Hi Justin,

I copied the activemq-revoke.crl from the activemq repository. I will try to add the documentation today or tomorrow; I have a busy day today :(

Thanks,
Raul

2017-12-12 3:09 GMT+00:00 Justin Bertram <jbert...@apache.org>:
> If you look at Raul's commit you'll see support for OCSP in there. Really
> what's left is some testing and documentation to round it out (which was
> why I was asking about how to generate the CRL).
>
> In any case, thanks (as always) for your input.
>
>
> Justin
>
> On Mon, Dec 11, 2017 at 3:29 PM, Hadrian Zbarcea <hzbar...@gmail.com> wrote:
>> Keep in mind that CRLs are not used much because of a few reasons. One of
>> the main ones is the heavy burden on ops/maintenance. You may want to take
>> a look at ocsp.
>>
>> My $0.02,
>> Hadrian
>>
>> On 12/11/2017 02:34 PM, Justin Bertram wrote:
>>> Can you describe how you created the activemq-revoke.crl that's in your
>>> example?
>>>
>>>
>>> Justin
>>>
>>> On Mon, Dec 11, 2017 at 9:47 AM, Justin Bertram <jbert...@apache.org> wrote:
>>>> The CRL logic applies to the *trust* manager. The way your example is
>>>> configured the CRL is specified on the broker side. In order to make use
>>>> of the CRL the client has to present a certificate for the broker to
>>>> trust. However, the acceptor in your example (and test) is not configured
>>>> to require the client to present a certificate. You need to add
>>>> "needClientAuth=true" and then you should see the broker reject the
>>>> client's cert.
>>>>
>>>>
>>>> Justin
>>>>
>>>> On Mon, Dec 11, 2017 at 8:43 AM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
>>>>> The server accepts the connection of the client with the revoked
>>>>> certificate; I think it should reject the connection.
>>>>> I added an example of that in the commit.
>>>>>
>>>>> 2017-12-11 14:05 GMT+00:00 Justin Bertram <jbert...@apache.org>:
>>>>>> I took a quick look over the code and it looks good to me. What
>>>>>> specifically isn't working?
>>>>>>
>>>>>>
>>>>>> Justin
>>>>>>
>>>>>> On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
>>>>>>> Hi Justin,
>>>>>>>
>>>>>>> What I did is available in the commit:
>>>>>>> https://github.com/Skiler/activemq-artemis/commit/2e67595c30856666eb62122906b22a3398f9de47
>>>>>>> Definitely I did something wrong, perhaps some basic mistake. I
>>>>>>>
>>>>>>> Thanks in advance,
>>>>>>> Raul
>>>>>>>
>>>>>>> 2017-12-08 20:51 GMT+00:00 Justin Bertram <jbert...@apache.org>:
>>>>>>>> FYI - I opened ARTEMIS-1548 [1] for this.
>>>>>>>>
>>>>>>>>
>>>>>>>> Justin
>>>>>>>>
>>>>>>>> [1] https://issues.apache.org/jira/browse/ARTEMIS-1548
>>>>>>>>
>>>>>>>> On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram <jbert...@apache.org> wrote:
>>>>>>>>>> I copied the code and the certificates from activemq.
>>>>>>>>>
>>>>>>>>> What code and certs did you copy and where did you copy it to?
>>>>>>>>>
>>>>>>>>>> My guess is artemis is delegating the ssl infrastructure in Netty and
>>>>>>>>>> netty isn't supporting CRL by default. Not sure about it.
>>>>>>>>>
>>>>>>>>> The SSL handshake is done by Netty in Artemis. However, the SSLContext
>>>>>>>>> used (which includes the trust manager) is created by Artemis itself in
>>>>>>>>> the class I specified in my previous email.
>>>>>>>>>
>>>>>>>>>> I need ocsp too, I thought I could copy both features to artemis. No
>>>>>>>>>> luck until now.
>>>>>>>>>
>>>>>>>>> I don't think it will be too hard to implement both in Artemis. I'll
>>>>>>>>> give it a closer look when I get the chance.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Justin
>>>>>>>>>
>>>>>>>>> On Thu, Dec 7, 2017 at 4:23 PM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
>>>>>>>>>> Hi Justin,
>>>>>>>>>>
>>>>>>>>>> I already tried it (I tried before sending the e-mail), and it didn't
>>>>>>>>>> work. I copied the code and the certificates from activemq. My guess is
>>>>>>>>>> artemis is delegating the ssl infrastructure in Netty and netty isn't
>>>>>>>>>> supporting CRL by default. Not sure about it. I'm assuming activemq
>>>>>>>>>> doesn't use netty.
>>>>>>>>>> I need ocsp too, I thought I could copy both features to artemis. No
>>>>>>>>>> luck until now.
>>>>>>>>>>
>>>>>>>>>> Thanks in advance,
>>>>>>>>>> Raul
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 07/12/2017 5:36 p.m., "Justin Bertram" <jbert...@redhat.com> wrote:
>>>>>>>>>>> Artemis doesn't support CRL. However, you should be able to adapt
>>>>>>>>>>> what's done in 5.x in org.apache.activemq.spring.SpringSslContext to
>>>>>>>>>>> work in Artemis in
>>>>>>>>>>> org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.
>>>>>>>>>>> Let me know if you're moving forward with this work otherwise I'll
>>>>>>>>>>> take a closer look.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Justin
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Dec 7, 2017 at 2:27 AM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> Does Artemis support certificate revocation lists? If not, I'm
>>>>>>>>>>>> available to try to implement it if you give some insights about it.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks in advance,
>>>>>>>>>>>> Raul
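Two things the thread settles on are that revocation checking lives in the trust manager, so the broker can only apply a CRL to a client certificate it has been told to require (needClientAuth=true), and that the open question is how a file like activemq-revoke.crl gets produced in the first place. The script below is an added example, not code from the thread or from the ActiveMQ/Artemis projects: it builds a throwaway CA with openssl, issues two client certificates, revokes one, publishes a CRL, and then checks both certificates against the CA plus CRL the way a CRL-aware trust manager would. The CA name, the file names (openssl.cnf, revoke.crl, trust-bundle.pem) and the client names alice and bob are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread or the Artemis project): a minimal
# openssl-based CA used to show how a CRL is generated and what a CRL-aware
# check does with a revoked versus a still-valid client certificate.
set -eu

# Create a self-signed CA plus the bookkeeping files "openssl ca" needs.
make_ca() {
  dir="$1"
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"            # issuance database (one line per cert)
  echo 01 > "$dir/serial"         # next certificate serial
  echo 01 > "$dir/crlnumber"      # next CRL number
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_ext
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$dir/openssl.cnf" -subj "/CN=Demo CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# Issue a client certificate for the given name (CSR + CA signature).
issue_client_cert() {
  dir="$1"; name="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/openssl.cnf" \
    -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$dir/openssl.cnf" \
    -in "$dir/$name.csr" -out "$dir/$name.crt" >/dev/null 2>&1
}

# Emit the CRL from the CA database and bundle it with the CA cert; the
# bundle is what a verifier (here openssl, in Artemis the trust manager)
# needs besides the trust anchor. A CRL is only as fresh as its last
# regeneration, which is the operational burden mentioned in the thread.
publish_crl() {
  dir="$1"
  openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/revoke.crl" >/dev/null 2>&1
  cat "$dir/ca.crt" "$dir/revoke.crl" > "$dir/trust-bundle.pem"
}

# Mark a certificate revoked in the CA database and republish the CRL.
revoke_client_cert() {
  dir="$1"; name="$2"
  openssl ca -config "$dir/openssl.cnf" -revoke "$dir/$name.crt" >/dev/null 2>&1
  publish_crl "$dir"
}

# Prints "accepted" or "rejected". Without -crl_check a revoked certificate
# still chains to the trusted CA and passes; that is exactly the gap a trust
# store without revocation data leaves open.
check_client_cert() {
  dir="$1"; name="$2"
  if openssl verify -crl_check -CAfile "$dir/trust-bundle.pem" "$dir/$name.crt" 2>&1 \
       | grep -q ': OK$'; then
    echo accepted
  else
    echo rejected
  fi
}

if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_ca "$work"
  issue_client_cert "$work" alice
  issue_client_cert "$work" bob
  revoke_client_cert "$work" alice
  echo "alice: $(check_client_cert "$work" alice)"   # rejected
  echo "bob:   $(check_client_cert "$work" bob)"     # accepted
  echo "CRL written to $work/revoke.crl"
fi
```

Run it as `sh crl-demo.sh demo`; the revoked certificate is rejected only because the check was told to consult the CRL. On the Java side the same two inputs, the trust store and the CRL, are what the trust manager needs: the standard JSSE route (and the one the 5.x SpringSslContext class mentioned in the thread takes) is to load the CRL, put it in a Collection CertStore on a PKIXBuilderParameters with setRevocationEnabled(true), and initialise a PKIX TrustManagerFactory from CertPathTrustManagerParameters. A trust manager built that way still never sees the client's certificate unless the acceptor requires one, which is the needClientAuth=true point made above.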