Bug 1318154 - SSL - client accepts server's certificate even if server's root CA is expired
Summary: SSL - client accepts server's certificate even if server's root CA is expired
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Data Virtualization 6
Classification: JBoss
Component: Teiid
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ER2
Target Release: 6.3.0
Assignee: Van Halbert
QA Contact: Juraj Duráni
URL:
Whiteboard:
Duplicates: 1318167
Depends On:
Blocks:
Reported: 2016-03-16 07:52 UTC by Juraj Duráni
Modified: 2016-08-24 11:40 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-24 11:40:18 UTC
Type: Bug
Embargoed:


Links
System ID: Red Hat Issue Tracker TEIID-4080
Priority: Major
Status: Resolved
Summary: Prevent expired client/server certificates from being accepted
Last Updated: 2017-07-27 09:08:28 UTC

Description Juraj Duráni 2016-03-16 07:52:07 UTC
Description of problem:
If SSL is enabled (1-way or 2-way), the server provides the client with a certificate, which must be signed by a valid certificate of a trusted CA.
If the server provides a certificate signed by a root CA certificate that has already expired, the client accepts this certificate. The client should not accept such a certificate.

This affects 1-way and 2-way authentication modes.

Comment 1 Van Halbert 2016-03-18 19:32:01 UTC
*** Bug 1318167 has been marked as a duplicate of this bug. ***

Comment 2 JBoss JIRA Server 2016-03-21 19:03:36 UTC
Steven Hawkins <shawkins> updated the status of jira TEIID-4080 to Resolved

Comment 3 Juraj Duráni 2016-05-09 08:26:17 UTC
A new client property (org.teiid.ssl.checkExpired) and a transport property (truststore-check-expired) have been added. The user needs to set those to prevent accepting certificates which are signed with untrusted or expired CA certificates.

