Re: Artemis CRL

2017-12-14 Thread Raul Valdoleiros
Hi Justin, I created a new pull request with the changes you mentioned. https://github.com/apache/activemq-artemis/pull/1715 Somehow I'm having problems amending the commits, so I created a new PR. Raul 2017-12-14 15:44 GMT+00:00 Justin Bertram : > You'd need to add instructions to both the tes

Re: Artemis CRL

2017-12-14 Thread Justin Bertram
You'd need to add instructions to both the test (see an example here [1]) and the example. Also, take a look at the modifications I made to your previous test submitted for the MQTT cluster issue [2]. It's preferable to have the configuration done programmatically rather than in a separate broker

Re: Artemis CRL

2017-12-14 Thread Raul Valdoleiros
In this pull request ( https://github.com/apache/activemq-artemis/pull/1708 ) you have: - an example -> examples/features/standard/ssl-enabled-crl-mqtt/ - a test -> tests/integration-t

Re: Artemis CRL

2017-12-14 Thread Justin Bertram
Are there instructions about how to do what you did in your example or your test? Any artifacts packaged with an example or a test should be able to be easily re-created by an interested user/developer. Justin On Thu, Dec 14, 2017 at 5:37 AM, Raul Valdoleiros < raul.valdoleiros.olive...@gmail.c

Re: Artemis CRL

2017-12-14 Thread Raul Valdoleiros
Hi Justin, I created new certificates and crls, created from scratch. Thanks, Raul 2017-12-12 10:09 GMT+00:00 Raul Valdoleiros < raul.valdoleiros.olive...@gmail.com>: > Hi Justin, > > I copied the activemq-revoke.crl from the activemq repository. I will try > to add the documentation today or t

Re: Artemis CRL

2017-12-12 Thread Raul Valdoleiros
Hi Justin, I copied the activemq-revoke.crl from the activemq repository. I will try to add the documentation today or tomorrow, I've a busy day today :( Thanks, Raul 2017-12-12 3:09 GMT+00:00 Justin Bertram : > If you look at Raul's commit you'll see support for OCSP in there. Really > what's

Re: Artemis CRL

2017-12-11 Thread Justin Bertram
If you look at Raul's commit you'll see support for OCSP in there. Really what's left is some testing and documentation to round it out (which was why I was asking about how to generate the CRL). In any case, thanks (as always) for your input. Justin On Mon, Dec 11, 2017 at 3:29 PM, Hadrian Zb

Re: Artemis CRL

2017-12-11 Thread Hadrian Zbarcea
Keep in mind that CRLs are not used much because of a few reasons. One of the main ones is the heavy burden on ops/maintenance. You may want to take a look at ocsp. My $0.02, Hadrian On 12/11/2017 02:34 PM, Justin Bertram wrote: Can you describe how you created the activemq-revoke.crl that's

Re: Artemis CRL

2017-12-11 Thread Justin Bertram
Can you describe how you created the activemq-revoke.crl that's in your example? Justin On Mon, Dec 11, 2017 at 9:47 AM, Justin Bertram wrote: > The CRL logic applies to the *trust* manager. The way your example is > configured the CRL is specified on the broker side. In order to make use >

Re: Artemis CRL

2017-12-11 Thread Justin Bertram
The CRL logic applies to the *trust* manager. The way your example is configured the CRL is specified on the broker side. In order to make use of the CRL the client has to present a certificate for the broker to trust. However, the acceptor in your example (and test) is not configured to require

Re: Artemis CRL

2017-12-11 Thread Raul Valdoleiros
The server accepts the connection of the client with the revoked certificate, I think it should reject the connection. I added an example of that in the commit. 2017-12-11 14:05 GMT+00:00 Justin Bertram : > I took a quick look over the code and it looks good to me. What > specifically isn't workin

Re: Artemis CRL

2017-12-11 Thread Justin Bertram
I took a quick look over the code and it looks good to me. What specifically isn't working? Justin On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros < raul.valdoleiros.olive...@gmail.com> wrote: > Hi Justin, > > What I did is available in the commit: > https://github.com/Skiler/activemq-artemi

Re: Artemis CRL

2017-12-11 Thread Raul Valdoleiros
Hi Justin, What I did is available in the commit: https://github.com/Skiler/activemq-artemis/commit/2e67595c3085eb62122906b22a3398f9de47 Definitely I did something wrong, perhaps some basic mistake. I Thanks in advance, Raul 2017-12-08 20:51 GMT+00:00 Justin Bertram : > FYI - I opened ARTEM

Re: Artemis CRL

2017-12-08 Thread Justin Bertram
FYI - I opened ARTEMIS-1548 [1] for this. Justin [1] https://issues.apache.org/jira/browse/ARTEMIS-1548 On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram wrote: > > I copied the code and the certificates from activemq. > > What code and certs did you copy and where did you copy it to? > > > My

Re: Artemis CRL

2017-12-07 Thread Justin Bertram
> I copied the code and the certificates from activemq.

What code and certs did you copy and where did you copy it to?

> My guess is artemis is delegating the ssl infrastructure in Netty and netty isn't supporting CRL by default. Not sure about it.

The SSL handshake is done by Netty in Artemis.

Re: Artemis CRL

2017-12-07 Thread Raul Valdoleiros
Hi Justin, I already tried it (I tried before sending the e-mail), and it didn't work. I copied the code and the certificates from activemq. My guess is artemis is delegating the ssl infrastructure in Netty and netty isn't supporting CRL by default. Not sure about it. I'm assuming activemq doesn't use nett

Re: Artemis CRL

2017-12-07 Thread Justin Bertram
Artemis doesn't support CRL. However, you should be able to adapt what's done in 5.x in org.apache.activemq.spring.SpringSslContext to work in Artemis in org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport. Let me know if you're moving forward with this work otherwise I'll take a closer

Artemis CRL

2017-12-07 Thread Raul Valdoleiros
Hi, does Artemis support certificate revocation lists? If not, I'm available to try to implement it if you give some insights about it. Thanks in advance, Raul