From 3da9f69b474f333aae6aa08cee24e9ddc70f03d7 Mon Sep 17 00:00:00 2001
From: Marco Fargetta
Date: Thu, 20 Feb 2025 17:01:26 +0100
Subject: [PATCH] Enable certificate revocation check in NonBlockingSocketFactory

---
 .../org/dogtagpki/client/NonBlockingSocketFactory.java | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/base/common/src/main/java/org/dogtagpki/client/NonBlockingSocketFactory.java b/base/common/src/main/java/org/dogtagpki/client/NonBlockingSocketFactory.java
index dd59a0b6f6e..dab461e8fb2 100644
--- a/base/common/src/main/java/org/dogtagpki/client/NonBlockingSocketFactory.java
+++ b/base/common/src/main/java/org/dogtagpki/client/NonBlockingSocketFactory.java
@@ -79,18 +79,10 @@ public Socket connectSocket(Socket socket,
             KeyManagerFactory kmf = KeyManagerFactory.getInstance("NssX509", "Mozilla-JSS");
             KeyManager[] kms = kmf.getKeyManagers();
 
-            // Create JSSTrustManager since the default JSSNativeTrustManager
-            // does not support hostname validation and cert approval callback.
-            //
-            // JSSTrustManager currently does not support cert validation with
-            // OCSP and CRL.
-            //
-            // TODO: Fix JSSTrustManager to support OCSP and CRL, then replace
-            // DefaultSocketFactory with this class.
-
             JSSTrustManager trustManager = new JSSTrustManager();
             trustManager.setHostname(hostname);
             trustManager.setCallback(connection.getCallback());
+            trustManager.setEnableCertRevokeVerify(true);
 
             TrustManager[] tms = new TrustManager[] { trustManager };
 
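Review bot: The rationale for choosing JSSTrustManager over the default JSSNativeTrustManager (hostname validation and the cert-approval callback) is deleted together with the now-obsolete OCSP/CRL caveat, so the remaining code no longer says why the native trust manager is not used; keep that part of the comment above `JSSTrustManager trustManager = new JSSTrustManager();`, e.g. `// Use JSSTrustManager: the default JSSNativeTrustManager does not support hostname validation or the cert-approval callback.` The added `trustManager.setEnableCertRevokeVerify(true);` hard-codes revocation checking on with no visible configuration knob and gives no indication whether an unreachable OCSP responder or CRL fails the handshake or is ignored; if that policy is fixed inside JSSTrustManager it is worth stating here in one line, since a silent soft-fail would let an attacker who blocks the responder bypass the check, while a hard-fail changes behavior for clients that previously connected without revocation data. The removed TODO also proposed replacing DefaultSocketFactory with this class once OCSP/CRL worked; if that is still intended it should be tracked somewhere rather than dropped with the comment. connectSocket begins and continues outside the hunk.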