Configuring Certificate Revocation
Certificate Revocation in JSSE can be done through two means: certificate revocation lists (CRLs) and OCSP.
Certificate Revocation can be very useful in situations where a server’s private keys are compromised, as in the case of Heartbleed.
Certificate Revocation is disabled by default in JSSE. It is defined in two places:
To enable OCSP, you must set the following system properties on the command line:
java -Dcom.sun.security.enableCRLDP=true -Dcom.sun.net.ssl.checkRevocation=true
After doing the above, you can enable certificate revocation in the client:
ssl-config.checkRevocation = true
Setting checkRevocation will set the internal ocsp.enable security property automatically:
java.security.Security.setProperty("ocsp.enable", "true")
And this will set OCSP checking when making HTTPS requests.
Enabling OCSP requires a round trip to the OCSP responder. This adds a notable overhead on HTTPS calls, and can make calls up to 33% slower. The mitigation technique, OCSP stapling, is not supported in JSSE.
Or, if you wish to use a static CRL list, you can define a list of URLs:
ssl-config.revocationLists = [ "http://example.com/crl" ]