[jboss-jira] [JBoss JIRA] (SECURITY-838) BaseCertLoginModule does not actually check a client certificate for signing making the use of a CA not possible

Tom Fonteyne (JIRA) issues at jboss.org
Wed Jun 4 10:40:15 EDT 2014


Tom Fonteyne created SECURITY-838:
-------------------------------------

             Summary: BaseCertLoginModule does not actually check a client certificate for signing making the use of a CA not possible
                 Key: SECURITY-838
                 URL: https://issues.jboss.org/browse/SECURITY-838
             Project: PicketBox 
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: PicketBox
    Affects Versions: PicketBox_4_0_21.Beta2
            Reporter: Tom Fonteyne
            Assignee: Stefan Guilhen


BaseCertLoginModule is not really checking if client certificates are valid. It only checks if the client certificate is present in the truststore and then does a binary compare.

This means that properly signed client certificates by a CA cannot be used unless they are all imported into the truststore.

A normal/standard setup would *only* have the CA certificate in the truststore and not the actual client certificates.



--
This message was sent by Atlassian JIRA
(v6.2.3#6260)

