Issue 1990: Use optional CRL with CLIENT_SSL_CERT_LDAP
Status:  Released
Owner: ----
Closed:  Aug 2013
Reported by mrchul...@gmail.com, Jul 3, 2013
Gerrit with CLIENT_SSL_CERT_LDAP authentication uses no CRL (certificate revocation list).

Fixing gerrit-pgm/com.google.gerrit.pgm.http.jetty.JettyServer will allow the use of an optional CRL.

Current code:
        if (AuthType.CLIENT_SSL_CERT_LDAP.equals(authType)) {
          ssl.setNeedClientAuth(true);
        }

New code:
        if (AuthType.CLIENT_SSL_CERT_LDAP.equals(authType)) {
          ssl.setNeedClientAuth(true);
          // Use an optional CRL: revocation checking is enabled only if the file exists.
          final File crl = getFile(cfg, "sslcrl", "etc/crl.pem");
          if (crl.exists()) {
            ssl.setCrlPath(crl.getAbsolutePath());
            ssl.setValidatePeerCerts(true);
          }
        }
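
An added example (not part of the original report, and not Gerrit's or Jetty's code) that uses the standard JDK PKIX API to check a client certificate against a CA certificate and a CRL file such as etc/crl.pem. The class name CrlCheckDemo and its three file arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collection;
import javax.net.ssl.*;

// Added illustration; class name and file arguments are hypothetical.
public class CrlCheckDemo {
  // Trust manager that accepts only chains ending at the CA in caPath and
  // rejects any certificate listed in the CRL file (PEM or DER).
  static X509TrustManager build(CertificateFactory cf, String caPath, String crlPath)
      throws Exception {
    KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
    trust.load(null, null);
    Collection<? extends CRL> crls;
    try (InputStream ca = new FileInputStream(caPath);
        InputStream crl = new FileInputStream(crlPath)) {
      trust.setCertificateEntry("ca", cf.generateCertificate(ca));
      crls = cf.generateCRLs(crl);
    }
    PKIXBuilderParameters params = new PKIXBuilderParameters(trust, new X509CertSelector());
    // With revocation on and default JDK settings, a certificate whose issuer
    // has no CRL in the store is rejected too: its status cannot be determined.
    params.setRevocationEnabled(true);
    params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
    TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
    tmf.init(new CertPathTrustManagerParameters(params));
    for (TrustManager tm : tmf.getTrustManagers()) {
      if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
    }
    throw new IllegalStateException("no X509TrustManager available");
  }

  public static void main(String[] args) throws Exception {
    if (args.length != 3) {
      System.err.println("usage: CrlCheckDemo <ca.pem> <crl.pem> <client.pem>");
      System.exit(2);
    }
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509TrustManager tm = build(cf, args[0], args[1]);
    try (InputStream in = new FileInputStream(args[2])) {
      X509Certificate client = (X509Certificate) cf.generateCertificate(in);
      tm.checkClientTrusted(new X509Certificate[] {client}, client.getPublicKey().getAlgorithm());
      System.out.println("accepted: " + client.getSubjectX500Principal());
    } catch (CertificateException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

The CRL is read once when the trust manager is built, so a newly published CRL takes effect only after the file is loaded again. In the proposed change, revocation checking is skipped entirely when the CRL file does not exist.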

Jul 3, 2013
#1 dborowitz@google.com
Thanks for the suggested fix. Please submit this patch via gerrit-review.googlesource.com following these instructions:
https://gerrit-review.googlesource.com/Documentation/dev-contributing.html

Aug 18, 2013
#3 sop@google.com
(No comment was entered for this change.)
Status: Submitted
Labels: FixedIn-2.8

Dec 9, 2013
Project Member #4 david.pu...@sonymobile.com
(No comment was entered for this change.)
Status: Released