JVM负责将OCSP内容添加到TLS / SSL协商中。
SslContextFactory.setValidateCerts(true)
If this is set, then the values of the other two are passed into a custom Eclipse Jetty CertificateValidator
. 如果已设置,则将其他两个值传递到定制的Eclipse Jetty
CertificateValidator
。
More Jetty Code 更多码头代码
if (isValidateCerts())
{
CertificateValidator validator = new CertificateValidator(trustStore, crls);
validator.setMaxCertPathLength(getMaxCertPathLength());
validator.setEnableCRLDP(isEnableCRLDP());
validator.setEnableOCSP(isEnableOCSP());
validator.setOcspResponderURL(getOcspResponderURL());
validator.validate(keyStore, x509C);
}
This is a server side component that just validates the certificates that the server will use on startup. 这是服务器端组件,仅验证服务器在启动时将使用的证书。 It only occurs once, when the keystore/truststore is loaded.
加载密钥库/信任库时,它只会发生一次。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.