Support Certificate Revocation List in embedded web server SSL configuration

[cfieber]

When using SSL client authentication, the ability to revoke and reject a client certificate is useful to ensure that a leaked certificate is no longer able to authenticate with the service without having to create a new CA and truststore.

In Ssl.java add a crlFile attribute as path to the CRL file

In TomcatEmbeddedServletContainerFactory.java#configureSsl (or arguably in TomcatEmbeddedServletContainerFactory.java#configureSslClientAuth only if clientAuth is need or want since the crlFile is used to validate clients) call protocol.setCrlFile

Jetty's SslContextFactory supports setting a crlPath

Undertow looks not so much to support it out of the box, however it does allow TrustManager configuration so the equivalent of org.apache.tomcat.util.net.jsse.JSSESocketFactory#getTrustManagers could be added in UndertowEmbeddedServletContainerFactory

[bvulaj]

Is there currently any workaround for this using embedded Tomcat?

[wilkinsona]

@bvulaj Yes. You can use a connector customiser to access the connector's protocol and configure its crl file. Something like this:

@Bean
public EmbeddedServletContainerCustomizer containerCustomizer() {
    return (container) -> {
        if (container instanceof TomcatEmbeddedServletContainerFactory) {
            ((TomcatEmbeddedServletContainerFactory) container)
                    .addConnectorCustomizers((connector) -> {
                ((AbstractHttp11Protocol<?>) connector.getProtocolHandler())
                        .setCrlFile("…");
            });
        }
    };
}

[bobtiernay-okta]

Looks like this only works for Spring Boot 1.x. Going to try to attempt this for Spring Boot 2. Would be awesome if Spring could help tweak this out of the box for Tomcat. Is the team open to that in the form of PRs?

Cheers!

[wilkinsona]

The general approach will work in 2.0, but you need to use a WebServerCustomizer. A PR would be most welcome. Thank you. To be considered, we’d ideally want it to cover all four containers (Jetty, Netty, Tomcat, and Undertow). Some investigation of what’s possible with Netty and Undertow would be needed.