1:24 a.m.
Hi I was told to send a mail to the developers mailing list regarding the following issue
to get more input from other developers:
https://issues.jboss.org/browse/KEYCLOAK-11818
Our problem is that users who login with mutual client-authentication via X509
certificates are still able to login if the certificates are expired or not valid yet. I
added a pull request - that is also referenced in the issue - that adds a switch that may
be used to validate the notBefore and notAfter timestamps of X509 certificates. From our
side we would say that this is actually a security issue that should be fixed very soon.
Best regards
Pascal Knüppel
****************************************************
Veranstaltungsvorschau: Besuchen Sie uns...
11. Jahrestagung E-Akte | 06. + 07.11.2019 | Berlin<https://jahrestagung-eakte.de/>
Kongress e-nrw | 07.11.2019 | Düsseldorf/Neuss<https://www.e-nrw.info/>
OMNISECURE | 20.-22.01.2020 |Berlin<https://www.omnisecure.berlin/de/>
Zukunftskongress Staat & Verwaltung |15.-17.06.2020 |
Berlin<https://www.zukunftskongress.info/de/zksv/willkommen>
6:56 a.m.
Looks like a sane PR to me. Tests are missing though. If you use Time from
Keycloak as I mentioned in the PR comments you can tweak the server time in
a test to be able to test this.
On Thu, 7 Nov 2019 at 08:27, Knüppel, Pascal <Pascal.Knueppel(a)governikus.de>
wrote:
Hi I was told to send a mail to the developers mailing list regarding
the
following issue to get more input from other developers:
https://issues.jboss.org/browse/KEYCLOAK-11818
Our problem is that users who login with mutual client-authentication via
X509 certificates are still able to login if the certificates are expired
or not valid yet. I added a pull request - that is also referenced in the
issue - that adds a switch that may be used to validate the notBefore and
notAfter timestamps of X509 certificates. From our side we would say that
this is actually a security issue that should be fixed very soon.
Best regards
Pascal Knüppel
****************************************************
Veranstaltungsvorschau: Besuchen Sie uns...
11. Jahrestagung E-Akte | 06. + 07.11.2019 | Berlin<
https://jahrestagung-eakte.de/>
Kongress e-nrw | 07.11.2019 | Düsseldorf/Neuss<https://www.e-nrw.info/>
OMNISECURE | 20.-22.01.2020 |Berlin<https://www.omnisecure.berlin/de/>
Zukunftskongress Staat & Verwaltung |15.-17.06.2020 | Berlin<
https://www.zukunftskongress.info/de/zksv/willkommen>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
10:11 a.m.
added unit tests :-)
****************************************************
Veranstaltungsvorschau: Besuchen Sie uns…
11. Jahrestagung E-Akte | 06. + 07.11.2019 |
Berlin<https://jahrestagung-eakte.de/>
Kongress e-nrw | 07.11.2019 | Düsseldorf/Neuss<https://www.e-nrw.info/>
OMNISECURE | 20.-22.01.2020 |Berlin<https://www.omnisecure.berlin/de/>
Zukunftskongress Staat & Verwaltung |15.-17.06.2020 |
Berlin<https://www.zukunftskongress.info/de/zksv/willkommen>
Von: Stian Thorgersen <sthorger(a)redhat.com>
Gesendet: Donnerstag, 7. November 2019 13:56
An: Knüppel, Pascal <Pascal.Knueppel(a)governikus.de>
Cc: keycloak-dev(a)lists.jboss.org
Betreff: Re: [keycloak-dev] validating client certificates on user login
Looks like a sane PR to me. Tests are missing though. If you use Time from Keycloak as I
mentioned in the PR comments you can tweak the server time in a test to be able to test
this.
