[jboss-jira] [JBoss JIRA] (SECURITY-838) BaseCertLoginModule does not actually check a client certificate for signing making the use of a CA not possible
Tom Fonteyne (JIRA)
issues at jboss.org
Wed Jun 4 10:56:16 EDT 2014
[ https://issues.jboss.org/browse/SECURITY-838?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tom Fonteyne updated SECURITY-838:
----------------------------------
Summary: BaseCertLoginModule does not actually check a client certificate for signing making the use of a CA not possible (was: BaseCertLoginModule does not actully check a client certificate for signing making the use of a CA not possible)
> BaseCertLoginModule does not actually check a client certificate for signing making the use of a CA not possible
> ----------------------------------------------------------------------------------------------------------------
>
> Key: SECURITY-838
> URL: https://issues.jboss.org/browse/SECURITY-838
> Project: PicketBox
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: PicketBox
> Affects Versions: PicketBox_4_0_21.Beta2
> Reporter: Tom Fonteyne
> Assignee: Stefan Guilhen
>
> BaseCertLoginModule is not really checking if client certificates are valid. It only checks it the client certificate is present in the truststore and then does a binary compare.
> This means that properly signed client certificates by a CA cannot be used unless they are all imported into the truststore.
> A normal/standard setup would *only* have the CA certificate in the truststore and not the actual client certificates
--
This message was sent by Atlassian JIRA
(v6.2.3#6260)
More information about the jboss-jira
mailing list