Interface RevocationConfig

All Superinterfaces:
Prototype.Api
All Known Implementing Classes:
RevocationConfig.BuilderBase.RevocationConfigImpl

public interface RevocationConfig extends Prototype.Api
Certificate revocation configuration. This configuration determines whether client certificate validation should also check that the certificate has not been revoked by its issuing certificate authority (that is, whether it is still considered valid by the CA before its expiration date).
Types of certificate revocation checks:
  • CRL - abbreviation for Certificate Revocation List. A list, published by a certificate authority, of certificates it has revoked before their expiration date
  • OCSP - abbreviation for Online Certificate Status Protocol. A real-time protocol used to query the status of a single certificate, providing immediate verification of its validity
Method Details:

    • builder

      static RevocationConfig.Builder builder()
      Create a new fluent API builder to customize configuration.
      Returns:
      a new builder
    • builder

      static RevocationConfig.Builder builder(RevocationConfig instance)
      Create a new fluent API builder from an existing instance.
      Parameters:
      instance - an existing instance used as a base for the builder
      Returns:
      a builder based on an instance
    • create

      static RevocationConfig create(Config config)
      Create a new instance from configuration.
      Parameters:
      config - used to configure the new instance
      Returns:
      a new instance configured from configuration
    • create

      static RevocationConfig create()
      Create a new instance with default values.
      Returns:
      a new instance
    • enabled

      boolean enabled()
      Flag indicating whether this revocation config is enabled.
      Returns:
      enabled flag
    • preferCrlOverOcsp

      boolean preferCrlOverOcsp()
      Prefer CRL over OCSP. Default value is false, so OCSP is the preferred method unless this flag is set.
      Returns:
      whether to prefer CRL over OCSP
    • checkOnlyEndEntity

      boolean checkOnlyEndEntity()
      Only check the revocation status of end-entity certificates. Default value is false.
      Returns:
      whether to check only end-entity certificates
    • fallbackEnabled

      boolean fallbackEnabled()
      Enable fallback to the less preferred checking option.
      If the primary method for revocation checking (CRL or OCSP, depending on preferCrlOverOcsp) fails to verify the revocation status of a certificate, the checker will attempt the alternative method. This option determines whether revocation checking is performed strictly with the preferred method only, or may fall back to the less preferred one. OCSP is preferred over the CRL by default.
      Returns:
      whether to allow fallback to the less preferred checking option
    • softFailEnabled

      boolean softFailEnabled()
      Allow the revocation check to succeed if the revocation status cannot be determined for one of the following reasons:
      • The CRL or OCSP response cannot be obtained because of a network error.
      • The OCSP responder returns one of the following errors specified in section 2.3 of RFC 2560: internalError or tryLater.
      Returns:
      whether soft fail is enabled
    • ocspResponderUri

      Optional<URI> ocspResponderUri()
      The URI that identifies the location of the OCSP responder. This overrides the ocsp.responderURL security property and any responder specified in a certificate's Authority Information Access Extension, as defined in RFC 5280.
      Returns:
      OCSP responder URI
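The following is an added example, not code from this page or from the project that generated it. It builds a RevocationConfig with the fluent builder and then shows how each option on this page corresponds to a revocation option of the JDK's PKIXRevocationChecker. Two assumptions: the interface is imported from the package io.helidon.common.tls, and the builder's setters carry the same names as the accessors documented above (enabled, preferCrlOverOcsp, checkOnlyEndEntity, fallbackEnabled, softFailEnabled, ocspResponderUri); neither is stated on this page. The mapping to PKIXRevocationChecker.Option is an illustration of the documented semantics, not a claim about the project's own implementation.

```java
import java.net.URI;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.util.EnumSet;
import java.util.Set;

// Assumed package and builder setter names (not stated on the page).
import io.helidon.common.tls.RevocationConfig;

public final class RevocationCheckerExample {

    /**
     * A strict configuration: checking enabled, OCSP tried first, CRL as fallback,
     * every certificate in the chain checked, and an undeterminable status treated as failure.
     */
    static RevocationConfig strictConfig(URI responder) {
        return RevocationConfig.builder()
                .enabled(true)
                .preferCrlOverOcsp(false)   // OCSP first (the documented default)
                .checkOnlyEndEntity(false)  // also check intermediate CA certificates
                .fallbackEnabled(true)      // try CRL when OCSP cannot answer
                .softFailEnabled(false)     // network error / tryLater is a hard failure
                .ocspResponderUri(responder)
                .build();
    }

    /**
     * Translate the page's flags into JDK revocation-checker options.
     * Note the inverted sense of fallbackEnabled: the JDK option is NO_FALLBACK.
     */
    static Set<PKIXRevocationChecker.Option> toJdkOptions(RevocationConfig cfg) {
        Set<PKIXRevocationChecker.Option> options =
                EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        if (cfg.preferCrlOverOcsp()) {
            options.add(PKIXRevocationChecker.Option.PREFER_CRLS);
        }
        if (cfg.checkOnlyEndEntity()) {
            options.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
        }
        if (!cfg.fallbackEnabled()) {
            options.add(PKIXRevocationChecker.Option.NO_FALLBACK);
        }
        if (cfg.softFailEnabled()) {
            options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        return options;
    }

    /**
     * Build PKIX validation parameters for the given trust anchors and attach a
     * revocation checker configured from cfg. When cfg is disabled, revocation
     * checking is switched off entirely.
     */
    static PKIXParameters pkixParameters(Set<TrustAnchor> anchors, RevocationConfig cfg)
            throws Exception {
        PKIXParameters params = new PKIXParameters(anchors);
        if (!cfg.enabled()) {
            params.setRevocationEnabled(false);
            return params;
        }
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) validator.getRevocationChecker();
        checker.setOptions(toJdkOptions(cfg));
        // An explicit responder overrides AIA extensions and the ocsp.responderURL property.
        cfg.ocspResponderUri().ifPresent(checker::setOcspResponder);
        params.setRevocationEnabled(true);
        // Adding the checker makes the validator use it instead of its default revocation check.
        params.addCertPathChecker(checker);
        return params;
    }
}
```

The parameters returned by pkixParameters are passed to CertPathValidator.validate together with the client's certificate chain. With strictConfig, a CRL or OCSP fetch that fails with a network error fails validation; setting softFailEnabled to true turns exactly the two situations listed under softFailEnabled above into a pass, which is the trade-off to weigh before enabling it on a server that cannot always reach the CA.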