This repository has been archived by the owner on Oct 29, 2019. It is now read-only.
F/ssl certificate checking #96
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bcarlin
reviewed
Apr 17, 2018
| } catch (CertificateExpiredException e) { | ||
| //TODO Certificate Handling: Pretify ToString | ||
| if(!valid) { | ||
| throw new CertificateExpiredException("The folowing certificate has expired\n" |
There was a problem hiding this comment.
- typo on "folowing"
- do not put newlines in logs... It makes ther harder to parse (f.ex: a grep would not show which certificate the message is about)
| logger.error("Failed to initialize the client-side SSLContext", e); | ||
| throw new Error("Failed to initialize the client-side SSLContext", | ||
| e); | ||
| } | ||
| } | ||
| } | ||
|
|
||
| private SSLContext createSslContext(WaarpSecureKeyStore ggSecureKeyStore) |
| } catch (CertificateExpiredException e) { | ||
| logger.error("The certificate " + alias + | ||
| " has expired and will be removed from the keystore."); | ||
| if (!deleteKeyFromKeyStore(alias)) { |
There was a problem hiding this comment.
This works well for truststores (it keeps them clean), but it does not work for keystores and adminstores : the cert is discarded, the server still listens on TLS ports, and connection attempts result in "io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: no cipher suites in common" unhandled exceptions.
There should be a flag to decide whether it should be cleaned or not.
Going further : is it possible, higher at server start, to disable the SSL component which has an invalid certificate (R66 SSL for keystore and the admin HTTP interface for the adminstore) with a critical log ?
|
Great! |
…ssl.WaarpSecureKeyStore
Finetune keystore verification
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Better validation of SSL certificate