Are there instructions about how to do what you did in your example or your test? Any artifacts packaged with an example or a test should be able to be easily re-created by an interested user/developer.
Justin

On Thu, Dec 14, 2017 at 5:37 AM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:

> Hi Justin,
>
> I created new certificates and crls, created from scratch.
>
> Thanks,
> Raul
>
> 2017-12-12 10:09 GMT+00:00 Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com>:
>
>> Hi Justin,
>>
>> I copied the activemq-revoke.crl from the activemq repository. I will try to add the documentation today or tomorrow, I've a busy day today :(
>>
>> Thanks,
>> Raul
>>
>> 2017-12-12 3:09 GMT+00:00 Justin Bertram <jbert...@apache.org>:
>>
>>> If you look at Raul's commit you'll see support for OCSP in there. Really what's left is some testing and documentation to round it out (which was why I was asking about how to generate the CRL).
>>>
>>> In any case, thanks (as always) for your input.
>>>
>>> Justin
>>>
>>> On Mon, Dec 11, 2017 at 3:29 PM, Hadrian Zbarcea <hzbar...@gmail.com> wrote:
>>>
>>>> Keep in mind that CRLs are not used much because of a few reasons. One of the main ones is the heavy burden on ops/maintenance. You may want to take a look at ocsp.
>>>>
>>>> My $0.02,
>>>> Hadrian
>>>>
>>>> On 12/11/2017 02:34 PM, Justin Bertram wrote:
>>>>
>>>>> Can you describe how you created the activemq-revoke.crl that's in your example?
>>>>>
>>>>> Justin
>>>>>
>>>>> On Mon, Dec 11, 2017 at 9:47 AM, Justin Bertram <jbert...@apache.org> wrote:
>>>>>
>>>>>> The CRL logic applies to the *trust* manager. The way your example is configured the CRL is specified on the broker side. In order to make use of the CRL the client has to present a certificate for the broker to trust. However, the acceptor in your example (and test) is not configured to require the client to present a certificate. You need to add "needClientAuth=true" and then you should see the broker reject the client's cert.
>>>>>>
>>>>>> Justin
>>>>>>
>>>>>> On Mon, Dec 11, 2017 at 8:43 AM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
>>>>>>
>>>>>>> The server accepts the connection of the client with the revoked certificate, I think it should reject the connection.
>>>>>>> I added an example of that in the commit.
>>>>>>>
>>>>>>> 2017-12-11 14:05 GMT+00:00 Justin Bertram <jbert...@apache.org>:
>>>>>>>
>>>>>>>> I took a quick look over the code and it looks good to me. What specifically isn't working?
>>>>>>>>
>>>>>>>> Justin
>>>>>>>>
>>>>>>>> On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Justin,
>>>>>>>>>
>>>>>>>>> What I did is available in the commit:
>>>>>>>>> https://github.com/Skiler/activemq-artemis/commit/2e67595c30856666eb62122906b22a3398f9de47
>>>>>>>>> Definitely I did something wrong, perhaps some basic mistake. I
>>>>>>>>>
>>>>>>>>> Thanks in advance,
>>>>>>>>> Raul
>>>>>>>>>
>>>>>>>>> 2017-12-08 20:51 GMT+00:00 Justin Bertram <jbert...@apache.org>:
>>>>>>>>>
>>>>>>>>>> FYI - I opened ARTEMIS-1548 [1] for this.
>>>>>>>>>>
>>>>>>>>>> Justin
>>>>>>>>>>
>>>>>>>>>> [1] https://issues.apache.org/jira/browse/ARTEMIS-1548
>>>>>>>>>>
>>>>>>>>>> On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram <jbert...@apache.org> wrote:
>>>>>>>>>>
>>>>>>>>>>> > I copied the code and the certificates from activemq.
>>>>>>>>>>>
>>>>>>>>>>> What code and certs did you copy and where did you copy it to?
>>>>>>>>>>>
>>>>>>>>>>> > My guess is artemis is delegating the ssl infrastructure in Netty and netty isn't supporting CRL by default. Not sure about it.
>>>>>>>>>>>
>>>>>>>>>>> The SSL handshake is done by Netty in Artemis. However, the SSLContext used (which includes the trust manager) is created by Artemis itself in the class I specified in my previous email.
>>>>>>>>>>>
>>>>>>>>>>> > I need ocsp too, i thought i could add copy both features to artemis. No luck until now.
>>>>>>>>>>>
>>>>>>>>>>> I don't think it will be too hard to implement both in Artemis. I'll give it a closer look when I get the chance.
>>>>>>>>>>>
>>>>>>>>>>> Justin
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Dec 7, 2017 at 4:23 PM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Justin,
>>>>>>>>>>>>
>>>>>>>>>>>> I already tried it (I tried before sending the e-mail), and it didn't work. I copied the code and the certificates from activemq. My guess is artemis is delegating the ssl infrastructure in Netty and netty isn't supporting CRL by default. Not sure about it. I'm assuming activemq doesn't use netty.
>>>>>>>>>>>> I need ocsp too, I thought I could add copy both features to artemis. No luck until now.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks in advance,
>>>>>>>>>>>> Raul
>>>>>>>>>>>>
>>>>>>>>>>>> On 07/12/2017 5:36 p.m., "Justin Bertram" <jbert...@redhat.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Artemis doesn't support CRL. However, you should be able to adapt what's done in 5.x in org.apache.activemq.spring.SpringSslContext to work in Artemis in org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport. Let me know if you're moving forward with this work otherwise I'll take a closer look.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Justin
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Thu, Dec 7, 2017 at 2:27 AM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Does Artemis support certificate revocation lists? If not, I'm available to try to implement it if you give some insights about it.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks in advance,
>>>>>>>>>>>>>> Raul
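How the two points made in the thread fit together in JSSE, as an added example that is not code from the thread, from ActiveMQ 5.x SpringSslContext or from Artemis SSLSupport: the revocation check lives in the PKIX trust manager, and the server must require client authentication or that trust manager is never invoked for the client's certificate. Keystore paths, passwords, the CRL file name and the port are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collection;
import javax.net.ssl.*;

public final class CrlCheckingServer {

    // Loads a keystore/truststore from disk (path and password are assumptions for this example).
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    // PKIX trust managers that consult the CRLs in crlPath during chain validation.
    // Revocation is enabled with no OCSP configured, so validation fails closed: a chain whose
    // issuer has no CRL in the store is rejected too, not only a chain with a revoked certificate.
    static TrustManagerFactory crlTrustManagers(KeyStore trustStore, String crlPath) throws Exception {
        Collection<? extends CRL> crls;
        try (InputStream in = new FileInputStream(crlPath)) {
            crls = CertificateFactory.getInstance("X.509").generateCRLs(in);
        }
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(true);
        pkix.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();                        // assumed password
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadStore("server-keystore.jks", pw), pw);           // assumed path
        TrustManagerFactory tmf = crlTrustManagers(loadStore("server-truststore.jks", pw), "revoked.crl");
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        try (SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(61617)) {
            // Without this the client is never asked for a certificate, so the trust manager
            // (and therefore the CRL) is never consulted: the needClientAuth=true point in the thread.
            server.setNeedClientAuth(true);
            try (SSLSocket client = (SSLSocket) server.accept()) {
                client.startHandshake();   // a client presenting a revoked certificate fails here
            }
        }
    }
}
```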