Can you describe how you created the activemq-revoke.crl that's in your example?


Justin

On Mon, Dec 11, 2017 at 9:47 AM, Justin Bertram <jbert...@apache.org> wrote:

> The CRL logic applies to the *trust* manager. The way your example is
> configured the CRL is specified on the broker side. In order to make use
> of the CRL the client has to present a certificate for the broker to
> trust. However, the acceptor in your example (and test) is not configured
> to require the client to present a certificate. You need to add
> "needClientAuth=true" and then you should see the broker reject the
> client's cert.
>
>
> Justin
>
> On Mon, Dec 11, 2017 at 8:43 AM, Raul Valdoleiros <
> raul.valdoleiros.olive...@gmail.com> wrote:
>
>> The server accepts the connection of the client with the revoked
>> certificate, I think it should reject the connection.
>> I added an example of that in the commit.
>>
>> 2017-12-11 14:05 GMT+00:00 Justin Bertram <jbert...@apache.org>:
>>
>> > I took a quick look over the code and it looks good to me. What
>> > specifically isn't working?
>> >
>> >
>> > Justin
>> >
>> > On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros <
>> > raul.valdoleiros.olive...@gmail.com> wrote:
>> >
>> > > Hi Justin,
>> > >
>> > > What I did is available in the commit:
>> > > https://github.com/Skiler/activemq-artemis/commit/2e67595c30856666eb62122906b22a3398f9de47
>> > > Definitely I did something wrong, perhaps some basic mistake. I
>> > >
>> > > Thanks in advance,
>> > > Raul
>> > >
>> > > 2017-12-08 20:51 GMT+00:00 Justin Bertram <jbert...@apache.org>:
>> > >
>> > > > FYI - I opened ARTEMIS-1548 [1] for this.
>> > > >
>> > > >
>> > > > Justin
>> > > >
>> > > > [1] https://issues.apache.org/jira/browse/ARTEMIS-1548
>> > > >
>> > > > On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram <jbert...@apache.org>
>> > > > wrote:
>> > > >
>> > > > > > I copied the code and the certificates from activemq.
>> > > > >
>> > > > > What code and certs did you copy and where did you copy it to?
>> > > > >
>> > > > > > My guess is artemis is delegating the ssl infrastructure in
>> > > > > > Netty and netty isn't supporting CRL by default. Not sure
>> > > > > > about it.
>> > > > >
>> > > > > The SSL handshake is done by Netty in Artemis. However, the
>> > > > > SSLContext used (which includes the trust manager) is created
>> > > > > by Artemis itself in the class I specified in my previous email.
>> > > > >
>> > > > > > I need ocsp too, I thought I could add copy both features to
>> > > > > > artemis. No luck until now.
>> > > > >
>> > > > > I don't think it will be too hard to implement both in Artemis.
>> > > > > I'll give it a closer look when I get the chance.
>> > > > >
>> > > > >
>> > > > > Justin
>> > > > >
>> > > > > On Thu, Dec 7, 2017 at 4:23 PM, Raul Valdoleiros <
>> > > > > raul.valdoleiros.olive...@gmail.com> wrote:
>> > > > >
>> > > > >> Hi Justin,
>> > > > >>
>> > > > >> I already tried it (I tried before sending the e-mail), and it
>> > > > >> didn't work. I copied the code and the certificates from
>> > > > >> activemq. My guess is artemis is delegating the ssl
>> > > > >> infrastructure in Netty and netty isn't supporting CRL by
>> > > > >> default. Not sure about it. I'm assuming activemq doesn't use
>> > > > >> netty.
>> > > > >> I need ocsp too, I thought I could add copy both features to
>> > > > >> artemis. No luck until now.
>> > > > >>
>> > > > >> Thanks in advance,
>> > > > >> Raul
>> > > > >>
>> > > > >>
>> > > > >> On 07/12/2017 5:36 p.m., "Justin Bertram" <jbert...@redhat.com>
>> > > > >> wrote:
>> > > > >>
>> > > > >> Artemis doesn't support CRL. However, you should be able to
>> > > > >> adapt what's done in 5.x in
>> > > > >> org.apache.activemq.spring.SpringSslContext to work in Artemis in
>> > > > >> org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.
>> > > > >> Let me know if you're moving forward with this work otherwise
>> > > > >> I'll take a closer look.
>> > > > >>
>> > > > >>
>> > > > >> Justin
>> > > > >>
>> > > > >> On Thu, Dec 7, 2017 at 2:27 AM, Raul Valdoleiros <
>> > > > >> raul.valdoleiros.olive...@gmail.com> wrote:
>> > > > >>
>> > > > >> > Hi,
>> > > > >> >
>> > > > >> > Does Artemis support certificate revocation list? If not, I'm
>> > > > >> > available to try to implement it if you give some insights
>> > > > >> > about it.
>> > > > >> >
>> > > > >> > Thanks in advance,
>> > > > >> > Raul
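
The point made in the Dec 11, 9:47 AM reply (the CRL is consulted by the trust manager, and only when the server side requires a client certificate), as an added Java example using the standard JSSE API. It is not code from this thread, from Artemis or from ActiveMQ 5.x; the class name, method names and the file arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collection;
import javax.net.ssl.*;

// Hypothetical helper class for illustration; not part of Artemis.
public class CrlTrustExample {

    // Builds an SSLContext whose PKIX trust manager checks peer certificates against a CRL.
    static SSLContext crlContext(KeyManager[] keyManagers, String trustStorePath,
                                 char[] trustStorePassword, String crlPath) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        Collection<? extends CRL> crls;
        try (InputStream in = new FileInputStream(crlPath)) {
            crls = CertificateFactory.getInstance("X.509").generateCRLs(in);
        }
        // Trust anchors come from the trust store; revocation data from the CRL collection.
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(true);
        pkix.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));

        // Only the "PKIX" factory accepts CertPathTrustManagerParameters.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Server-side engine: without needClientAuth the client sends no certificate,
    // so the trust manager (and therefore the CRL) is never consulted.
    static SSLEngine serverEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // args: <truststore path> <truststore password> <CRL file>, all supplied by the reader
        SSLEngine e = serverEngine(crlContext(null, args[0], args[1].toCharArray(), args[2]));
        System.out.println("needClientAuth=" + e.getNeedClientAuth());
    }
}
```

With revocation checking enabled, the PKIX validator also rejects a client certificate when no revocation information from its issuer is available, so the CRL file must come from the CA that issued the client certificates. A real acceptor would pass its own key managers instead of `null`.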