
Applet Certificate CRL Distribution Point LDAP URL with no host

Telmo Simões (Member, Posts: 1)

Hello,

I'm developing a web application that uses applets signed with a certificate issued by the customer CA. That certificate contains a URL to a CRL Distribution Point that does not define the host and port. The certificate attributes "CRL Distribution Points" and "Authority Information Access" contain a URL similar to "ldap:///CN=my-cn...".

The log files generated by the Certificate Revocation-Checking API (C:\Users\[my_user]\AppData\LocalLow\Sun\Java\Deployment\log) indicate that the values "localhost" and "389" are being used for host and port.

...
certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for CN=xxx, O=yyy, L=zzz, C=PT
certpath: Trying to fetch CRL from DP ldap:///CN=_my-cn_?certificateRevocationList?base?objectClass=cRLDistributionPoint
certpath: CertStore URI:ldap:///CN=_my-cn_?certificateRevocationList?base?objectClass=cRLDistributionPoint
...
network: Connecting http://localhost:389/ with proxy=DIRECT
...
certpath: LDAPCertStore.engineInit about to throw InvalidAlgorithmParameterException
javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: Connection refused: connect]
  at com.sun.jndi.ldap.Connection.<init>(Unknown Source)
...

Can you confirm that the host is mandatory and that otherwise the default value "localhost" is used?

I read in the LDAP RFC (http://www.ietf.org/rfc/rfc4516.txt) that if the "host" field is not present, the client must have some a priori knowledge of an appropriate LDAP server to contact. Is it possible to configure the "host" attribute?

I'm using the JRE version 1.7.0_45 (build 1.7.0_45-b18).

Best regards,

Telmo Simões
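The situation in the post (a CRL Distribution Point whose LDAP URL has an empty host part, which the JRE's log shows being resolved to localhost:389) is easy to audit for before a certificate is deployed. The following is an added example, not code from the original post or from Oracle: it parses an LDAP URL into its RFC 4516 components (scheme, host, port, DN, attributes, scope, filter, extensions), flags URLs that omit the host, and reports which server a client would end up contacting if it falls back to a fixed default the way the post's log shows. The sample URLs, the fallback host/port parameters and the function names are constructed for this example.

```python
"""Parse RFC 4516 LDAP URLs and flag CRL Distribution Points with no host.

Added example; the sample URLs below are constructed. The first one mirrors
the shape of the URL quoted in the post's log.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote

SCOPES = {"base", "one", "sub"}
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass
class LdapUrl:
    scheme: str
    host: Optional[str]                  # None when the URL has no host part
    port: Optional[int]                  # None when no explicit port is given
    dn: str = ""
    attributes: List[str] = field(default_factory=list)
    scope: str = "base"                  # RFC 4516 default scope
    filter: str = "(objectClass=*)"      # RFC 4516 default filter
    extensions: List[str] = field(default_factory=list)


def parse_ldap_url(url: str) -> LdapUrl:
    """Split an LDAP URL per RFC 4516:
    scheme "://" [host [":" port]] ["/" dn ["?" [attrs] ["?" [scope] ["?" [filter] ["?" exts]]]]]
    """
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL: {url!r}")

    # Everything before the first "/" is host[:port]; it may legitimately be empty.
    hostport, _, tail = rest.partition("/")
    host: Optional[str] = None
    port: Optional[int] = None
    if hostport:
        if hostport.startswith("["):          # IPv6 literal, e.g. [2001:db8::1]:636
            end = hostport.index("]")
            host = hostport[: end + 1]
            if hostport[end + 1:].startswith(":"):
                port = int(hostport[end + 2:])
        else:
            host, _, p = hostport.partition(":")
            port = int(p) if p else None

    # The remaining components are separated by "?"; literal "?" must be %-encoded.
    parts = tail.split("?", 4)
    parts += [""] * (5 - len(parts))
    dn, attrs, scope, flt, exts = (unquote(p) for p in parts)

    if scope and scope.lower() not in SCOPES:
        raise ValueError(f"invalid scope {scope!r} in {url!r}")

    return LdapUrl(
        scheme=scheme,
        host=host,
        port=port,
        dn=dn,
        attributes=[a for a in attrs.split(",") if a],
        scope=scope.lower() or "base",
        filter=flt or "(objectClass=*)",
        extensions=[e for e in exts.split(",") if e],
    )


def audit_crl_dp(url: str, fallback_host: str = "localhost",
                 fallback_port: int = 389) -> dict:
    """Report whether a CRL DP URL names a server, and which server a client
    that falls back to a fixed default (as the post's JRE log shows) would hit.
    fallback_host/fallback_port are assumptions for this example."""
    u = parse_ldap_url(url)
    hostless = u.host is None
    if hostless:
        effective_host, effective_port = fallback_host, fallback_port
    else:
        effective_host = u.host
        effective_port = u.port or DEFAULT_PORTS[u.scheme]
    return {
        "url": url,
        "hostless": hostless,
        "dn": u.dn,
        "attributes": u.attributes,
        "effective_host": effective_host,
        "effective_port": effective_port,
        "finding": ("CRL DP omits the host; a client with no configured LDAP "
                    "server cannot fetch the CRL from it" if hostless else "ok"),
    }


# Constructed sample inputs (not taken from any real certificate).
SAMPLE_URLS = [
    "ldap:///CN=_my-cn_?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    "ldap://directory.example.test:3268/dc=example,dc=test?cn?sub?(objectClass=person)",
    "ldaps://[2001:db8::1]/dc=example,dc=test",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        r = audit_crl_dp(sample)
        print(f"{'HOSTLESS' if r['hostless'] else 'ok      '} "
              f"{r['effective_host']}:{r['effective_port']}  {r['url']}")
```

Running the script on the three constructed URLs marks only the first as hostless and shows it resolving to the fallback server; the other two carry an explicit host, with the port taken from the URL or from the scheme default (389 for ldap, 636 for ldaps). The same `audit_crl_dp` call can be applied to every CRL DP and AIA URL extracted from a certificate chain to catch a hostless distribution point before it reaches clients.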
