Artemis CRL


Artemis CRL

Raul Valdoleiros
Hi,

Does Artemis support certificate revocation lists? If not, I'm available to try to
implement it if you give me some insights about it.

Thanks in advance,
Raul

Re: Artemis CRL

Justin Bertram
Artemis doesn't support CRL.  However, you should be able to adapt what's
done in 5.x in org.apache.activemq.spring.SpringSslContext to work in
Artemis in org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.
Let me know if you're moving forward with this work otherwise I'll take a
closer look.


Justin

On Thu, Dec 7, 2017 at 2:27 AM, Raul Valdoleiros <[hidden email]> wrote:

Re: Artemis CRL

Raul Valdoleiros
Hi Justin,

I already tried it (I tried it before sending the e-mail), and it didn't work. I
copied the code and the certificates from ActiveMQ. My guess is Artemis is
delegating the SSL infrastructure to Netty and Netty isn't supporting CRL
by default. Not sure about it. I'm assuming ActiveMQ doesn't use Netty.
I need OCSP too; I thought I could copy both features to Artemis. No
luck until now.

Thanks in advance,
Raul


On 07/12/2017 5:36 p.m., "Justin Bertram" <[hidden email]> wrote:


Re: Artemis CRL

jbertram
> I copied the code and the certificates from activemq.

What code and certs did you copy and where did you copy it to?

> My guess is artemis is delegating the ssl infrastructure in Netty and
> netty isn't supporting CRL by default. Not sure about it.

The SSL handshake is done by Netty in Artemis.  However, the SSLContext
used (which includes the trust manager) is created by Artemis itself in the
class I specified in my previous email.

> I need ocsp too, i thought i could add copy both features to artemis. No
> luck until now.

I don't think it will be too hard to implement both in Artemis.  I'll give
it a closer look when I get the chance.


Justin

On Thu, Dec 7, 2017 at 4:23 PM, Raul Valdoleiros <[hidden email]> wrote:

Re: Artemis CRL

jbertram
FYI - I opened ARTEMIS-1548 [1] for this.


Justin

[1] https://issues.apache.org/jira/browse/ARTEMIS-1548

On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram <[hidden email]> wrote:


Re: Artemis CRL

Raul Valdoleiros
Hi Justin,

What I did is available in the commit:
https://github.com/Skiler/activemq-artemis/commit/2e67595c30856666eb62122906b22a3398f9de47
Definitely I did something wrong, perhaps some basic mistake. I

Thanks in advance,
Raul

2017-12-08 20:51 GMT+00:00 Justin Bertram <[hidden email]>:


Re: Artemis CRL

jbertram
I took a quick look over the code and it looks good to me.  What
specifically isn't working?


Justin

On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros <[hidden email]> wrote:

Re: Artemis CRL

Raul Valdoleiros
The server accepts the connection of the client with the revoked
certificate; I think it should reject the connection.
I added an example of that in the commit.

2017-12-11 14:05 GMT+00:00 Justin Bertram <[hidden email]>:


Re: Artemis CRL

jbertram
The CRL logic applies to the *trust* manager.  The way your example is
configured the CRL is specified on the broker side.  In order to make use
of the CRL the client has to present a certificate for the broker to
trust.  However, the acceptor in your example (and test) is not configured
to require the client to present a certificate.  You need to add
"needClientAuth=true" and then you should see the broker reject the
client's cert.


Justin

On Mon, Dec 11, 2017 at 8:43 AM, Raul Valdoleiros <[hidden email]> wrote:
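Justin's point in the message above is the one to get right: revocation checking lives in the trust manager, and a broker-side trust manager only runs if the acceptor demands a client certificate. As an added example (not code from Artemis, from ActiveMQ 5.x or from Raul's commit), the following Java builds the trust side of an SSLContext the way the thread describes for SpringSslContext, with an optional CRL file and the OCSP switch, adds an offline validator so a CRL can be tested without a full handshake, and shows the server-side setting that corresponds to needClientAuth=true. The class, method and argument names are this example's own, and the file paths in main are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CRL;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Arrays;
import java.util.Collection;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not Artemis or ActiveMQ 5.x code and not Raul's commit: the trust
 * side of an SSLContext with CRL/OCSP revocation checking, built the way the
 * thread describes for SpringSslContext, plus the server-side client-auth switch.
 * All names here are this example's own.
 */
public final class RevocationTrustSupport {

    /** Trust anchors from a JKS/PKCS12 trust store, with an optional CRL file and OCSP. */
    public static PKIXBuilderParameters pkixParameters(String trustStorePath, char[] trustStorePassword,
                                                       String crlPath, boolean ocsp) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        // Empty selector: the end-entity certificate is whatever the peer presents.
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(crlPath != null || ocsp);
        if (crlPath != null) {
            // A PEM or DER X.509 CRL, e.g. the output of "openssl ca -gencrl".
            try (InputStream in = new FileInputStream(crlPath)) {
                Collection<? extends CRL> crls = CertificateFactory.getInstance("X.509").generateCRLs(in);
                pkix.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
            }
        }
        if (ocsp) {
            // The PKIX provider reads this JVM-wide security property; it is not per-context.
            Security.setProperty("ocsp.enable", "true");
        }
        return pkix;
    }

    /** TrustManagers that apply the CRL/OCSP settings above on every handshake. */
    public static TrustManager[] trustManagers(PKIXBuilderParameters pkix) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf.getTrustManagers();
    }

    /**
     * Offline check of a client chain (leaf first, trust anchor excluded) against the same
     * parameters, for testing a CRL before wiring it into an acceptor.
     * Returns null when the chain is acceptable, otherwise the validator's reason.
     */
    public static String rejectionReason(PKIXBuilderParameters pkix, Certificate... chain) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, pkix);
            return null;
        } catch (CertPathValidatorException e) {
            return e.getReason() + ": " + e.getMessage();   // e.g. "REVOKED: Certificate has been revoked ..."
        }
    }

    /** Server-side engine: without needClientAuth the trust manager is never consulted. */
    public static SSLEngine serverEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        // Equivalent of needClientAuth=true on the acceptor: the broker now demands a
        // client certificate, and only then does the CRL or OCSP check run.
        engine.setNeedClientAuth(true);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Usage (paths are assumptions): truststore.jks password revoke.crl client.crt
        PKIXBuilderParameters pkix = pkixParameters(args[0], args[1].toCharArray(), args[2], false);
        try (InputStream in = new FileInputStream(args[3])) {
            Certificate client = CertificateFactory.getInstance("X.509").generateCertificate(in);
            String reason = rejectionReason(pkix, client);
            System.out.println(reason == null ? "client certificate accepted" : "rejected, " + reason);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustManagers(pkix), null);   // key managers omitted: trust side only
        System.out.println("needClientAuth=" + serverEngine(ctx).getNeedClientAuth());
    }
}
```

Two caveats that go with the operational burden CRLs carry: the PKIX validator fails closed, so a CRL whose nextUpdate has passed, or a chain for which no CRL is available, is rejected with "Could not determine revocation status" rather than accepted; and ocsp.enable is a JVM-wide property, so switching it on for one acceptor switches it on for every PKIX validation in the broker. Since Java 8 the per-context alternative is a PKIXRevocationChecker registered with addCertPathChecker, which also offers SOFT_FAIL and PREFER_CRLS options.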

Re: Artemis CRL

jbertram
Can you describe how you created the activemq-revoke.crl that's in your
example?


Justin

On Mon, Dec 11, 2017 at 9:47 AM, Justin Bertram <[hidden email]> wrote:


Re: Artemis CRL

Hadrian Zbarcea
Keep in mind that CRLs are not used much because of a few reasons. One
of the main ones is the heavy burden on ops/maintenance. You may want to
take a look at ocsp.

My $0.02,
Hadrian


On 12/11/2017 02:34 PM, Justin Bertram wrote:


Re: Artemis CRL

jbertram
If you look at Raul's commit you'll see support for OCSP in there.  Really
what's left is some testing and documentation to round it out (which was
why I was asking about how to generate the CRL).

In any case, thanks (as always) for your input.


Justin

On Mon, Dec 11, 2017 at 3:29 PM, Hadrian Zbarcea <[hidden email]> wrote:

> Keep in mind that CRLs are not used much because of a few reasons. One of
> the main ones is the heavy burden on ops/maintenance. You may want to take
> a look at ocsp.
>
> My $0.02,
> Hadrian
>
>
>
> On 12/11/2017 02:34 PM, Justin Bertram wrote:
>
>> Can you describe how you created the activemq-revoke.crl that's in your
>> example?
>>
>>
>> Justin
>>
>> On Mon, Dec 11, 2017 at 9:47 AM, Justin Bertram <[hidden email]>
>> wrote:
>>
>> The CRL logic applies to the *trust* manager.  The way your example is
>>> configured the CRL is specified on the broker side.  In order to make use
>>> of the CRL the client has to present a certificate for the broker to
>>> trust.  However, the acceptor in your example (and test) is not
>>> configured
>>> to require the client to present a certificate.  You need to add
>>> "needClientAuth=true" and then you should see the broker reject the
>>> client's cert.
>>>
>>>
>>> Justin
>>>
>>> On Mon, Dec 11, 2017 at 8:43 AM, Raul Valdoleiros <
>>> [hidden email]> wrote:
>>>
>>> The server accepts the connection of the client with the revoked
>>>> certificate, I think it should reject the connection.
>>>> I add an example of that in the commit.
>>>>
>>>> 2017-12-11 14:05 GMT+00:00 Justin Bertram <[hidden email]>:
>>>>
>>>> I took a quick look over the code and it looks good to me.  What
>>>>> specifically isn't working?
>>>>>
>>>>>
>>>>> Justin
>>>>>
>>>>> On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros <
>>>>> [hidden email]> wrote:
>>>>>
>>>>> Hi Justin,
>>>>>>
>>>>>> What I did is available in the commit:
>>>>>> https://github.com/Skiler/activemq-artemis/commit/
>>>>>> 2e67595c30856666eb62122906b22a3398f9de47
>>>>>> Definitely I did something wrong, perhaps some basic mistake. I
>>>>>>
>>>>>> Thanks in advance,
>>>>>> Raul
>>>>>>
>>>>>> 2017-12-08 20:51 GMT+00:00 Justin Bertram <[hidden email]>:
>>>>>>
>>>>>> FYI - I opened ARTEMIS-1548 [1] for this.
>>>>>>>
>>>>>>>
>>>>>>> Justin
>>>>>>>
>>>>>>> [1] https://issues.apache.org/jira/browse/ARTEMIS-1548
>>>>>>>
>>>>>>> On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram <[hidden email]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>>> I copied the code and the certificates from activemq.
>>>>>>>>
>>>>>>>> What code and certs did you copy and where did you copy it to?
>>>>>>>>
>>>>>>>>> My guess is artemis is delegating the ssl infrastructure in Netty and
>>>>>>>>> netty isn't supporting CRL by default. Not sure about it.
>>>>>>>>
>>>>>>>> The SSL handshake is done by Netty in Artemis.  However, the SSLContext
>>>>>>>> used (which includes the trust manager) is created by Artemis itself in
>>>>>>>> the class I specified in my previous email.
>>>>>>>>
>>>>>>>>> I need ocsp too, i thought i could add copy both features to artemis.
>>>>>>>>> No luck until now.
>>>>>>>>
>>>>>>>> I don't think it will be too hard to implement both in Artemis.  I'll
>>>>>>>> give it a closer look when I get the chance.
>>>>>>>>
>>>>>>>>
>>>>>>>> Justin
>>>>>>>>
>>>>>>>> On Thu, Dec 7, 2017 at 4:23 PM, Raul Valdoleiros <
>>>>>>>> [hidden email]> wrote:
>>>>>>>>
>>>>>>>>> Hi Justin,
>>>>>>>>>
>>>>>>>>> I already tried it (I tried before sending the e-mail), and it didn't
>>>>>>>>> work. I copied the code and the certificates from activemq. My guess is
>>>>>>>>> artemis is delegating the ssl infrastructure in Netty and netty isn't
>>>>>>>>> supporting CRL by default. Not sure about it. I'm assuming activemq
>>>>>>>>> doesn't use netty.
>>>>>>>>> I need OCSP too; I thought I could copy both features to artemis. No
>>>>>>>>> luck until now.
>>>>>>>>>
>>>>>>>>> Thanks in advance,
>>>>>>>>> Raul
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 07/12/2017 5:36 p.m., "Justin Bertram" <[hidden email]> wrote:
>>>>>>>>>
>>>>>>>>> Artemis doesn't support CRL.  However, you should be able to adapt
>>>>>>>>> what's done in 5.x in org.apache.activemq.spring.SpringSslContext to
>>>>>>>>> work in Artemis in
>>>>>>>>> org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.
>>>>>>>>> Let me know if you're moving forward with this work, otherwise I'll
>>>>>>>>> take a closer look.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Justin
>>>>>>>>>
>>>>>>>>> On Thu, Dec 7, 2017 at 2:27 AM, Raul Valdoleiros <
>>>>>>>>> [hidden email]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> Does Artemis support certificate revocation lists? If not, I'm
>>>>>>>>>> available to try to implement it if you give some insights about it.
>>>>>>>>>>
>>>>>>>>>> Thanks in advance,
>>>>>>>>>> Raul
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>
Reply | Threaded
Open this post in threaded view
|

Re: Artemis CRL

Raul Valdoleiros
Hi Justin,

I copied the activemq-revoke.crl from the activemq repository. I will try
to add the documentation today or tomorrow, I've a busy day today :(

Thanks,
Raul

2017-12-12 3:09 GMT+00:00 Justin Bertram <[hidden email]>:

> If you look at Raul's commit you'll see support for OCSP in there.  Really
> what's left is some testing and documentation to round it out (which was
> why I was asking about how to generate the CRL).
>
> In any case, thanks (as always) for your input.
>
>
> Justin
>
> On Mon, Dec 11, 2017 at 3:29 PM, Hadrian Zbarcea <[hidden email]>
> wrote:
>
> > Keep in mind that CRLs are not used much because of a few reasons. One of
> > the main ones is the heavy burden on ops/maintenance. You may want to take
> > a look at ocsp.
> >
> > My $0.02,
> > Hadrian
> >
> >
> >
> > On 12/11/2017 02:34 PM, Justin Bertram wrote:
> >
> >> Can you describe how you created the activemq-revoke.crl that's in your
> >> example?
> >>
> >>
> >> Justin
> >>
> >> On Mon, Dec 11, 2017 at 9:47 AM, Justin Bertram <[hidden email]>
> >> wrote:
> >>
> >>> The CRL logic applies to the *trust* manager.  The way your example is
> >>> configured the CRL is specified on the broker side.  In order to make use
> >>> of the CRL the client has to present a certificate for the broker to
> >>> trust.  However, the acceptor in your example (and test) is not configured
> >>> to require the client to present a certificate.  You need to add
> >>> "needClientAuth=true" and then you should see the broker reject the
> >>> client's cert.
> >>>
> >>>
> >>> Justin
> >>>
> >>> On Mon, Dec 11, 2017 at 8:43 AM, Raul Valdoleiros <
> >>> [hidden email]> wrote:
> >>>
> >>> The server accepts the connection of the client with the revoked
> >>>> certificate, I think it should reject the connection.
> >>>> I add an example of that in the commit.
> >>>>
> >>>> 2017-12-11 14:05 GMT+00:00 Justin Bertram <[hidden email]>:
> >>>>
> >>>> I took a quick look over the code and it looks good to me.  What
> >>>>> specifically isn't working?
> >>>>>
> >>>>>
> >>>>> Justin
> >>>>>
> >>>>> On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros <
> >>>>> [hidden email]> wrote:
> >>>>>
> >>>>> Hi Justin,
> >>>>>>
> >>>>>> What I did is available in the commit:
> >>>>>> https://github.com/Skiler/activemq-artemis/commit/
> >>>>>> 2e67595c30856666eb62122906b22a3398f9de47
> >>>>>> Definitely I did something wrong, perhaps some basic mistake. I
> >>>>>>
> >>>>>> Thanks in advance,
> >>>>>> Raul
> >>>>>>
> >>>>>> 2017-12-08 20:51 GMT+00:00 Justin Bertram <[hidden email]>:
> >>>>>>
> >>>>>> FYI - I opened ARTEMIS-1548 [1] for this.
> >>>>>>>
> >>>>>>>
> >>>>>>> Justin
> >>>>>>>
> >>>>>>> [1] https://issues.apache.org/jira/browse/ARTEMIS-1548
> >>>>>>>
> >>>>>>> On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram <[hidden email]>
> >>>>>>> wrote:
> >>>>>>>
> >>>>>>>>> I copied the code and the certificates from activemq.
> >>>>>>>>
> >>>>>>>> What code and certs did you copy and where did you copy it to?
> >>>>>>>>
> >>>>>>>>> My guess is artemis is delegating the ssl infrastructure in Netty and
> >>>>>>>>> netty isn't supporting CRL by default. Not sure about it.
> >>>>>>>>
> >>>>>>>> The SSL handshake is done by Netty in Artemis.  However, the SSLContext
> >>>>>>>> used (which includes the trust manager) is created by Artemis itself in
> >>>>>>>> the class I specified in my previous email.
> >>>>>>>>
> >>>>>>>>> I need ocsp too, i thought i could add copy both features to artemis.
> >>>>>>>>> No luck until now.
> >>>>>>>>
> >>>>>>>> I don't think it will be too hard to implement both in Artemis.  I'll
> >>>>>>>> give it a closer look when I get the chance.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Justin
> >>>>>>>>
> >>>>>>>> On Thu, Dec 7, 2017 at 4:23 PM, Raul Valdoleiros <
> >>>>>>>> [hidden email]> wrote:
> >>>>>>>>
> >>>>>>>>> Hi Justin,
> >>>>>>>>>
> >>>>>>>>> I already tried it (I tried before sending the e-mail), and it didn't
> >>>>>>>>> work. I copied the code and the certificates from activemq. My guess is
> >>>>>>>>> artemis is delegating the ssl infrastructure in Netty and netty isn't
> >>>>>>>>> supporting CRL by default. Not sure about it. I'm assuming activemq
> >>>>>>>>> doesn't use netty.
> >>>>>>>>> I need OCSP too; I thought I could copy both features to artemis. No
> >>>>>>>>> luck until now.
> >>>>>>>>>
> >>>>>>>>> Thanks in advance,
> >>>>>>>>> Raul
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On 07/12/2017 5:36 p.m., "Justin Bertram" <[hidden email]> wrote:
> >>>>>>>>>
> >>>>>>>>> Artemis doesn't support CRL.  However, you should be able to adapt
> >>>>>>>>> what's done in 5.x in org.apache.activemq.spring.SpringSslContext to
> >>>>>>>>> work in Artemis in
> >>>>>>>>> org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.
> >>>>>>>>> Let me know if you're moving forward with this work, otherwise I'll
> >>>>>>>>> take a closer look.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Justin
> >>>>>>>>>
> >>>>>>>>> On Thu, Dec 7, 2017 at 2:27 AM, Raul Valdoleiros <
> >>>>>>>>> [hidden email]> wrote:
> >>>>>>>>>
> >>>>>>>>>> Hi,
> >>>>>>>>>>
> >>>>>>>>>> Does Artemis support certificate revocation lists? If not, I'm
> >>>>>>>>>> available to try to implement it if you give some insights about it.
> >>>>>>>>>>
> >>>>>>>>>> Thanks in advance,
> >>>>>>>>>> Raul
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>
> >>>
> >>
>
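Justin's explanation quoted above (the CRL lives in the trust manager, so the broker never consults it unless the acceptor demands a client certificate) is easy to confirm with plain JDK code. The following is an added example written for this page, not code from the pull request or from Artemis itself. It builds a PKIX trust manager that enforces a CRL, optionally with the JDK's OCSP-capable revocation checker, and then runs the same `checkClientTrusted` call the server performs during the handshake against a client certificate chain read from a file. The file names, the keystore type and password, and the command-line argument order are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example (not Artemis code): a CRL-aware, optionally OCSP-aware, PKIX trust manager. */
public final class CrlTrustManagerExample {

    /** Builds trust managers that reject any chain containing a certificate listed in the supplied CRLs. */
    static TrustManager[] buildTrustManagers(KeyStore trustStore, Collection<X509CRL> crls, boolean useOcsp)
            throws Exception {
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(true);   // without this the CRLs in the CertStore are silently ignored
        pkix.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        if (useOcsp) {
            // The JDK revocation checker tries OCSP first and falls back to the CRLs above.
            // No SOFT_FAIL option: an unreachable responder plus no usable CRL fails closed.
            PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
            checker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
            pkix.addCertPathChecker(checker);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf.getTrustManagers();
    }

    /** Wires the trust managers into an SSLContext; key managers are null because only the trust side is shown. */
    static SSLContext sslContext(TrustManager[] tms) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, null);
        return ctx;
    }

    /** The check the server runs on a client chain; the handshake only calls it when client auth is required. */
    static void checkClientChain(TrustManager[] tms, X509Certificate[] chain) throws CertificateException {
        for (TrustManager tm : tms) {
            if (tm instanceof X509TrustManager) {
                ((X509TrustManager) tm).checkClientTrusted(chain, chain[0].getPublicKey().getAlgorithm());
                return;
            }
        }
        throw new CertificateException("no X509TrustManager among " + tms.length + " trust managers");
    }

    /** Loads one or more PEM or DER encoded CRLs from a file (assumed file layout). */
    static Collection<X509CRL> loadCrls(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            Collection<X509CRL> out = new ArrayList<>();
            for (CRL crl : cf.generateCRLs(in)) out.add((X509CRL) crl);
            return out;
        }
    }

    /** Loads the client chain, leaf first, as the client would send it in the handshake. */
    static X509Certificate[] loadChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
    }

    /** Assumed usage: java CrlTrustManagerExample truststore.jks changeit revoked.crl client-chain.pem */
    public static void main(String[] args) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");   // keystore type is an assumption
        try (InputStream in = new FileInputStream(args[0])) {
            trustStore.load(in, args[1].toCharArray());
        }
        TrustManager[] tms = buildTrustManagers(trustStore, loadCrls(args[2]), false);
        X509Certificate[] chain = loadChain(args[3]);
        try {
            checkClientChain(tms, chain);
            System.out.println("ACCEPTED " + chain[0].getSubjectX500Principal());
        } catch (CertificateException e) {
            // A revoked leaf arrives here as a CertPathValidatorException wrapped in a CertificateException.
            System.out.println("REJECTED " + chain[0].getSubjectX500Principal() + ": " + e.getMessage());
        }
    }
}
```

The SSLContext produced by `sslContext` is the kind of object Artemis hands to Netty, and `checkClientTrusted` is only reached when the SSLEngine requires client authentication, which is exactly why an acceptor without `needClientAuth=true` accepted the revoked certificate in the example. Two caveats for anyone wiring this in: the Collection CertStore holds the CRL objects parsed at start-up, so a regenerated CRL file is not seen until the SSLContext is rebuilt; and PKIX will not use a CRL whose nextUpdate has passed, so with revocation enabled and no SOFT_FAIL a stale CRL turns every client's status into "undetermined" and rejects all of them, not just the revoked ones.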
Reply | Threaded
Open this post in threaded view
|

Re: Artemis CRL

Raul Valdoleiros
Hi Justin,

I created new certificates and CRLs from scratch.

Thanks,
Raul

2017-12-12 10:09 GMT+00:00 Raul Valdoleiros <
[hidden email]>:

Reply | Threaded
Open this post in threaded view
|

Re: Artemis CRL

jbertram
Are there instructions about how to do what you did in your example or your
test?  Any artifacts packaged with an example or a test should be able to
be easily re-created by an interested user/developer.


Justin

On Thu, Dec 14, 2017 at 5:37 AM, Raul Valdoleiros <
[hidden email]> wrote:

Reply | Threaded
Open this post in threaded view
|

Re: Artemis CRL

Raul Valdoleiros
In this pull request ( https://github.com/apache/activemq-artemis/pull/1708
) you have:

   - an example ->  examples/features/standard/ssl-enabled-crl-mqtt/
   <https://github.com/apache/activemq-artemis/pull/1708/files#diff-281889d37468a2ec2947c2269c302377>
   - a test
   -> tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java

I think I need to update this file
examples/features/standard/ssl-enabled-crl-mqtt/readme.html
<https://github.com/apache/activemq-artemis/pull/1708/files#diff-fac926e01a6ee68f346e78d126d15f5c>

Is there any other place where I need to add the instructions?

Raul


2017-12-14 14:49 GMT+00:00 Justin Bertram <[hidden email]>:

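For a test like MQTTSecurityCRLTest the acceptor can also be configured programmatically instead of through a separate broker.xml. The following is an added example, not code from the pull request, and it puts the two acceptor configurations side by side: one that sets a trust store and a CRL but never asks the client for a certificate (the state in which a revoked client still connects), and the corrected one with needClientAuth. The keys sslEnabled, keyStorePath, keyStorePassword, trustStorePath, trustStorePassword, host, port and needClientAuth are the Netty acceptor's documented parameter names; crlPath is the name I assume the CRL support uses, since the thread does not state it, and the file names and passwords are placeholders.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.activemq.artemis.api.core.TransportConfiguration;
import org.apache.activemq.artemis.core.config.Configuration;
import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
import org.apache.activemq.artemis.core.remoting.impl.netty.NettyAcceptorFactory;
import org.apache.activemq.artemis.core.server.ActiveMQServer;
import org.apache.activemq.artemis.core.server.ActiveMQServers;

/** Added example (not from the PR): an SSL acceptor configured in code, weak and corrected variants. */
public final class CrlAcceptorConfigExample {

    /** Parameters shared by both variants; paths and passwords are placeholders. */
    static Map<String, Object> sslParams(String crlPath) {
        Map<String, Object> p = new HashMap<>();
        p.put("host", "localhost");
        p.put("port", 61617);
        p.put("sslEnabled", true);
        p.put("keyStorePath", "server-keystore.jks");
        p.put("keyStorePassword", "changeit");
        p.put("trustStorePath", "server-truststore.jks");  // holds only the CA that issued the client certs
        p.put("trustStorePassword", "changeit");
        p.put("crlPath", crlPath);                          // assumed parameter name for the CRL file
        return p;
    }

    /**
     * The misconfiguration from the thread: trust store and CRL are set, but nothing makes the
     * handshake demand a client certificate, so the trust manager (and the CRL) is never consulted
     * and a client with a revoked certificate connects over plain one-way TLS.
     */
    static TransportConfiguration weakAcceptor(String crlPath) {
        return new TransportConfiguration(NettyAcceptorFactory.class.getName(), sslParams(crlPath), "ssl-weak");
    }

    /** Corrected: needClientAuth forces a client certificate, which routes it through checkClientTrusted. */
    static TransportConfiguration hardenedAcceptor(String crlPath) {
        Map<String, Object> p = sslParams(crlPath);
        p.put("needClientAuth", true);
        return new TransportConfiguration(NettyAcceptorFactory.class.getName(), p, "ssl");
    }

    /** Minimal embedded broker for a test, configured in code rather than from broker.xml. */
    static ActiveMQServer embeddedBroker(TransportConfiguration acceptor) {
        Configuration config = new ConfigurationImpl()
            .setPersistenceEnabled(false)
            .setSecurityEnabled(false)
            .addAcceptorConfiguration(acceptor);
        return ActiveMQServers.newActiveMQServer(config);
    }

    public static void main(String[] args) throws Exception {
        ActiveMQServer broker = embeddedBroker(hardenedAcceptor("revoked.crl"));
        broker.start();
        try {
            System.out.println("acceptors: " + broker.getConfiguration().getAcceptorConfigurations());
        } finally {
            broker.stop();
        }
    }
}
```

A test built on this would connect once with a valid client certificate and once with the revoked one against `hardenedAcceptor`, expecting the second handshake to fail; running the same two connections against `weakAcceptor` shows both succeeding, which is the behaviour the thread started with.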
Reply | Threaded
Open this post in threaded view
|

Re: Artemis CRL

jbertram
You'd need to add instructions to both the test (see an example here [1])
and the example.

Also, take a look at the modifications I made to your previous test
submitted for the MQTT cluster issue [2].  It's preferable to have the
configuration done programmatically rather than in a separate broker.xml
file.


Justin

[1]
https://github.com/apache/activemq-artemis/blob/master/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLTest.java#L70
[2]
https://github.com/apache/activemq-artemis/blob/master/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MqttClusterWildcardTest.java


Re: Artemis CRL

Raul Valdoleiros
Hi Justin,

I created a new pull request with the changes you mentioned.
https://github.com/apache/activemq-artemis/pull/1715

Somehow I'm having problems amending the commits, so I created a new PR.

Raul
