mirror of
https://github.com/google/nomulus.git
synced 2025-07-06 19:23:31 +02:00
Respect certificate validity period (#391)
Client SSL handler already performs the necessary validation. Only tests are added. Server SSL handler does not currently check for the validity period of the client certificate as the insecure trust manager is used. This PR added the check but does not actually terminate the connection yet. It will log the expired certificates so that we can contact the registrars to update them. Once we are certain that all certificates are updated, we can turn off dryrun mode. We should also consider checking if the certificate has too long a validity period as it defeats the purpose of using regularly updated certificates to deprecate insecure cipher suites.
This commit is contained in:
parent
9be5091c84
commit
c584de9f72
17 changed files with 473 additions and 35 deletions
|
@ -162,7 +162,8 @@ public final class EppProtocolModule {
|
|||
SslProvider sslProvider,
|
||||
Supplier<PrivateKey> privateKeySupplier,
|
||||
Supplier<ImmutableList<X509Certificate>> certificatesSupplier) {
|
||||
return new SslServerInitializer<>(true, sslProvider, privateKeySupplier, certificatesSupplier);
|
||||
return new SslServerInitializer<>(
|
||||
true, false, sslProvider, privateKeySupplier, certificatesSupplier);
|
||||
}
|
||||
|
||||
@Provides
|
||||
|
|
|
@ -134,6 +134,7 @@ public final class WebWhoisProtocolsModule {
|
|||
SslProvider sslProvider,
|
||||
Supplier<PrivateKey> privateKeySupplier,
|
||||
Supplier<ImmutableList<X509Certificate>> certificatesSupplier) {
|
||||
return new SslServerInitializer<>(false, sslProvider, privateKeySupplier, certificatesSupplier);
|
||||
return new SslServerInitializer<>(
|
||||
false, false, sslProvider, privateKeySupplier, certificatesSupplier);
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue