You'd need to add instructions to both the test (see an example here [1]) and the example.
Also, take a look at the modifications I made to your previous test submitted for the MQTT cluster issue [2]. It's preferable to have the configuration done programmatically rather than in a separate broker.xml file.

Justin

[1] https://github.com/apache/activemq-artemis/blob/master/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLTest.java#L70
[1] https://github.com/apache/activemq-artemis/blob/master/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MqttClusterWildcardTest.java

On Thu, Dec 14, 2017 at 9:33 AM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:

> In this pull request ( https://github.com/apache/activemq-artemis/pull/1708 ) you have:
>
> - an example -> examples/features/standard/ssl-enabled-crl-mqtt/
>   <https://github.com/apache/activemq-artemis/pull/1708/files#diff-281889d37468a2ec2947c2269c302377>
> - a test -> tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java
>
> I think I need to update this file
> examples/features/standard/ssl-enabled-crl-mqtt/readme.html
> <https://github.com/apache/activemq-artemis/pull/1708/files#diff-fac926e01a6ee68f346e78d126d15f5c>
>
> Is there any other place I need to add the instructions?
>
> Raul
>
> 2017-12-14 14:49 GMT+00:00 Justin Bertram <jbert...@apache.org>:
>
> > Are there instructions about how to do what you did in your example or your test? Any artifacts packaged with an example or a test should be able to be easily re-created by an interested user/developer.
> >
> > Justin
> >
> > On Thu, Dec 14, 2017 at 5:37 AM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
> >
> > > Hi Justin,
> > >
> > > I created new certificates and crls, created from scratch.
> > >
> > > Thanks,
> > > Raul
> > >
> > > 2017-12-12 10:09 GMT+00:00 Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com>:
> > >
> > > > Hi Justin,
> > > >
> > > > I copied the activemq-revoke.crl from the activemq repository. I will try to add the documentation today or tomorrow, I've a busy day today :(
> > > >
> > > > Thanks,
> > > > Raul
> > > >
> > > > 2017-12-12 3:09 GMT+00:00 Justin Bertram <jbert...@apache.org>:
> > > >
> > > >> If you look at Raul's commit you'll see support for OCSP in there. Really what's left is some testing and documentation to round it out (which was why I was asking about how to generate the CRL).
> > > >>
> > > >> In any case, thanks (as always) for your input.
> > > >>
> > > >> Justin
> > > >>
> > > >> On Mon, Dec 11, 2017 at 3:29 PM, Hadrian Zbarcea <hzbar...@gmail.com> wrote:
> > > >>
> > > >> > Keep in mind that CRLs are not used much because of a few reasons. One of the main ones is the heavy burden on ops/maintenance. You may want to take a look at ocsp.
> > > >> >
> > > >> > My $0.02,
> > > >> > Hadrian
> > > >> >
> > > >> > On 12/11/2017 02:34 PM, Justin Bertram wrote:
> > > >> >
> > > >> >> Can you describe how you created the activemq-revoke.crl that's in your example?
> > > >> >>
> > > >> >> Justin
> > > >> >>
> > > >> >> On Mon, Dec 11, 2017 at 9:47 AM, Justin Bertram <jbert...@apache.org> wrote:
> > > >> >>
> > > >> >>> The CRL logic applies to the *trust* manager. The way your example is configured the CRL is specified on the broker side. In order to make use of the CRL the client has to present a certificate for the broker to trust.
> > > >> >>> However, the acceptor in your example (and test) is not configured to require the client to present a certificate. You need to add "needClientAuth=true" and then you should see the broker reject the client's cert.
> > > >> >>>
> > > >> >>> Justin
> > > >> >>>
> > > >> >>> On Mon, Dec 11, 2017 at 8:43 AM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
> > > >> >>>
