If you look at Raul's commit you'll see support for OCSP in there. Really what's left is some testing and documentation to round it out (which was why I was asking about how to generate the CRL).
In any case, thanks (as always) for your input.

Justin

On Mon, Dec 11, 2017 at 3:29 PM, Hadrian Zbarcea <hzbar...@gmail.com> wrote:
> Keep in mind that CRLs are not used much because of a few reasons. One of the main ones is the heavy burden on ops/maintenance. You may want to take a look at OCSP.
>
> My $0.02,
> Hadrian
>
> On 12/11/2017 02:34 PM, Justin Bertram wrote:
>> Can you describe how you created the activemq-revoke.crl that's in your example?
>>
>> Justin
>>
>> On Mon, Dec 11, 2017 at 9:47 AM, Justin Bertram <jbert...@apache.org> wrote:
>>> The CRL logic applies to the *trust* manager. The way your example is configured the CRL is specified on the broker side. In order to make use of the CRL the client has to present a certificate for the broker to trust. However, the acceptor in your example (and test) is not configured to require the client to present a certificate. You need to add "needClientAuth=true" and then you should see the broker reject the client's cert.
>>>
>>> Justin
>>>
>>> On Mon, Dec 11, 2017 at 8:43 AM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
>>>> The server accepts the connection of the client with the revoked certificate; I think it should reject the connection.
>>>> I added an example of that in the commit.
>>>>
>>>> 2017-12-11 14:05 GMT+00:00 Justin Bertram <jbert...@apache.org>:
>>>>> I took a quick look over the code and it looks good to me. What specifically isn't working?
>>>>>
>>>>> Justin
>>>>>
>>>>> On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
>>>>>> Hi Justin,
>>>>>>
>>>>>> What I did is available in the commit:
>>>>>> https://github.com/Skiler/activemq-artemis/commit/2e67595c30856666eb62122906b22a3398f9de47
>>>>>> Definitely I did something wrong, perhaps some basic mistake.
>>>>>>
>>>>>> Thanks in advance,
>>>>>> Raul
>>>>>>
>>>>>> 2017-12-08 20:51 GMT+00:00 Justin Bertram <jbert...@apache.org>:
>>>>>>> FYI - I opened ARTEMIS-1548 [1] for this.
>>>>>>>
>>>>>>> Justin
>>>>>>>
>>>>>>> [1] https://issues.apache.org/jira/browse/ARTEMIS-1548
>>>>>>>
>>>>>>> On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram <jbert...@apache.org> wrote:
>>>>>>>> > I copied the code and the certificates from activemq.
>>>>>>>>
>>>>>>>> What code and certs did you copy and where did you copy it to?
>>>>>>>>
>>>>>>>> > My guess is artemis is delegating the ssl infrastructure in Netty and netty isn't supporting CRL by default. Not sure about it.
>>>>>>>>
>>>>>>>> The SSL handshake is done by Netty in Artemis. However, the SSLContext used (which includes the trust manager) is created by Artemis itself in the class I specified in my previous email.
>>>>>>>>
>>>>>>>> > I need ocsp too, i thought i could add copy both features to artemis. No luck until now.
>>>>>>>>
>>>>>>>> I don't think it will be too hard to implement both in Artemis. I'll give it a closer look when I get the chance.
>>>>>>>>
>>>>>>>> Justin
>>>>>>>>
>>>>>>>> On Thu, Dec 7, 2017 at 4:23 PM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
>>>>>>>>> Hi Justin,
>>>>>>>>>
>>>>>>>>> I already tried it (I tried before sending the e-mail), and it didn't work. I copied the code and the certificates from ActiveMQ. My guess is Artemis is delegating the SSL infrastructure to Netty and Netty isn't supporting CRL by default. Not sure about it. I'm assuming ActiveMQ doesn't use Netty.
>>>>>>>>> I need OCSP too; I thought I could copy both features to Artemis. No luck until now.
>>>>>>>>>
>>>>>>>>> Thanks in advance,
>>>>>>>>> Raul
>>>>>>>>>
>>>>>>>>> On 07/12/2017 5:36 p.m., "Justin Bertram" <jbert...@redhat.com> wrote:
>>>>>>>>>> Artemis doesn't support CRL. However, you should be able to adapt what's done in 5.x in org.apache.activemq.spring.SpringSslContext to work in Artemis in org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport. Let me know if you're moving forward with this work, otherwise I'll take a closer look.
>>>>>>>>>>
>>>>>>>>>> Justin
>>>>>>>>>>
>>>>>>>>>> On Thu, Dec 7, 2017 at 2:27 AM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> Does Artemis support certificate revocation lists? If not, I'm available to try to implement it if you give some insights about it.
>>>>>>>>>>>
>>>>>>>>>>> Thanks in advance,
>>>>>>>>>>> Raul
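The two points Justin makes in the quoted thread, that CRL checking lives in the *trust* manager and that it never fires unless the acceptor requires a client certificate, are shown below in plain JSSE. This is an added example written for this page; it is not code from Artemis, from ActiveMQ 5.x's SpringSslContext, or from Raul's commit. The keystore/truststore file names, the `changeit` passwords and the `revoked.crl` path are placeholder assumptions; the Java APIs (`PKIXBuilderParameters`, `PKIXRevocationChecker`, `CertPathTrustManagerParameters`, `SSLEngine.setNeedClientAuth`) are standard JDK 8+.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.Collection;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not Artemis/ActiveMQ code): a PKIX trust manager that checks
 * peer certificates against a local CRL file, and the server-side setting
 * without which the trust manager never sees a client certificate.
 */
public class CrlTrustExample {

    /** Builds a TrustManagerFactory whose PKIX validator consults the CRL(s) in crlPath. */
    public static TrustManagerFactory crlCheckingTrustManagerFactory(KeyStore trustStore, String crlPath)
            throws Exception {
        // Load one or more CRLs (PEM or DER) issued by the CA that signed the client certs.
        Collection<? extends CRL> crls;
        try (InputStream in = new FileInputStream(crlPath)) {
            crls = CertificateFactory.getInstance("X.509").generateCRLs(in);
        }

        // Anchor path validation at the CA certificates in the trust store and make the
        // loaded CRLs available to the validator through a Collection CertStore.
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));

        // Adding a PKIXRevocationChecker turns revocation checking on. PREFER_CRLS +
        // NO_FALLBACK keeps it offline (no OCSP attempt); without SOFT_FAIL a certificate
        // whose status cannot be determined is rejected, i.e. the check fails closed.
        PKIXRevocationChecker revocation =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        revocation.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS,
                                         PKIXRevocationChecker.Option.NO_FALLBACK));
        pkix.addCertPathChecker(revocation);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf;
    }

    /** Server-side engine: the CRL-aware trust manager only runs if the client must present a cert. */
    public static SSLEngine serverEngine(KeyStore serverKeyStore, char[] keyPassword,
                                         KeyStore trustStore, String crlPath) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(serverKeyStore, keyPassword);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(),
                 crlCheckingTrustManagerFactory(trustStore, crlPath).getTrustManagers(),
                 null);

        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        // JSSE equivalent of the acceptor's needClientAuth=true mentioned in the thread:
        // without it the client sends no certificate, checkClientTrusted is never called
        // and the CRL is silently ignored, which matches the symptom Raul described.
        engine.setNeedClientAuth(true);
        return engine;
    }

    // Placeholder file names and passwords; replace with the broker's real stores.
    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("broker-keystore.jks")) { ks.load(in, pw); }
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("broker-truststore.jks")) { ts.load(in, pw); }

        SSLEngine engine = serverEngine(ks, pw, ts, "revoked.crl");
        System.out.println("needClientAuth=" + engine.getNeedClientAuth());
    }
}
```

Two practical caveats that go with this. First, the CRL must be signed by the same CA that issued the client certificate (for an OpenSSL test CA, `openssl ca -revoke` followed by `openssl ca -gencrl` produces one); a CRL from a different issuer is simply not matched and the handshake fails closed with a "could not determine revocation status" style error rather than succeeding. Second, CRLs carry a nextUpdate time, so a stale file also fails validation; that operational burden is exactly Hadrian's objection, and the same `PKIXRevocationChecker` can be switched to OCSP by dropping `PREFER_CRLS` and `NO_FALLBACK`.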