On Thu, 7 Nov 2019 at 08:27, Knüppel, Pascal
<Pascal.Knueppel@governikus.de<mailto:Pascal.Knueppel@governikus.de>> wrote:
Hi I was told to send a mail to the developers mailing list regarding the following issue
to get more input from other developers:
https://issues.jboss.org/browse/KEYCLOAK-11818
Our problem is that users who login with mutual client-authentication via X509
certificates are still able to login if the certificates are expired or not valid yet. I
added a pull request - that is also referenced in the issue - that adds a switch that may
be used to validate the notBefore and notAfter timestamps of X509 certificates. From our
side we would say that this is actually a security issue that should be fixed very soon.
Best regards
Pascal Knüppel
****************************************************
Veranstaltungsvorschau: Besuchen Sie uns...
11. Jahrestagung E-Akte | 06. + 07.11.2019 |
Berlin<https://jahrestagung-eakte.de/>
Kongress e-nrw | 07.11.2019 | Düsseldorf/Neuss<https://www.e-nrw.info/>
OMNISECURE | 20.-22.01.2020 |Berlin<https://www.omnisecure.berlin/de/>
Zukunftskongress Staat & Verwaltung |15.-17.06.2020 |
Berlin<https://www.zukunftskongress.info/de/zksv/willkommen>
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
12:16 a.m.
Thanks, but I'm afraid unit tests are not sufficient. We can keep the unit
tests you've added as they are nice for development purposes. However, we
need integration level tests as that checks fully how it works (what errors
for instance a client would see) and also allows us to test it in different
builds (for example a patched instance of RH-SSO if we want to backport
this fix).
Adding Sebastian as should be able to give you some pointers on what
current tests you can extend.
On Thu, 7 Nov 2019 at 17:11, Knüppel, Pascal <Pascal.Knueppel(a)governikus.de>
wrote:
added unit tests :-)
****************************************************
Veranstaltungsvorschau: Besuchen Sie uns…
11. Jahrestagung E-Akte | 06. + 07.11.2019 | Berlin
<https://jahrestagung-eakte.de/>
Kongress e-nrw | 07.11.2019 | Düsseldorf/Neuss <https://www.e-nrw.info/>
OMNISECURE | 20.-22.01.2020 |Berlin <https://www.omnisecure.berlin/de/>
Zukunftskongress Staat & Verwaltung |15.-17.06.2020 | Berlin
<https://www.zukunftskongress.info/de/zksv/willkommen>
*Von:* Stian Thorgersen <sthorger(a)redhat.com>
*Gesendet:* Donnerstag, 7. November 2019 13:56
*An:* Knüppel, Pascal <Pascal.Knueppel(a)governikus.de>
*Cc:* keycloak-dev(a)lists.jboss.org
*Betreff:* Re: [keycloak-dev] validating client certificates on user login
Looks like a sane PR to me. Tests are missing though. If you use Time from
Keycloak as I mentioned in the PR comments you can tweak the server time in
a test to be able to test this.
On Thu, 7 Nov 2019 at 08:27, Knüppel, Pascal <
Pascal.Knueppel(a)governikus.de> wrote:
Hi I was told to send a mail to the developers mailing list regarding the
following issue to get more input from other developers:
https://issues.jboss.org/browse/KEYCLOAK-11818
Our problem is that users who login with mutual client-authentication via
X509 certificates are still able to login if the certificates are expired
or not valid yet. I added a pull request - that is also referenced in the
issue - that adds a switch that may be used to validate the notBefore and
notAfter timestamps of X509 certificates. From our side we would say that
this is actually a security issue that should be fixed very soon.
Best regards
Pascal Knüppel
****************************************************
Veranstaltungsvorschau: Besuchen Sie uns...
11. Jahrestagung E-Akte | 06. + 07.11.2019 | Berlin<
https://jahrestagung-eakte.de/>
Kongress e-nrw | 07.11.2019 | Düsseldorf/Neuss<https://www.e-nrw.info/>
OMNISECURE | 20.-22.01.2020 |Berlin<https://www.omnisecure.berlin/de/>
Zukunftskongress Staat & Verwaltung |15.-17.06.2020 | Berlin<
https://www.zukunftskongress.info/de/zksv/willkommen>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
1645
days inactive
1646
days old
3 comments
2 participants
participants (2)
-
Knüppel, Pascal -
Stian Thorgersen