Use optional CRL with CLIENT_SSL_CERT_LDAP

Gerrit with CLIENT_SSL_CERT_LDAP authentication uses no CRL
(certificate revocation list). This fix allows an optional CRL to be
configured so that client certificates can be validated against it.
Documentation updated.

Bug: issue 1990
Change-Id: I70768e71186e17d49d6b0c9bf19249188dc2bfa4
This commit is contained in:
Chulho Yang
2013-07-04 02:35:53 -04:00
committed by Shawn Pearce
parent ba149cefc0
commit b72ff8fa6e
2 changed files with 25 additions and 0 deletions


@@ -187,6 +187,12 @@ public class JettyServer {
if (AuthType.CLIENT_SSL_CERT_LDAP.equals(authType)) {
ssl.setNeedClientAuth(true);
File crl = getFile(cfg, "sslcrl", "etc/crl.pem");
if (crl.exists()) {
ssl.setCrlPath(crl.getAbsolutePath());
ssl.setValidatePeerCerts(true);
}
}
defaultPort = 443;