activemq-users mailing list archives

From Hadrian Zbarcea <hzbar...@gmail.com>
Subject Re: Artemis CRL
Date Mon, 11 Dec 2017 21:29:22 GMT
Keep in mind that CRLs are not used much because of a few reasons. One 
of the main ones is the heavy burden on ops/maintenance. You may want to 
take a look at OCSP.

My $0.02,
Hadrian


On 12/11/2017 02:34 PM, Justin Bertram wrote:
> Can you describe how you created the activemq-revoke.crl that's in your
> example?
> 
> 
> Justin
> 
> On Mon, Dec 11, 2017 at 9:47 AM, Justin Bertram <jbertram@apache.org> wrote:
> 
>> The CRL logic applies to the *trust* manager.  The way your example is
>> configured the CRL is specified on the broker side.  In order to make use
>> of the CRL the client has to present a certificate for the broker to
>> trust.  However, the acceptor in your example (and test) is not configured
>> to require the client to present a certificate.  You need to add
>> "needClientAuth=true" and then you should see the broker reject the
>> client's cert.
>>
>>
>> Justin
>>
>> On Mon, Dec 11, 2017 at 8:43 AM, Raul Valdoleiros <
>> raul.valdoleiros.oliveira@gmail.com> wrote:
>>
>>> The server accepts the connection of the client with the revoked
>>> certificate; I think it should reject the connection.
>>> I added an example of that in the commit.
>>>
>>> 2017-12-11 14:05 GMT+00:00 Justin Bertram <jbertram@apache.org>:
>>>
>>>> I took a quick look over the code and it looks good to me.  What
>>>> specifically isn't working?
>>>>
>>>>
>>>> Justin
>>>>
>>>> On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros <
>>>> raul.valdoleiros.oliveira@gmail.com> wrote:
>>>>
>>>>> Hi Justin,
>>>>>
>>>>> What I did is available in the commit:
>>>>> https://github.com/Skiler/activemq-artemis/commit/2e67595c30856666eb62122906b22a3398f9de47
>>>>> Definitely I did something wrong, perhaps some basic mistake. I
>>>>>
>>>>> Thanks in advance,
>>>>> Raul
>>>>>
>>>>> 2017-12-08 20:51 GMT+00:00 Justin Bertram <jbertram@apache.org>:
>>>>>
>>>>>> FYI - I opened ARTEMIS-1548 [1] for this.
>>>>>>
>>>>>>
>>>>>> Justin
>>>>>>
>>>>>> [1] https://issues.apache.org/jira/browse/ARTEMIS-1548
>>>>>>
>>>>>> On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram <jbertram@apache.org>
>>>>>> wrote:
>>>>>>
>>>>>>>> I copied the code and the certificates from ActiveMQ.
>>>>>>>
>>>>>>> What code and certs did you copy and where did you copy it to?
>>>>>>>
>>>>>>>> My guess is Artemis is delegating the SSL infrastructure to Netty
>>>>>>>> and Netty isn't supporting CRL by default. Not sure about it.
>>>>>>>
>>>>>>> The SSL handshake is done by Netty in Artemis.  However, the SSLContext
>>>>>>> used (which includes the trust manager) is created by Artemis itself
>>>>>>> in the class I specified in my previous email.
>>>>>>>
>>>>>>>> I need OCSP too; I thought I could copy both features to Artemis.
>>>>>>>> No luck until now.
>>>>>>>
>>>>>>> I don't think it will be too hard to implement both in Artemis.  I'll
>>>>>>> give it a closer look when I get the chance.
>>>>>>>
>>>>>>>
>>>>>>> Justin
>>>>>>>
>>>>>>> On Thu, Dec 7, 2017 at 4:23 PM, Raul Valdoleiros <
>>>>>>> raul.valdoleiros.oliveira@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Justin,
>>>>>>>>
>>>>>>>> I already tried it (I tried before sending the e-mail), and it didn't
>>>>>>>> work. I copied the code and the certificates from ActiveMQ. My guess
>>>>>>>> is Artemis is delegating the SSL infrastructure to Netty and Netty
>>>>>>>> isn't supporting CRL by default. Not sure about it. I'm assuming
>>>>>>>> ActiveMQ doesn't use Netty.
>>>>>>>> I need OCSP too; I thought I could copy both features to Artemis.
>>>>>>>> No luck until now.
>>>>>>>>
>>>>>>>> Thanks in advance,
>>>>>>>> Raul
>>>>>>>>
>>>>>>>>
>>>>>>>> Em 07/12/2017 5:36 p.m., "Justin Bertram" <jbertram@redhat.com>
>>>>>> escreveu:
>>>>>>>>
>>>>>>>> Artemis doesn't support CRL.  However, you should be able to adapt
>>>>>>>> what's done in 5.x in org.apache.activemq.spring.SpringSslContext to
>>>>>>>> work in Artemis in
>>>>>>>> org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.
>>>>>>>> Let me know if you're moving forward with this work; otherwise I'll
>>>>>>>> take a closer look.
>>>>>>>>
>>>>>>>>
>>>>>>>> Justin
>>>>>>>>
>>>>>>>> On Thu, Dec 7, 2017 at 2:27 AM, Raul Valdoleiros <
>>>>>>>> raul.valdoleiros.oliveira@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Does Artemis support certificate revocation lists? If not, I'm
>>>>>>>>> available to try to implement it if you give some insights about it.
>>>>>>>>>
>>>>>>>>> Thanks in advance,
>>>>>>>>> Raul
>>>>>>>>>
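The thread above settles two points: the CRL belongs to the trust manager, and the trust manager is only consulted when the acceptor requires the client to present a certificate (needClientAuth=true). The following is an added example, not the Artemis SSLSupport or the ActiveMQ 5.x SpringSslContext code discussed in the thread, showing how a JDK SSLContext is built so that its PKIX trust manager rejects a peer certificate listed in a CRL file, with OCSP fallback as an opt-in. The class name, file paths and passwords are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.Collection;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not Artemis or ActiveMQ 5.x code): an SSLContext whose PKIX
 * trust manager checks peer certificates against a CRL file. The class name,
 * paths and passwords are assumptions for illustration.
 */
public final class CrlTrustExample {

    public static SSLContext build(String keyStorePath, String keyStorePassword,
                                   String trustStorePath, String trustStorePassword,
                                   String crlPath, boolean fallbackToOcsp) throws Exception {
        KeyStore keyStore = loadKeyStore(keyStorePath, keyStorePassword);
        KeyStore trustStore = loadKeyStore(trustStorePath, trustStorePassword);

        // Parse the CRL file (DER or PEM; the X.509 CertificateFactory accepts both).
        Collection<? extends CRL> crls;
        try (InputStream in = new FileInputStream(crlPath)) {
            crls = CertificateFactory.getInstance("X.509").generateCRLs(in);
        }

        // Trust anchors come from the truststore; the CRL is handed to the path
        // validator through a Collection CertStore. Without setRevocationEnabled(true)
        // the CRL is silently ignored and a revoked certificate is accepted.
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(true);
        pkix.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));

        // Explicit revocation checker: prefer the local CRL and, unless fallbackToOcsp
        // is set, fail closed (NO_FALLBACK) when the CRL does not cover an issuer
        // instead of quietly trying the OCSP responder from the certificate's AIA.
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        EnumSet<PKIXRevocationChecker.Option> opts = EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS);
        if (!fallbackToOcsp) {
            opts.add(PKIXRevocationChecker.Option.NO_FALLBACK);
        }
        checker.setOptions(opts);
        pkix.addCertPathChecker(checker);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword.toCharArray());

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Server-side engine. The trust manager, and therefore the CRL, is only
     * consulted when the client is required to present a certificate; this is
     * the needClientAuth=true from the thread expressed on a raw SSLEngine.
     */
    public static SSLEngine serverEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true);
        return engine;
    }

    private static KeyStore loadKeyStore(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }
}
```

Two checks worth doing before blaming the broker: the CRL must be signed by the issuer of the certificate being rejected (a CRL from a different CA is simply not applicable and validation fails for the wrong reason), and the CRL's nextUpdate must not be in the past, because an expired CRL with NO_FALLBACK makes every handshake fail rather than only the revoked one. That fail-closed behaviour is the ops burden Hadrian refers to, and it is the reason a stale CRL file has to be treated as an outage, not a warning.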
