activemq-dev mailing list archives

From "Piotr Klimczak (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (AMQ-5008) Support for certificate revocation checking (with patch)
Date Tue, 19 Aug 2014 14:11:20 GMT

    [ https://issues.apache.org/jira/browse/AMQ-5008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14102225#comment-14102225 ]

Piotr Klimczak edited comment on AMQ-5008 at 8/19/14 2:09 PM:
--------------------------------------------------------------

Hi.

Why is there no feedback here?
It is a very important feature for "security freaks".
The patch needs additional work as it uses label jumps (a technique known from languages such as
BASIC from the 1960s).
But with a little tuning and some unit tests it might be very useful and a kind of green light
for "security freaks", most often in the financial sector, like banks.

Of course, once this functionality is done, there will be the problem of knowing that a certificate
used to establish a connection was compromised. So once a connection is established using a
not-yet-compromised certificate, the client app can still work as long as it does not disconnect.
But this is the second side of the problem.

Greetings
Piotr Klimczak


was (Author: nannou9):
Hi.

Why is there no feedback here?
It is a very important feature for "security freaks".
The patch needs additional work as it uses label jumps (a technique known from languages such as
BASIC from the 1960s).
But with a little tuning and some unit tests it might be very helpful.

Of course, once this functionality is done, there will be the problem of knowing that a certificate
used to establish a connection was compromised. So once a connection is established using a
not-yet-compromised certificate, the client app can still work as long as it does not disconnect.
But this is the second side of the problem.

Greetings
Piotr Klimczak

> Support for certificate revocation checking (with patch)
> --------------------------------------------------------
>
>                 Key: AMQ-5008
>                 URL: https://issues.apache.org/jira/browse/AMQ-5008
>             Project: ActiveMQ
>          Issue Type: New Feature
>          Components: Connector
>            Reporter: Michal Růžička
>            Priority: Minor
>         Attachments: CRL_checking.patch
>
>
> Currently it's possible to require client authentication during SSL/TLS handshake by adding {{needClientAuth=true}} query string to the respective connector URI. But it is not possible to configure revocation checking of the certificate submitted by the client.
> The attached patch adds the capability by introducing a new attribute - {{crl}} - of the {{org.apache.activemq.spring.SpringSslContext}} class and updating the {{org.apache.activemq.spring.SpringSslContext.createTrustManagers()}} method to make use of the value specified for the attribute in the corresponding {{<sslContext />}} tag as appropriate.
> The code is inspired by a similar code in jetty webserver: https://github.com/eclipse/jetty.project/blob/release-9/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L927-L965
> Please consider it for merging.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
