OCSP Stapling Checks #756
Merged
OCSP Stapling Checks #756
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
michael-simons
requested changes
Aug 20, 2020
Contributor
michael-simons
left a comment
michael-simons
left a comment
There was a problem hiding this comment.
Great work. There are only some minor changes regarding tests and method visibility.
I also think we should keep the way loading certs through the keystore as opposed to the intermediate suggestion with the TrustAnchors.
As this is for 4.2, we can maybe make the CertificateTool final and add a private constructor too (we tend to do this in OGM and Spring world for those utils classes).
driver/src/main/java/org/neo4j/driver/internal/security/SecurityPlanImpl.java
Outdated
Show resolved
Hide resolved
driver/src/main/java/org/neo4j/driver/internal/security/SecurityPlanImpl.java
Outdated
Show resolved
Hide resolved
driver/src/main/java/org/neo4j/driver/internal/security/SecurityPlanImpl.java
Outdated
Show resolved
Hide resolved
driver/src/main/java/org/neo4j/driver/internal/security/SecurityPlanImpl.java
Outdated
Show resolved
Hide resolved
driver/src/test/java/org/neo4j/driver/internal/SecuritySettingsTest.java
Outdated
Show resolved
Hide resolved
driver/src/test/java/org/neo4j/driver/internal/SecuritySettingsTest.java
Outdated
Show resolved
Hide resolved
driver/src/test/java/org/neo4j/driver/internal/SecuritySettingsTest.java
Outdated
Show resolved
Hide resolved
driver/src/test/java/org/neo4j/driver/internal/SecuritySettingsTest.java
Outdated
Show resolved
Hide resolved
driver/src/test/java/org/neo4j/driver/internal/SecuritySettingsTest.java
Outdated
Show resolved
Hide resolved
…cate revocation checking is to be carried out. By default revocation checking is disabled. If enabled with the corresponding server configuration, the driver will check the validity of stapled OCSP (Online Certificate Status Protocol) response(s). These responses are returned during the TLS handshake by the server and if not present, the driver will fail to accept the certificate. See: https://tools.ietf.org/html/rfc6961
gjmwoods
force-pushed
the
4.2-ocsp-checks
branch
from
ca3e866 to
fdc6e95
Compare
michael-simons
approved these changes
Sep 30, 2020
michael-simons
requested changes
Sep 30, 2020
Contributor
michael-simons
left a comment
michael-simons
left a comment
There was a problem hiding this comment.
Only typos in JavaDoc.
driver/src/main/java/org/neo4j/driver/internal/security/SecurityPlanImpl.java
Outdated
Show resolved
Hide resolved
michael-simons
requested changes
Sep 30, 2020
Contributor
michael-simons
left a comment
michael-simons
left a comment
There was a problem hiding this comment.
Again, only docs. I remember us discussing this change in standup. I like it very much and its closer to the standard in this way.
michael-simons
approved these changes
Sep 30, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds the ability for TrustStategy to configure whether or not certificate revocation checking is to be carried out. By default revocation checking is disabled.
If enabled with the corresponding server configuration, the driver will check the validity of stapled OCSP (Online Certificate Status Protocol) response(s). These responses are returned during the TLS handshake by the server and if not present, the driver will fail to accept the certificate.
See: https://tools.ietf.org/html/rfc6961