In this pull request (https://github.com/apache/activemq-artemis/pull/1708) you have:

- an example -> examples/features/standard/ssl-enabled-crl-mqtt/ <https://github.com/apache/activemq-artemis/pull/1708/files#diff-281889d37468a2ec2947c2269c302377>
- a test -> tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java

I think I need to update this file examples/features/standard/ssl-enabled-crl-mqtt/readme.html <https://github.com/apache/activemq-artemis/pull/1708/files#diff-fac926e01a6ee68f346e78d126d15f5c>

Is there any other place I need to add the instructions?

Raul

2017-12-14 14:49 GMT+00:00 Justin Bertram <jbert...@apache.org>:

> Are there instructions about how to do what you did in your example or your
> test? Any artifacts packaged with an example or a test should be able to
> be easily re-created by an interested user/developer.
>
> Justin
>
> On Thu, Dec 14, 2017 at 5:37 AM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
>
>> Hi Justin,
>>
>> I created new certificates and crls, created from scratch.
>>
>> Thanks,
>> Raul
>>
>> 2017-12-12 10:09 GMT+00:00 Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com>:
>>
>>> Hi Justin,
>>>
>>> I copied the activemq-revoke.crl from the activemq repository. I will try
>>> to add the documentation today or tomorrow, I've a busy day today :(
>>>
>>> Thanks,
>>> Raul
>>>
>>> 2017-12-12 3:09 GMT+00:00 Justin Bertram <jbert...@apache.org>:
>>>
>>>> If you look at Raul's commit you'll see support for OCSP in there. Really
>>>> what's left is some testing and documentation to round it out (which was
>>>> why I was asking about how to generate the CRL).
>>>>
>>>> In any case, thanks (as always) for your input.
>>>>
>>>> Justin
>>>>
>>>> On Mon, Dec 11, 2017 at 3:29 PM, Hadrian Zbarcea <hzbar...@gmail.com> wrote:
>>>>
>>>>> Keep in mind that CRLs are not used much because of a few reasons. One of
>>>>> the main ones is the heavy burden on ops/maintenance. You may want to take
>>>>> a look at ocsp.
>>>>>
>>>>> My $0.02,
>>>>> Hadrian
>>>>>
>>>>> On 12/11/2017 02:34 PM, Justin Bertram wrote:
>>>>>
>>>>>> Can you describe how you created the activemq-revoke.crl that's in your
>>>>>> example?
>>>>>>
>>>>>> Justin
>>>>>>
>>>>>> On Mon, Dec 11, 2017 at 9:47 AM, Justin Bertram <jbert...@apache.org> wrote:
>>>>>>
>>>>>>> The CRL logic applies to the *trust* manager. The way your example is
>>>>>>> configured the CRL is specified on the broker side. In order to make use
>>>>>>> of the CRL the client has to present a certificate for the broker to
>>>>>>> trust. However, the acceptor in your example (and test) is not configured
>>>>>>> to require the client to present a certificate. You need to add
>>>>>>> "needClientAuth=true" and then you should see the broker reject the
>>>>>>> client's cert.
>>>>>>>
>>>>>>> Justin
>>>>>>>
>>>>>>> On Mon, Dec 11, 2017 at 8:43 AM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
>>>>>>>
>>>>>>>> The server accepts the connection of the client with the revoked
>>>>>>>> certificate, I think it should reject the connection.
>>>>>>>> I add an example of that in the commit.
>>>>>>>>
>>>>>>>> 2017-12-11 14:05 GMT+00:00 Justin Bertram <jbert...@apache.org>:
>>>>>>>>
>>>>>>>>> I took a quick look over the code and it looks good to me. What
>>>>>>>>> specifically isn't working?
>>>>>>>>>
>>>>>>>>> Justin
>>>>>>>>>
>>>>>>>>> On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Justin,
>>>>>>>>>>
>>>>>>>>>> What I did is available in the commit:
>>>>>>>>>> https://github.com/Skiler/activemq-artemis/commit/2e67595c30856666eb62122906b22a3398f9de47
>>>>>>>>>> Definitely I did something wrong, perhaps some basic mistake. I
>>>>>>>>>>
>>>>>>>>>> Thanks in advance,
>>>>>>>>>> Raul
>>>>>>>>>>
>>>>>>>>>> 2017-12-08 20:51 GMT+00:00 Justin Bertram <jbert...@apache.org>:
>>>>>>>>>>
>>>>>>>>>>> FYI - I opened ARTEMIS-1548 [1] for this.
>>>>>>>>>>>
>>>>>>>>>>> Justin
>>>>>>>>>>>
>>>>>>>>>>> [1] https://issues.apache.org/jira/browse/ARTEMIS-1548
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram <jbert...@apache.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>>>> I copied the code and the certificates from activemq.
>>>>>>>>>>>>
>>>>>>>>>>>> What code and certs did you copy and where did you copy it to?
>>>>>>>>>>>>
>>>>>>>>>>>>> My guess is artemis is delegating the ssl infrastructure in Netty and
>>>>>>>>>>>>> netty isn't supporting CRL by default. Not sure about it.
>>>>>>>>>>>>
>>>>>>>>>>>> The SSL handshake is done by Netty in Artemis. However, the SSLContext
>>>>>>>>>>>> used (which includes the trust manager) is created by Artemis itself in
>>>>>>>>>>>> the class I specified in my previous email.
>>>>>>>>>>>>
>>>>>>>>>>>>> I need ocsp too, I thought I could add copy both features to artemis. No
>>>>>>>>>>>>> luck until now.
>>>>>>>>>>>>
>>>>>>>>>>>> I don't think it will be too hard to implement both in Artemis. I'll give
>>>>>>>>>>>> it a closer look when I get the chance.
>>>>>>>>>>>>
>>>>>>>>>>>> Justin
>>>>>>>>>>>>
>>>>>>>>>>>> On Thu, Dec 7, 2017 at 4:23 PM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Justin,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I already tried it (I tried before sending the e-mail), and it didn't work. I
>>>>>>>>>>>>> copied the code and the certificates from activemq. My guess is artemis is
>>>>>>>>>>>>> delegating the ssl infrastructure in Netty and netty isn't supporting CRL
>>>>>>>>>>>>> by default. Not sure about it. I'm assuming activemq doesn't use netty.
>>>>>>>>>>>>> I need ocsp too, I thought I could add copy both features to artemis. No
>>>>>>>>>>>>> luck until now.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks in advance,
>>>>>>>>>>>>> Raul
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 07/12/2017 5:36 p.m., "Justin Bertram" <jbert...@redhat.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Artemis doesn't support CRL. However, you should be able to adapt what's
>>>>>>>>>>>>>> done in 5.x in org.apache.activemq.spring.SpringSslContext to work in
>>>>>>>>>>>>>> Artemis in org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.
>>>>>>>>>>>>>> Let me know if you're moving forward with this work otherwise I'll take a
>>>>>>>>>>>>>> closer look.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Justin
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Thu, Dec 7, 2017 at 2:27 AM, Raul Valdoleiros <raul.valdoleiros.olive...@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Does Artemis support a certificate revocation list? If not, I'm available to
>>>>>>>>>>>>>>> try to implement it if you give some insights about it.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks in advance,
>>>>>>>>>>>>>>> Raul