thenatog commented on a change in pull request #3204: NIFI-1364 - Removed
custom OCSP certificate revocation checking code and replaced with just using
Java native implementation.
URL: https://github.com/apache/nifi/pull/3204#discussion_r304543572
##########
File path:
nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SSLContextFactory.java
##########
@@ -111,4 +117,28 @@ public SSLContext createSslContext() throws
KeyStoreException, IOException, NoSu
return sslContext;
}
+
+ private TrustManagerFactory getTrustManagerFactory(KeyStore trustStore,
boolean ocspEnabled, String responderURL) throws KeyStoreException,
InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+
+ TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+
+ if (ocspEnabled) {
+ if
("PKIX".equalsIgnoreCase(TrustManagerFactory.getDefaultAlgorithm())) {
+ PKIXBuilderParameters pbParams = new
PKIXBuilderParameters(trustStore, new X509CertSelector());
+ pbParams.setRevocationEnabled(true);
+ Security.setProperty("ocsp.enable", "true");
+ if(!StringUtils.isBlank(responderURL)) {
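Review bot: when `ocspEnabled` is true but `TrustManagerFactory.getDefaultAlgorithm()` is not "PKIX", the inner `if` in this hunk is simply skipped and the factory is built with no revocation checking at all, so a caller who asked for OCSP gets a silently weaker trust manager; either throw (e.g. `IllegalStateException`) or at minimum log a warning there, since the `ocspEnabled` flag would otherwise promise something the code does not deliver. Two smaller points in the same block: `Security.setProperty("ocsp.enable", "true")` is a process-wide JVM setting that will affect every PKIX validation in the same VM, not just the `SSLContext` returned by this factory, which is worth a comment and a line in the docs for the `ocspEnabled` property; and `if(!StringUtils.isBlank(responderURL)) {` is missing the space after `if` that the rest of the file uses.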
Review comment:
Yes, that is the functionality as you've described. I'll definitely look
into adding DEBUG log messages.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services