> > > >> >>>> The server accepts the connection of the client with the revoked certificate, I think it should reject the connection.
> > > >> >>>> I add an example of that in the commit.
> > > >> >>>>
> > > >> >>>> 2017-12-11 14:05 GMT+00:00 Justin Bertram <jbert...@apache.org>:
> > > >> >>>>
> > > >> >>>>> I took a quick look over the code and it looks good to me. What specifically isn't working?
> > > >> >>>>>
> > > >> >>>>> Justin
> > > >> >>>>>
> > > >> >>>>> On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
> > > >> >>>>>
> > > >> >>>>>> Hi Justin,
> > > >> >>>>>>
> > > >> >>>>>> What I did is available in the commit:
> > > >> >>>>>> https://github.com/Skiler/activemq-artemis/commit/2e67595c30856666eb62122906b22a3398f9de47
> > > >> >>>>>> Definitely I did something wrong, perhaps some basic mistake. I
> > > >> >>>>>>
> > > >> >>>>>> Thanks in advance,
> > > >> >>>>>> Raul
> > > >> >>>>>>
> > > >> >>>>>> 2017-12-08 20:51 GMT+00:00 Justin Bertram <jbert...@apache.org>:
> > > >> >>>>>>
> > > >> >>>>>>> FYI - I opened ARTEMIS-1548 [1] for this.
> > > >> >>>>>>>
> > > >> >>>>>>> Justin
> > > >> >>>>>>>
> > > >> >>>>>>> [1] https://issues.apache.org/jira/browse/ARTEMIS-1548
> > > >> >>>>>>>
> > > >> >>>>>>> On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram <jbert...@apache.org> wrote:
> > > >> >>>>>>>
> > > >> >>>>>>>>> I copied the code and the certificates from activemq.
> > > >> >>>>>>>>
> > > >> >>>>>>>> What code and certs did you copy and where did you copy it to?
> > > >> >>>>>>>>
> > > >> >>>>>>>>> My guess is artemis is delegating the ssl infrastructure in Netty and netty isn't supporting CRL by default. Not sure about it.
> > > >> >>>>>>>>
> > > >> >>>>>>>> The SSL handshake is done by Netty in Artemis. However, the SSLContext used (which includes the trust manager) is created by Artemis itself in the class I specified in my previous email.
> > > >> >>>>>>>>
> > > >> >>>>>>>>> I need ocsp too, I thought I could add copy both features to artemis. No luck until now.
> > > >> >>>>>>>>
> > > >> >>>>>>>> I don't think it will be too hard to implement both in Artemis. I'll give it a closer look when I get the chance.
> > > >> >>>>>>>>
> > > >> >>>>>>>> Justin
> > > >> >>>>>>>>
> > > >> >>>>>>>> On Thu, Dec 7, 2017 at 4:23 PM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
> > > >> >>>>>>>>
> > > >> >>>>>>>>> Hi Justin,
> > > >> >>>>>>>>>
> > > >> >>>>>>>>> I already tried it (I tried before sending the e-mail), and it didn't work. I copied the code and the certificates from activemq. My guess is artemis is delegating the ssl infrastructure in Netty and netty isn't supporting CRL by default. Not sure about it. I'm assuming activemq doesn't use netty.
> > > >> >>>>>>>>> I need ocsp too, I thought I could add copy both features to artemis. No luck until now.
> > > >> >>>>>>>>>
> > > >> >>>>>>>>> Thanks in advance,
> > > >> >>>>>>>>> Raul
> > > >> >>>>>>>>>
> > > >> >>>>>>>>> On 07/12/2017 5:36 p.m., "Justin Bertram" <jbert...@redhat.com> wrote:
> > > >> >>>>>>>>>
> > > >> >>>>>>>>> Artemis doesn't support CRL. However, you should be able to adapt what's done in 5.x in org.apache.activemq.spring.SpringSslContext to work in Artemis in org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.
> > > >> >>>>>>>>> Let me know if you're moving forward with this work otherwise I'll take a closer look.
> > > >> >>>>>>>>>
> > > >> >>>>>>>>> Justin
> > > >> >>>>>>>>>
> > > >> >>>>>>>>> On Thu, Dec 7, 2017 at 2:27 AM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
> > > >> >>>>>>>>>
> > > >> >>>>>>>>>> Hi,
> > > >> >>>>>>>>>>
> > > >> >>>>>>>>>> Does Artemis support certificate revocation lists? If not, I'm available to try to implement it if you give some insights about it.
> > > >> >>>>>>>>>>
> > > >> >>>>>>>>>> Thanks in advance,
> > > >> >>>>>>>>>> Raul