When using SSL client authentication, the ability to revoke and reject a client certificate is useful to ensure that a leaked certificate is no longer able to authenticate with the service without having to create a new CA and truststore.
In Ssl.java add a crlFile attribute as path to the CRL file
In TomcatEmbeddedServletContainerFactory.java#configureSsl (or arguably in TomcatEmbeddedServletContainerFactory.java#configureSslClientAuth only if clientAuth is need or want since the crlFile is used to validate clients) call protocol.setCrlFile
Jetty's SslContextFactory supports setting a crlPath
Undertow looks not so much to support it out of the box, however it does allow TrustManager configuration so the equivalent of org.apache.tomcat.util.net.jsse.JSSESocketFactory#getTrustManagers could be added in UndertowEmbeddedServletContainerFactory
Comment From: bvulaj
Is there currently any workaround for this using embedded Tomcat?
Comment From: wilkinsona
@bvulaj Yes. You can use a connector customiser to access the connector's protocol and configure its crl file. Something like this:
@Bean
public EmbeddedServletContainerCustomizer containerCustomizer() {
return (container) -> {
if (container instanceof TomcatEmbeddedServletContainerFactory) {
((TomcatEmbeddedServletContainerFactory) container)
.addConnectorCustomizers((connector) -> {
((AbstractHttp11Protocol<?>) connector.getProtocolHandler())
.setCrlFile("…");
});
}
};
}
Comment From: bobtiernay-okta
Looks like this only works for Spring Boot 1.x. Going to try to attempt this for Spring Boot 2. Would be awesome if Spring could help tweak this out of the box for Tomcat. Is the team open to that in the form of PRs?
Cheers!
Comment From: wilkinsona
The general approach will work in 2.0, but you need to use a WebServerCustomizer. A PR would be most welcome. Thank you. To be considered, we’d ideally want it to cover all four containers (Jetty, Netty, Tomcat, and Undertow). Some investigation of what’s possible with Netty and Undertow would be needed.