> The unavailableCRLPolicy can be either of the following:
>
> org.jasig.cas.adaptors.x509.authentication.handler.support.AllowRevocationPolicy
> org.jasig.cas.adaptors.x509.authentication.handler.support.DenyRevocationPolicy
>
> While the Deny policy is arguably more secure, its use has dramatic
> consequences when CRL data is unavailable: all X.509 authentication
> will fail. In our opinion the availability/security trade off isn't
> worth it for this policy.
If I'm not mistaken, two checks are done:
- Issuer CRL check first
- Subject CRL check

My problem is that the issuer CRL is only available through an LDAP query... and it seems that CRLs cannot be checked when they are provided by an LDAP directory:

2011-06-10 15:50:54,243 DEBUG [org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction] - Certificate found in request.
2011-06-10 15:50:54,246 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - Evaluating CN=GIP-CPS CLASSE-3, OU=GIP-CPS STRUCTURE, O=GIP-CPS, C=FR, SerialNumber=70176
2011-06-10 15:50:54,246 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.CRLDistributionPointRevocationChecker] - Evaluating certificate revocation status for CN=GIP-CPS CLASSE-3, OU=GIP-CPS STRUCTURE, O=GIP-CPS, C=FR, SerialNumber=70176
2011-06-10 15:50:54,248 WARN [org.jasig.cas.adaptors.x509.authentication.handler.support.CRLDistributionPointRevocationChecker] - *ldap://annuaire.gip-cps.fr/ou=gip-cps structure,o=gip-cps,c=fr?certificaterevocationlist;binary is not a valid distribution point URI*.
2011-06-10 15:50:54,249 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.CRLDistributionPointRevocationChecker] - Distribution points for CN=GIP-CPS CLASSE-3, OU=GIP-CPS STRUCTURE, O=GIP-CPS, C=FR, SerialNumber=70176: [].
2011-06-10 15:50:54,249 WARN [org.jasig.cas.adaptors.x509.authentication.handler.support.CRLDistributionPointRevocationChecker] - CRL data is not available for CN=GIP-CPS CLASSE-3, OU=GIP-CPS STRUCTURE, O=GIP-CPS, C=FR, SerialNumber=70176
2011-06-10 15:50:54,249 WARN [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - Failed to validate CN=GIP-CPS CLASSE-3, OU=GIP-CPS STRUCTURE, O=GIP-CPS, C=FR, SerialNumber=70176

Although ldap://annuaire.gip-cps.fr/ou=gip-cps structure,o=gip-cps,c=fr?certificaterevocationlist;binary is a correct URL, CRL data is not fetched.
I don't know how to fix this problem... any idea?

Rgds.

--
Philippe MARASSE
Service Informatique - Centre Hospitalier Henri Laborit
BP 587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
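An added illustration, not part of Philippe's message and not CAS code: it parses the ldap:// distribution point URL from the log above the way RFC 4516 defines LDAP URLs, shows that the raw space inside the DN (`ou=gip-cps structure`) makes the string invalid under RFC 3986 (a strict parser such as `java.net.URI` throws on it; whether the CAS checker uses that class is an assumption, not something the log states), percent-encodes the DN so a strict parser accepts it, and applies the Allow/Deny unavailable-CRL policy from the quoted reply to a constructed serial number. The `LdapCrlUrl`, `parse_ldap_crl_url`, `percent_encode_ldap_url` and `revocation_decision` names are mine; only the two policy class names and the URL come from the thread.

```python
"""Added illustration (not CAS code): RFC 4516 LDAP CRL URL parsing and the
unavailable-CRL policy decision."""
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import quote, unquote

# Constructed sample input: the distribution point URI from the post's log lines.
SAMPLE_DP = ("ldap://annuaire.gip-cps.fr/ou=gip-cps structure,o=gip-cps,c=fr"
             "?certificaterevocationlist;binary")

# Characters RFC 3986 never allows raw in a URI; controls and non-ASCII are also out.
_FORBIDDEN = set(' "<>\\^`{|}')


def is_strict_uri(s: str) -> bool:
    """True if no character that RFC 3986 forbids unescaped appears in s."""
    return not any(c in _FORBIDDEN or not 0x21 <= ord(c) <= 0x7E for c in s)


def _split_ldap_url(url: str):
    """Return (host[:port], text after the first '/'); reject non-ldap schemes."""
    scheme, _, rest = url.partition("://")
    if scheme.lower() != "ldap":
        raise ValueError(f"not an ldap:// URL: {url!r}")
    hostport, _, tail = rest.partition("/")
    return hostport, tail


def percent_encode_ldap_url(url: str) -> str:
    """Percent-encode the DN field only; ',', '=' and '+' stay literal (RFC 4516)."""
    hostport, tail = _split_ldap_url(url)
    fields = tail.split("?")
    fields[0] = quote(fields[0], safe=",=+")
    return f"ldap://{hostport}/" + "?".join(fields)


@dataclass
class LdapCrlUrl:
    host: str
    port: int
    base_dn: str
    attributes: List[str]
    scope: str
    filter: str


def parse_ldap_crl_url(url: str) -> LdapCrlUrl:
    """Split ldap://host:port/dn?attrs?scope?filter into LDAP search parameters.

    Missing fields take the RFC 4516 defaults: port 389, scope base,
    filter (objectClass=*).
    """
    hostport, tail = _split_ldap_url(url)
    host, _, port = hostport.partition(":")
    fields = tail.split("?") + ["", "", ""]        # pad so absent fields default
    dn, attrs, scope, filt = fields[:4]
    return LdapCrlUrl(
        host=host,
        port=int(port) if port else 389,
        base_dn=unquote(dn),
        attributes=[a for a in attrs.split(",") if a],
        scope=scope or "base",
        filter=unquote(filt) or "(objectClass=*)",
    )


# The two policies named in the quoted reply.
ALLOW = "org.jasig.cas.adaptors.x509.authentication.handler.support.AllowRevocationPolicy"
DENY = "org.jasig.cas.adaptors.x509.authentication.handler.support.DenyRevocationPolicy"


def revocation_decision(serial: int, revoked_serials: Optional[Set[int]],
                        unavailable_crl_policy: str) -> str:
    """revoked_serials is None when the CRL could not be fetched, as in the post."""
    if revoked_serials is None:
        return "accept" if unavailable_crl_policy == ALLOW else "reject"
    return "revoked" if serial in revoked_serials else "accept"


if __name__ == "__main__":
    print("strict URI?", is_strict_uri(SAMPLE_DP))      # False: raw space in the DN
    fixed = percent_encode_ldap_url(SAMPLE_DP)
    print(fixed, is_strict_uri(fixed))
    print(parse_ldap_crl_url(fixed))
    # Constructed serial number, not taken from the post.
    print(revocation_decision(0x1234, None, DENY), revocation_decision(0x1234, None, ALLOW))
```

With the fields parsed this way, the actual fetch is a base-scope LDAP read of the `certificaterevocationlist;binary` attribute at the DN (in Java, `DirContext.getAttributes(dn, attrIds)` via JNDI), followed by DER decoding of the CRL; that network step is left out so the block runs offline. The `revocation_decision` function makes the trade-off in the quoted reply explicit: with the Deny policy, an unreachable CRL rejects every certificate, which is exactly the outcome the log shows.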
