Keep in mind that CRLs are not used much because of a few reasons. One of the main ones is the heavy burden on ops/maintenance. You may want to take a look at ocsp.

My $0.02,
Hadrian


On 12/11/2017 02:34 PM, Justin Bertram wrote:
Can you describe how you created the activemq-revoke.crl that's in your
example?


Justin

On Mon, Dec 11, 2017 at 9:47 AM, Justin Bertram <jbert...@apache.org> wrote:

The CRL logic applies to the *trust* manager.  The way your example is
configured the CRL is specified on the broker side.  In order to make use
of the CRL the client has to present a certificate for the broker to
trust.  However, the acceptor in your example (and test) is not configured
to require the client to present a certificate.  You need to add
"needClientAuth=true" and then you should see the broker reject the
client's cert.


Justin
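As an added illustration of Justin's point above (the CRL is consulted by the trust manager, so the broker only gets to reject a revoked client certificate when the acceptor requires client authentication) and of Hadrian's suggestion at the top of the thread to look at OCSP instead, here is a stand-alone Java example. It is not Artemis code and not the code from the commit under discussion; it uses only the JDK's PKIX API. The file names broker-keystore.jks and broker-truststore.jks and the password are assumptions; activemq-revoke.crl is the CRL name from the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.ArrayList;
import java.util.Collection;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;

/** Example (not Artemis code): a server-side SSLContext whose trust manager honours a CRL. */
public final class CrlTrustManagerExample {

    /** PKIX parameters over the trust store with the given CRL files loaded into a CertStore. */
    public static PKIXBuilderParameters pkixWithCrls(KeyStore trustStore, String... crlPaths) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<CRL> crls = new ArrayList<>();
        for (String path : crlPaths) {
            try (InputStream in = new FileInputStream(path)) {
                crls.addAll(cf.generateCRLs(in)); // accepts DER or PEM; a file may hold several CRLs
            }
        }
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(true); // without this flag the CRLs below are never consulted
        pkix.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        return pkix;
    }

    /** Alternative to a static CRL file: the JDK revocation checker, which tries OCSP first and
     *  falls back to CRL distribution points; with default options an unreachable responder fails
     *  validation rather than silently passing. Needs network access from the broker. */
    public static PKIXBuilderParameters withOcspChecker(PKIXBuilderParameters pkix) throws Exception {
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        pkix.addCertPathChecker(checker);
        return pkix;
    }

    /** Trust manager factory driven by the PKIX parameters (this is where the CRL check lives). */
    public static TrustManagerFactory trustManagerFactory(PKIXBuilderParameters pkix) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf;
    }

    public static SSLContext serverContext(KeyStore keyStore, char[] keyPassword,
                                           PKIXBuilderParameters pkix) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), trustManagerFactory(pkix).getTrustManagers(), null);
        return ctx;
    }

    /** The equivalent of the acceptor's needClientAuth=true: without it the client never
     *  presents a certificate, the trust manager never runs, and the CRL is irrelevant. */
    public static SSLEngine serverEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true);
        return engine;
    }

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // assumed password
        KeyStore ks = load("broker-keystore.jks", pw);   // assumed file name
        KeyStore ts = load("broker-truststore.jks", pw); // assumed file name
        PKIXBuilderParameters pkix = pkixWithCrls(ts, "activemq-revoke.crl");
        SSLEngine engine = serverEngine(serverContext(ks, pw, pkix));
        System.out.println("needClientAuth=" + engine.getNeedClientAuth());
    }
}
```

A handshake from a client whose certificate serial appears in the CRL now fails with a CertPathValidatorException inside the trust manager; the same would happen with `withOcspChecker(pkix)` if the issuer's responder reports the certificate revoked. The static CRL variant is what Hadrian's remark is about: someone has to regenerate and redeploy that file whenever a certificate is revoked, whereas the OCSP checker asks the responder at handshake time.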

On Mon, Dec 11, 2017 at 8:43 AM, Raul Valdoleiros <
raul.valdoleiros.olive...@gmail.com> wrote:

The server accepts the connection of the client with the revoked
certificate; I think it should reject the connection.
I added an example of that in the commit.

2017-12-11 14:05 GMT+00:00 Justin Bertram <jbert...@apache.org>:

I took a quick look over the code and it looks good to me.  What
specifically isn't working?


Justin

On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros <
raul.valdoleiros.olive...@gmail.com> wrote:

Hi Justin,

What I did is available in the commit:
https://github.com/Skiler/activemq-artemis/commit/2e67595c30856666eb62122906b22a3398f9de47
Definitely I did something wrong, perhaps some basic mistake. I

Thanks in advance,
Raul

2017-12-08 20:51 GMT+00:00 Justin Bertram <jbert...@apache.org>:

FYI - I opened ARTEMIS-1548 [1] for this.


Justin

[1] https://issues.apache.org/jira/browse/ARTEMIS-1548

On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram <jbert...@apache.org> wrote:

I copied the code and the certificates from activemq.

What code and certs did you copy and where did you copy it to?

My guess is artemis is delegating the ssl infrastructure in Netty and
netty isn't supporting CRL by default. Not sure about it.

The SSL handshake is done by Netty in Artemis.  However, the SSLContext
used (which includes the trust manager) is created by Artemis itself in
the class I specified in my previous email.

I need ocsp too, i thought i could add copy both features to artemis.
No luck until now.

I don't think it will be too hard to implement both in Artemis.  I'll
give it a closer look when I get the chance.


Justin

On Thu, Dec 7, 2017 at 4:23 PM, Raul Valdoleiros <
raul.valdoleiros.olive...@gmail.com> wrote:

Hi Justin,

I already tried it (I tried before sending the e-mail), and it didn't
work. I copied the code and the certificates from activemq. My guess is
artemis is delegating the ssl infrastructure in Netty and netty isn't
supporting CRL by default. Not sure about it. I'm assuming activemq doesn't
use netty.
I need ocsp too, I thought I could add/copy both features to artemis.
No luck until now.

Thanks in advance,
Raul


On 07/12/2017 5:36 p.m., "Justin Bertram" <jbert...@redhat.com> wrote:

Artemis doesn't support CRL.  However, you should be able to adapt what's
done in 5.x in org.apache.activemq.spring.SpringSslContext to work in
Artemis in org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.
Let me know if you're moving forward with this work otherwise I'll take a
closer look.


Justin

On Thu, Dec 7, 2017 at 2:27 AM, Raul Valdoleiros <
raul.valdoleiros.olive...@gmail.com> wrote:

Hi,

Does Artemis support a certificate revocation list? If not, I'm available
to try to implement it if you give some insights about it.

Thanks in advance,
Raul