activemq-users mailing list archives

From Justin Bertram <jbert...@apache.org>
Subject Re: Artemis CRL
Date Mon, 11 Dec 2017 19:34:29 GMT
Can you describe how you created the activemq-revoke.crl that's in your
example?


Justin

On Mon, Dec 11, 2017 at 9:47 AM, Justin Bertram <jbertram@apache.org> wrote:

> The CRL logic applies to the *trust* manager.  The way your example is
> configured the CRL is specified on the broker side.  In order to make use
> of the CRL the client has to present a certificate for the broker to
> trust.  However, the acceptor in your example (and test) is not configured
> to require the client to present a certificate.  You need to add
> "needClientAuth=true" and then you should see the broker reject the
> client's cert.
>
>
> Justin
>
> On Mon, Dec 11, 2017 at 8:43 AM, Raul Valdoleiros <
> raul.valdoleiros.oliveira@gmail.com> wrote:
>
>> The server accepts the connection of the client with the revoked
>> certificate, I think it should reject the connection.
>> I add an example of that in the commit.
>>
>> 2017-12-11 14:05 GMT+00:00 Justin Bertram <jbertram@apache.org>:
>>
>> > I took a quick look over the code and it looks good to me.  What
>> > specifically isn't working?
>> >
>> >
>> > Justin
>> >
>> > On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros <
>> > raul.valdoleiros.oliveira@gmail.com> wrote:
>> >
>> > > Hi Justin,
>> > >
>> > > What I did is available in the commit:
>> > > https://github.com/Skiler/activemq-artemis/commit/2e67595c30856666eb62122906b22a3398f9de47
>> > > Definitely I did something wrong, perhaps some basic mistake. I
>> > >
>> > > Thanks in advance,
>> > > Raul
>> > >
>> > > 2017-12-08 20:51 GMT+00:00 Justin Bertram <jbertram@apache.org>:
>> > >
>> > > > FYI - I opened ARTEMIS-1548 [1] for this.
>> > > >
>> > > >
>> > > > Justin
>> > > >
>> > > > [1] https://issues.apache.org/jira/browse/ARTEMIS-1548
>> > > >
>> > > > On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram <jbertram@apache.org> wrote:
>> > > >
>> > > > > > I copied the code and the certificates from activemq.
>> > > > >
>> > > > > What code and certs did you copy and where did you copy it to?
>> > > > >
>> > > > > > My guess is artemis is delegating the ssl infrastructure in Netty and
>> > > > > > netty isn't supporting CRL by default. Not sure about it.
>> > > > >
>> > > > > The SSL handshake is done by Netty in Artemis.  However, the SSLContext
>> > > > > used (which includes the trust manager) is created by Artemis itself in
>> > > > > the class I specified in my previous email.
>> > > > >
>> > > > > > I need ocsp too, I thought I could add copy both features to artemis.
>> > > > > > No luck until now.
>> > > > >
>> > > > > I don't think it will be too hard to implement both in Artemis.  I'll
>> > > > > give it a closer look when I get the chance.
>> > > > >
>> > > > >
>> > > > > Justin
>> > > > >
>> > > > > On Thu, Dec 7, 2017 at 4:23 PM, Raul Valdoleiros <
>> > > > > raul.valdoleiros.oliveira@gmail.com> wrote:
>> > > > >
>> > > > >> Hi Justin,
>> > > > >>
>> > > > >> I already tried it (I tried before sending the e-mail), and it didn't
>> > > > >> work. I copied the code and the certificates from activemq. My guess is
>> > > > >> artemis is delegating the ssl infrastructure in Netty and netty isn't
>> > > > >> supporting CRL by default. Not sure about it. I'm assuming activemq
>> > > > >> doesn't use netty.
>> > > > >> I need ocsp too, I thought I could add copy both features to artemis.
>> > > > >> No luck until now.
>> > > > >>
>> > > > >> Thanks in advance,
>> > > > >> Raul
>> > > > >>
>> > > > >>
>> > > > >> On 07/12/2017 5:36 p.m., "Justin Bertram" <jbertram@redhat.com> wrote:
>> > > > >>
>> > > > >> Artemis doesn't support CRL.  However, you should be able to adapt what's
>> > > > >> done in 5.x in org.apache.activemq.spring.SpringSslContext to work in
>> > > > >> Artemis in org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.
>> > > > >> Let me know if you're moving forward with this work otherwise I'll take a
>> > > > >> closer look.
>> > > > >>
>> > > > >>
>> > > > >> Justin
>> > > > >>
>> > > > >> On Thu, Dec 7, 2017 at 2:27 AM, Raul Valdoleiros <
>> > > > >> raul.valdoleiros.oliveira@gmail.com> wrote:
>> > > > >>
>> > > > >> > Hi,
>> > > > >> >
>> > > > >> > Does Artemis support certificate revocation lists? If not, I'm available
>> > > > >> > to try to implement it if you give some insights about it.
>> > > > >> >
>> > > > >> > Thanks in advance,
>> > > > >> > Raul
>> > > > >> >
>> > > > >>
>> > > > >
>> > > > >
>> > > >
>> > >
>> >
>>
>
>
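
Added example, not part of the thread and not code from Artemis or ActiveMQ: a plain JSSE sketch of the two points made above, a CRL wired into the server-side trust manager and an engine that requires a client certificate. The class name, method names and argument order are hypothetical; the keystore, truststore and CRL paths and the password are supplied by the caller.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Collection;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;

public class CrlServerContext {  // hypothetical name, for illustration only
    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    // Server-side context whose trust manager rejects peer certs listed in the CRL.
    static SSLContext build(String keyStore, String trustStore, String crlFile, char[] pw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStore, pw), pw);

        Collection<? extends CRL> crls;
        try (InputStream in = new FileInputStream(crlFile)) {
            crls = CertificateFactory.getInstance("X.509").generateCRLs(in);
        }
        // Trust anchors come from the truststore; the CRLs are offered as a CertStore.
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(load(trustStore, pw), new X509CertSelector());
        pkix.setRevocationEnabled(true);
        pkix.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));

        // Only the "PKIX" factory accepts CertPathTrustManagerParameters.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Usage: java CrlServerContext <keystore> <truststore> <crl> <password>
    public static void main(String[] args) throws Exception {
        SSLEngine engine = build(args[0], args[1], args[2], args[3].toCharArray()).createSSLEngine();
        engine.setUseClientMode(false);
        // Without this the server never requests a client cert, so the CRL is never consulted.
        engine.setNeedClientAuth(true);
        System.out.println("needClientAuth=" + engine.getNeedClientAuth());
    }
}
```

With revocation checking enabled, the PKIX validator fails the handshake when it cannot determine revocation status for a certificate in the client's chain, so the supplied CRL has to come from the CA that issued the client certificates.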
