activemq-dev mailing list archives

From "Piotr Klimczak (JIRA)" <>
Subject [jira] [Commented] (AMQ-5008) Support for certificate revocation checking (with patch)
Date Tue, 19 Aug 2014 14:09:18 GMT


Piotr Klimczak commented on AMQ-5008:


Why is there no feedback here?
It is a very important feature for "security freaks".
The patch is not perfect, as it uses label jumps (a technique known from languages such as BASIC,
known from the 1960s).
But with a little tuning and some unit tests it might be very helpful.

Of course, once this functionality is done, there will be a problem of knowing that the certificate
used to establish the connection was compromised. So once a connection is established using a not yet compromised
certificate, the client app can still work as long as it does not disconnect.
But this is the second side of the problem.

> Support for certificate revocation checking (with patch)
> --------------------------------------------------------
>                 Key: AMQ-5008
>                 URL:
>             Project: ActiveMQ
>          Issue Type: New Feature
>          Components: Connector
>            Reporter: Michal Růžička
>            Priority: Minor
>         Attachments: CRL_checking.patch
> Currently it's possible to require client authentication during SSL/TLS handshake by adding {{needClientAuth=true}} query string to the respective connector URI. But it is not possible to configure revocation checking of the certificate submitted by the client.
> The attached patch adds the capability by introducing a new attribute - {{crl}} - of the {{org.apache.activemq.spring.SpringSslContext}} class and updating the {{org.apache.activemq.spring.SpringSslContext.createTrustManagers()}} method to make use of the value specified for the attribute in the corresponding {{<sslContext />}} tag as appropriate.
> The code is inspired by a similar code in jetty webserver:
> Please consider it for merging.

This message was sent by Atlassian JIRA
