I am wondering how CRL check works in the Spark/Openfire ecosystem. I forced all TLS settings in Spark and Openfire, and provided them certificates from my own CA. I also have my own CRL distribution point in which I refresh my CRL from time to time.
When I revoke Spark's and/or Openfire's certificate, I'm expecting to get a connection refused, but I can still connect. I found some CRL check functions in Spark, and it seems to throw an exception on my end. The exception's message is basically the following:
NullPointerException in checkRevocation : Certificate doesn't have SubjectUniqueId.
To me, this message regards my Openfire’s certificate which is in Spark’s truststore. I don’t know whether this SubjectUniqueId attribute is mandatory, but when I manually check Openfire’s certificate revocation status against my CRL with openssl, I do get a revoked status in return.
Additionally, I found some comments in Openfire’s source code such as “//TODO: re-enable CRL checking”.
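The manual openssl check mentioned in the post, reproduced end to end as an added example (this is not code from the post, from Spark or from Openfire): it builds a throwaway CA, issues a leaf certificate, publishes a CRL, revokes the leaf, republishes the CRL and then verifies the leaf both with and without `-crl_check`. The second comparison is the point: a verifier that never consults the CRL accepts the revoked certificate, which is exactly the "I can still connect" behaviour described. It assumes `openssl` 1.1.1 or newer on PATH (for `-addext` and `-CRLfile`); the CA, subject names and directory layout are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: minimal CA + CRL round trip with
# openssl, then verification of the leaf with and without revocation checking.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create the flat-file database that `openssl ca` expects, plus a self-signed
# CA certificate whose keyUsage permits both certificate and CRL signing.
setup_ca() {
  mkdir -p newcerts
  : > index.txt
  echo 1000 > serial
  echo 1000 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo CA" -days 365 -config ca.cnf \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
}

# Issue one leaf certificate (hypothetical server name) from the demo CA.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=openfire.example" -config ca.cnf 2>/dev/null
  openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.crt -notext 2>/dev/null
}

# (Re)generate the CRL from the CA database; this is what a CRL distribution
# point would serve.
publish_crl() {
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

# Mark the leaf as revoked in the CA database (the CRL is not updated until
# publish_crl runs again).
revoke_leaf() {
  openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null
}

# Exit status 0 when the leaf chains to the CA and is NOT listed in the CRL.
check_leaf_with_crl() {
  openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl leaf.crt >/dev/null 2>&1
}

# Same chain check, but with revocation checking switched off: this is what a
# client that skips CRL processing effectively does.
check_leaf_without_crl() {
  openssl verify -CAfile ca.crt leaf.crt >/dev/null 2>&1
}

setup_ca
issue_leaf
publish_crl
if check_leaf_with_crl; then echo "before revocation: leaf accepted (expected)"; fi

revoke_leaf
publish_crl
if check_leaf_with_crl; then
  echo "after revocation, with CRL check: leaf accepted (unexpected)"
else
  echo "after revocation, with CRL check: leaf rejected (expected)"
fi
if check_leaf_without_crl; then
  echo "after revocation, without CRL check: leaf still accepted"
fi
```

Running the script prints the three expected lines; the last one shows that, as long as the CRL is never consulted, a freshly revoked certificate still verifies cleanly against the CA, so the `-crl_check` (or its equivalent in the client's TLS stack) is what makes the revocation take effect.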