
    • Sub-task
    • Resolution: Unresolved
    • P4
    • security-libs

If a certificate's crlDistributionPoints extension includes a crlIssuer field, then the CRL used for revocation checking must contain an Issuing Distribution Point (IDP) extension. If it does not, CRL verification fails, which in turn causes the TLS connection to fail.
The check happens in the code below and is mandated by RFC 5280, section 6.3.3: https://datatracker.ietf.org/doc/html/rfc5280#section-6.3.3
https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java#L352

```java
if (pointCrlIssuers != null) {
    if (idpExt == null || !idpExt.isIndirectCRL()) {
        return false;
    }
    // ...
```

      Logging such failure information would be useful for debugging any certificate validation failure.
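As an added example (not JDK code and not from the reporter), the rule behind the quoted check written so that a rejection comes back with a reason that a debug log line can carry. It decodes only the indirectCRL flag of a DER-encoded IssuingDistributionPoint value (extension OID 2.5.29.28); the issuer-name match that the same RFC clause also requires is left out, and the helper names and sample bytes are mine.

```java
// Added example, not JDK code: the RFC 5280 6.3.3 rule behind the quoted check,
// returning a reason for rejection instead of a bare false. Helper names are mine.
public final class IdpCheck {
    // IssuingDistributionPoint.indirectCRL is [4] IMPLICIT BOOLEAN DEFAULT FALSE
    static final int TAG_INDIRECT_CRL = 0x84;

    // DER length decoder; pos[0] is advanced past the length octets
    static int readLength(byte[] b, int[] pos) {
        int first = b[pos[0]++] & 0xff;
        if (first < 0x80) return first;
        int len = 0;
        for (int i = 0; i < (first & 0x7f); i++) len = (len << 8) | (b[pos[0]++] & 0xff);
        return len;
    }

    // idp is the inner IDP SEQUENCE (X509CRL.getExtensionValue("2.5.29.28") wraps it
    // in an OCTET STRING that must be stripped first). Other fields are skipped by length.
    static boolean isIndirectCrl(byte[] idp) {
        if ((idp[0] & 0xff) != 0x30) throw new IllegalArgumentException("IDP is not a SEQUENCE");
        int[] pos = {1};
        int len = readLength(idp, pos);
        int end = pos[0] + len;
        while (pos[0] < end) {
            int tag = idp[pos[0]++] & 0xff;
            int fieldLen = readLength(idp, pos);
            if (tag == TAG_INDIRECT_CRL) {
                if (fieldLen != 1) throw new IllegalArgumentException("bad BOOLEAN length");
                return idp[pos[0]] != 0;
            }
            pos[0] += fieldLen;
        }
        return false; // DEFAULT FALSE
    }

    // RFC 5280 6.3.3 (b)(1): a DP carrying cRLIssuer needs a CRL whose IDP sets indirectCRL.
    static String checkCrlIssuer(boolean dpHasCrlIssuer, byte[] idpValue) {
        if (!dpHasCrlIssuer) return "OK: distribution point has no cRLIssuer, IDP not required";
        if (idpValue == null) return "REJECT: cRLIssuer present but CRL has no IDP extension";
        if (!isIndirectCrl(idpValue)) return "REJECT: cRLIssuer present but IDP.indirectCRL is FALSE";
        return "OK: indirect CRL, IDP.indirectCRL is TRUE";
    }

    public static void main(String[] args) {
        // Constructed DER values: SEQUENCE { [4] TRUE } and SEQUENCE { [1] onlyContainsUserCerts TRUE }
        byte[] indirect = {0x30, 0x03, (byte) 0x84, 0x01, (byte) 0xff};
        byte[] userCertsOnly = {0x30, 0x03, (byte) 0x81, 0x01, (byte) 0xff};
        System.out.println(checkCrlIssuer(true, indirect));
        System.out.println(checkCrlIssuer(true, userCertsOnly));
        System.out.println(checkCrlIssuer(true, null));
    }
}
```

The second and third cases are the two distinct failures the current code folds into one `return false`; logging which of them occurred is what makes a revocation-check failure diagnosable.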

            pkumaraswamy Prajwal Kumaraswamy