The CRL logic applies to the *trust* manager.  The way your example is
configured the CRL is specified on the broker side.  In order to make use
of the CRL the client has to present a certificate for the broker to
trust.  However, the acceptor in your example (and test) is not configured
to require the client to present a certificate.  You need to add
"needClientAuth=true" and then you should see the broker reject the
client's cert.


Justin

On Mon, Dec 11, 2017 at 8:43 AM, Raul Valdoleiros <
raul.valdoleiros.olive...@gmail.com> wrote:

> The server accepts the connection of the client with the revoked
> certificate, I think it should reject the connection.
> I add an example of that in the commit.
>
> 2017-12-11 14:05 GMT+00:00 Justin Bertram <jbert...@apache.org>:
>
> > I took a quick look over the code and it looks good to me.  What
> > specifically isn't working?
> >
> >
> > Justin
> >
> > On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros <
> > raul.valdoleiros.olive...@gmail.com> wrote:
> >
> > > Hi Justin,
> > >
> > > What I did is available in the commit:
> > > > https://github.com/Skiler/activemq-artemis/commit/2e67595c30856666eb62122906b22a3398f9de47
> > > Definitely I did something wrong, perhaps some basic mistake. I
> > >
> > > Thanks in advance,
> > > Raul
> > >
> > > 2017-12-08 20:51 GMT+00:00 Justin Bertram <jbert...@apache.org>:
> > >
> > > > FYI - I opened ARTEMIS-1548 [1] for this.
> > > >
> > > >
> > > > Justin
> > > >
> > > > [1] https://issues.apache.org/jira/browse/ARTEMIS-1548
> > > >
> > > > On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram <jbert...@apache.org>
> > > > wrote:
> > > >
> > > > > > > I copied the code and the certificates from ActiveMQ.
> > > > >
> > > > > What code and certs did you copy and where did you copy it to?
> > > > >
> > > > > > > My guess is Artemis is delegating the SSL infrastructure in Netty and
> > > > > > > Netty isn't supporting CRL by default. Not sure about it.
> > > > >
> > > > > > The SSL handshake is done by Netty in Artemis.  However, the SSLContext
> > > > > > used (which includes the trust manager) is created by Artemis itself in the
> > > > > > class I specified in my previous email.
> > > > >
> > > > > > > I need OCSP too, I thought I could add copy both features to Artemis. No
> > > > > > > luck until now.
> > > > >
> > > > > > I don't think it will be too hard to implement both in Artemis.  I'll give
> > > > > > it a closer look when I get the chance.
> > > > >
> > > > >
> > > > > Justin
> > > > >
> > > > > On Thu, Dec 7, 2017 at 4:23 PM, Raul Valdoleiros <
> > > > > raul.valdoleiros.olive...@gmail.com> wrote:
> > > > >
> > > > >> Hi Justin,
> > > > >>
> > > > > >> I already tried it (I tried before sending the e-mail), and it didn't work. I
> > > > > >> copied the code and the certificates from ActiveMQ. My guess is Artemis is
> > > > > >> delegating the SSL infrastructure in Netty and Netty isn't supporting CRL
> > > > > >> by default. Not sure about it. I'm assuming ActiveMQ doesn't use Netty.
> > > > > >> I need OCSP too, I thought I could add copy both features to Artemis. No
> > > > > >> luck until now.
> > > > >>
> > > > >> Thanks in advance,
> > > > >> Raul
> > > > >>
> > > > >>
> > > > > >> On 07/12/2017 5:36 p.m., "Justin Bertram" <jbert...@redhat.com> wrote:
> > > > >>
> > > > > >> Artemis doesn't support CRL.  However, you should be able to adapt what's
> > > > > >> done in 5.x in org.apache.activemq.spring.SpringSslContext to work in
> > > > > >> Artemis in org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.
> > > > > >> Let me know if you're moving forward with this work otherwise I'll take a
> > > > > >> closer look.
> > > > >>
> > > > >>
> > > > >> Justin
> > > > >>
> > > > >> On Thu, Dec 7, 2017 at 2:27 AM, Raul Valdoleiros <
> > > > >> raul.valdoleiros.olive...@gmail.com> wrote:
> > > > >>
> > > > >> > Hi,
> > > > >> >
> > > > > >> > Does Artemis support certificate revocation lists? If not, I'm available
> > > > > >> > to try to implement it if you give some insights about it.
> > > > >> >
> > > > >> > Thanks in advance,
> > > > >> > Raul
> > > > >> >
> > > > >>
> > > > >
> > > > >
> > > >
> > >
> >
>
