Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not enable TLS certificate revocation checks by default #553

Merged
merged 3 commits into from
Jun 28, 2024
Merged

Do not enable TLS certificate revocation checks by default #553

merged 3 commits into from
Jun 28, 2024

Conversation

bioball
Copy link
Contributor

@bioball bioball commented Jun 26, 2024
edited
Loading

This addresses an issue where network requests may fail if cert revocation checks error, which may occur due to availability issues, or due to lack of internet access.

This changes the HTTP client to not check revocation on TLS certificates by default.
Users of the Java client can enable this by setting Java property com.sun.net.ssl.checkRevocation to true.

Users of the native executables will not perform revocation checks.

@bioball bioball force-pushed the soft-fail-ocsp branch 3 times, most recently from 5c9d43c to c8dc5d8 Compare June 26, 2024 23:22
@bioball
Make OCSP checks soft-fail
1940627 
This addresses an issue where network requests may fail if cert revocation checks
error, which may occur due to availaibility issues, or due to lack of internet access.

This also changes the built-in certs to be loaded from resources, which lets us enable
soft-fail when CA certs come from Pkl's built-in certs.
@bioball bioball changed the title Make OCSP checks soft-fail Do not enable TLS certificate revocation checks by default Jun 27, 2024
bioball
bioball commented Jun 27, 2024
View reviewed changes
pkl-core/src/main/java/org/pkl/core/http/JdkHttpClient.java
var pkixParameters = new PKIXBuilderParameters(trustAnchors, new X509CertSelector());
// equivalent of "com.sun.net.ssl.checkRevocation=true"
pkixParameters.setRevocationEnabled(true);
pkixParameters.addCertPathChecker(revocationChecker);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using PKIXBuilderParameters results in revocation checking being enabled by default when testing this locally.

So, I changed this to using KeyStore instead, which results in the Java client looking for property com.sun.net.ssl.checkRevocation before it does any revocation checks.

@bioball bioball merged commit 51d7265 into apple:main Jun 28, 2024
5 checks passed
@bioball bioball deleted the soft-fail-ocsp branch June 28, 2024 15:57
bioball added a commit that referenced this pull request Jun 28, 2024
@bioball
Do not enable TLS certificate revocation checks by default (#553)
da19c39 
This addresses an issue where network requests may fail if cert revocation checks
error, which may occur due to availability issues, or due to lack of internet access.

Revocation checking can still be enabled by setting JVM property com.sun.net.ssl.checkRevocation if on the JVM.

Also:
* Load built-in certs from resources, and move them to pkl-commons-cli
* Fix an issue where HttpInitException is not caught when loading a module
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@holzensp holzensp holzensp approved these changes

@stackoverflow stackoverflow stackoverflow approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bioball @stackoverflow @holzensp