Re: [Dev] OCSP/CRL in transport listener

2014-03-21 Thread Sudheera Palihakkara
Hi Jeewantha, I have created CA and client certificates like you asked, and did the request using curl. Here's what I got in the server log:
INFO - CacheManager OCSPCache Cache Manager Started
INFO - CacheManager CRLCache Cache Manager Started
INFO - RevocationVerificationManager OCSPVerifier

Re: [Dev] OCSP/CRL in transport listener

2014-03-21 Thread Jeewantha Dharmaparakrama
Well, first ESB tries with OCSP. If the CA does not support OCSP it tries with CRL. Both protocols do the same thing but OCSP is newer. That's why ESB tries OCSP first. Did you add the OCSP URL in the certificate properly? IINM Digicert should support OCSP. If the OCSP URL is added properly, try to

Re: [Dev] OCSP/CRL in transport listener

2014-03-21 Thread Sudheera Palihakkara
Yeah, I've added the URL; the cert param has these extensions at runtime:
Certificate Extensions: 2
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.digicert.com
  ]
]
[2]: ObjectId: 2.5.29.31

Re: [Dev] OCSP/CRL in transport listener

2014-03-21 Thread Sudheera Palihakkara
Hi, I have debugged the code. In OCSPVerifier line no. 84, ocspResponse.getStatus() returns integer 6, which is defined as OCSPRespStatus.UNAUTHORIZED. According to the IETF (http://www.ietf.org/rfc/rfc2560.txt) this is because the client is not authorized to make the query to the server. On Fri, Mar

Re: [Dev] OCSP/CRL in transport listener

2014-03-21 Thread Jeewantha Dharmaparakrama
+1. That explains it :). Since you've created the custom certificates I guess we can write an integration test so that we are done done with this feature. Please talk to Kasun about the integration test. Note: I don't think I have handled all the OCSP response status values in the code. If you
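
The OCSP-first, CRL-second behaviour described earlier in this thread, together with the unauthorized (6) responseStatus that turned up in the debugger, worked through as an added example. This is not the ESB's own OCSPVerifier (which is Java on BouncyCastle) and not code from anyone on the thread; it is a stand-alone Go program that makes the same decision on constructed byte strings. The status numbers are RFC 2560's (BouncyCastle's OCSPRespStatus constants carry the same values); the Verdict names, the Decide policy and the two sample responses are this example's own assumptions.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// OCSPResponseStatus values from RFC 2560 section 4.2.1 (4 is unused);
// BouncyCastle's OCSPRespStatus constants carry the same numbers.
const (
	OCSPSuccessful       = 0
	OCSPMalformedRequest = 1
	OCSPInternalError    = 2
	OCSPTryLater         = 3
	OCSPSigRequired      = 5
	OCSPUnauthorized     = 6 // the value the thread saw from getStatus()
)

// ocspResponse mirrors only the outer structure:
//   OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED,
//                               responseBytes [0] EXPLICIT OPTIONAL }
// responseBytes is kept raw; error statuses carry none at all.
type ocspResponse struct {
	Status        asn1.Enumerated
	ResponseBytes asn1.RawValue `asn1:"tag:0,optional"`
}

// ParseOCSPResponse returns the responseStatus and the raw responseBytes of a
// DER-encoded OCSPResponse without decoding the BasicOCSPResponse inside.
func ParseOCSPResponse(der []byte) (int, []byte, error) {
	var r ocspResponse
	rest, err := asn1.Unmarshal(der, &r)
	if err != nil {
		return -1, nil, err
	}
	if len(rest) != 0 {
		return -1, nil, errors.New("trailing bytes after OCSPResponse")
	}
	return int(r.Status), r.ResponseBytes.FullBytes, nil
}

// Verdict is the outcome of the OCSP-first, CRL-second policy (example names).
type Verdict string

const (
	VerifyOCSP     Verdict = "verify the BasicOCSPResponse signature, then use its certStatus"
	FallbackToCRL  Verdict = "OCSP unusable, fall back to the CRL"
	RejectNoSource Verdict = "reject: no usable revocation source"
)

// Decide treats only a successful response that actually carries responseBytes
// as usable OCSP; every other status (unauthorized included) falls through to
// the CRL when the certificate names a distribution point, else fails closed.
func Decide(status int, responseBytes []byte, hasCRL bool) Verdict {
	if status == OCSPSuccessful && len(responseBytes) > 0 {
		return VerifyOCSP
	}
	if hasCRL {
		return FallbackToCRL
	}
	return RejectNoSource
}

func main() {
	// Constructed inputs, not captured traffic: the minimal response of an
	// unauthorized responder (SEQUENCE { ENUMERATED 6 }, no responseBytes),
	// and a successful status with placeholder responseBytes.
	samples := map[string][]byte{
		"unauthorized": {0x30, 0x03, 0x0a, 0x01, 0x06},
		"successful":   {0x30, 0x08, 0x0a, 0x01, 0x00, 0xa0, 0x03, 0x04, 0x01, 0x00},
	}
	for name, der := range samples {
		st, rb, err := ParseOCSPResponse(der)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-12s status=%d -> %s\n", name, st, Decide(st, rb, true))
	}
}
```

Keeping responseBytes raw is deliberate: the status must be checked before anything inside is decoded, since an error status carries no BasicOCSPResponse at all, and even a successful one is only usable after its signature has been verified against the responder's certificate, which this example leaves to the caller.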

Re: [Dev] OCSP/CRL in transport listener

2014-03-20 Thread Jeewantha Dharmaparakrama
+1. So when you invoke the HTTPS service with client auth enabled, the connection should be rejected since there is no OCSP/CRL information in the client certificate. But we should test this with some custom made certificates. Create a self-signed *CA certificate* and a *User certificate* signed
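
The custom certificates asked for here (a self-signed CA and a user certificate signed by it, with the AuthorityInfoAccess OCSP URL and CRL distribution point that the extension dump further up in the thread shows), as an added example that is not part of the thread or of the ESB code: a Go program using only the standard library, so it runs offline and produces both a certificate with the extensions and one without, the latter being the case the listener is expected to reject. The example.test URLs are placeholders and nothing is fetched; NewTestLeaf and RevocationSources are this example's own names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RevocationSources reports the AIA OCSP URLs and CRL distribution points a
// certificate carries. An error means it has neither, which is the case the
// thread expects the listener to reject outright.
func RevocationSources(c *x509.Certificate) (ocsp, crl []string, err error) {
	if len(c.OCSPServer) == 0 && len(c.CRLDistributionPoints) == 0 {
		return nil, nil, errors.New("certificate carries neither AIA OCSP nor CRL DP")
	}
	return c.OCSPServer, c.CRLDistributionPoints, nil
}

// NewTestLeaf builds a throwaway self-signed CA and a client certificate
// signed by it. Non-empty ocspURL / crlURL become the AIA (1.3.6.1.5.5.7.1.1,
// accessMethod ocsp) and CRL DP (2.5.29.31) extensions; empty ones are omitted.
func NewTestLeaf(ocspURL, crlURL string) (*x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ocspURL != "" {
		leaf.OCSPServer = []string{ocspURL} // encoded as the AIA extension
	}
	if crlURL != "" {
		leaf.CRLDistributionPoints = []string{crlURL} // encoded as CRL DP
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(leafDER)
}

func main() {
	// Example URLs only; nothing is fetched.
	withExt, err := NewTestLeaf("http://ocsp.example.test", "http://crl.example.test/ca.crl")
	if err != nil {
		panic(err)
	}
	bare, err := NewTestLeaf("", "")
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{withExt, bare} {
		ocsp, crl, err := RevocationSources(c)
		fmt.Printf("%s: ocsp=%v crl=%v err=%v\n", c.Subject.CommonName, ocsp, crl, err)
	}
}
```

For the integration test discussed in the thread, the certificate from NewTestLeaf("", "") is the negative case (no revocation source, so the handshake should be refused), and the one with both URLs is the positive case once the URLs point at a responder and CRL the test controls.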

Re: [Dev] OCSP/CRL in transport listener

2014-03-19 Thread Jeewantha Dharmaparakrama
[Adding @dev] Hi Sudheera, Did you remove ServerConnFactoryBuilder and ClientConnFactoryBuilder from the source and add the changed classes again? It's difficult to see which lines have changed in the patch file. Please remove ServerConnFactoryBuilder and ClientConnFactoryBuilder from your

Re: [Dev] OCSP/CRL in transport listener

2014-03-19 Thread Sudheera Palihakkara
Hi Jeewantha, I have moved ServerConnFactoryBuilder and ClientConnFactoryBuilder from /transport/nhttp/config/ to /transport/http/config/ because those two classes are common to both nhttp and passthru transports. Here are the diff files of the two files that I edited. I used an online tool to