
Re: Artemis CRL


Hi Justin,

I copied the activemq-revoke.crl from the activemq repository. I will try
to add the documentation today or tomorrow, I've a busy day today :(

Thanks,
Raul

2017-12-12 3:09 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:

> If you look at Raul's commit you'll see support for OCSP in there.  Really
> what's left is some testing and documentation to round it out (which was
> why I was asking about how to generate the CRL).
>
> In any case, thanks (as always) for your input.
>
>
> Justin
>
> On Mon, Dec 11, 2017 at 3:29 PM, Hadrian Zbarcea <hzbarcea@xxxxxxxxx>
> wrote:
>
> > Keep in mind that CRLs are not used much because of a few reasons. One of
> > the main ones is the heavy burden on ops/maintenance. You may want to
> > take a look at ocsp.
> >
> > My $0.02,
> > Hadrian
> >
> >
> >
> > On 12/11/2017 02:34 PM, Justin Bertram wrote:
> >
> >> Can you describe how you created the activemq-revoke.crl that's in your
> >> example?
> >>
> >>
> >> Justin
> >>
> >> On Mon, Dec 11, 2017 at 9:47 AM, Justin Bertram <jbertram@xxxxxxxxxx>
> >> wrote:
> >>
> >>> The CRL logic applies to the *trust* manager.  The way your example is
> >>> configured the CRL is specified on the broker side.  In order to make
> >>> use of the CRL the client has to present a certificate for the broker to
> >>> trust.  However, the acceptor in your example (and test) is not
> >>> configured to require the client to present a certificate.  You need to
> >>> add "needClientAuth=true" and then you should see the broker reject the
> >>> client's cert.
> >>>
> >>>
> >>> Justin
> >>>
> >>> On Mon, Dec 11, 2017 at 8:43 AM, Raul Valdoleiros <
> >>> raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> >>>
> >>>> The server accepts the connection of the client with the revoked
> >>>> certificate, I think it should reject the connection.
> >>>> I added an example of that in the commit.
> >>>>
> >>>> 2017-12-11 14:05 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:
> >>>>
> >>>>> I took a quick look over the code and it looks good to me.  What
> >>>>> specifically isn't working?
> >>>>>
> >>>>>
> >>>>> Justin
> >>>>>
> >>>>> On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros <
> >>>>> raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> >>>>>
> >>>>>> Hi Justin,
> >>>>>>
> >>>>>> What I did is available in the commit:
> >>>>>> https://github.com/Skiler/activemq-artemis/commit/2e67595c30856666eb62122906b22a3398f9de47
> >>>>>> Definitely I did something wrong, perhaps some basic mistake. I
> >>>>>>
> >>>>>> Thanks in advance,
> >>>>>> Raul
> >>>>>>
> >>>>>> 2017-12-08 20:51 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:
> >>>>>>
> >>>>>>> FYI - I opened ARTEMIS-1548 [1] for this.
> >>>>>>>
> >>>>>>>
> >>>>>>> Justin
> >>>>>>>
> >>>>>>> [1] https://issues.apache.org/jira/browse/ARTEMIS-1548
> >>>>>>>
> >>>>>>> On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram <jbertram@xxxxxxxxxx>
> >>>>>>> wrote:
> >>>>>>>
> >>>>>>>>> I copied the code and the certificates from activemq.
> >>>>>>>>
> >>>>>>>> What code and certs did you copy and where did you copy it to?
> >>>>>>>>
> >>>>>>>>> My guess is artemis is delegating the ssl infrastructure in Netty
> >>>>>>>>> and netty isn't supporting CRL by default. Not sure about it.
> >>>>>>>>
> >>>>>>>> The SSL handshake is done by Netty in Artemis.  However, the
> >>>>>>>> SSLContext used (which includes the trust manager) is created by
> >>>>>>>> Artemis itself in the class I specified in my previous email.
> >>>>>>>>
> >>>>>>>>> I need ocsp too, I thought I could copy both features to artemis.
> >>>>>>>>> No luck until now.
> >>>>>>>>
> >>>>>>>> I don't think it will be too hard to implement both in Artemis.
> >>>>>>>> I'll give it a closer look when I get the chance.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Justin
> >>>>>>>>
> >>>>>>>> On Thu, Dec 7, 2017 at 4:23 PM, Raul Valdoleiros <
> >>>>>>>> raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> >>>>>>>>
> >>>>>>>>> Hi Justin,
> >>>>>>>>>
> >>>>>>>>> I already tried it (I tried before sending the e-mail), and it
> >>>>>>>>> didn't work. I copied the code and the certificates from activemq.
> >>>>>>>>> My guess is artemis is delegating the ssl infrastructure in Netty
> >>>>>>>>> and netty isn't supporting CRL by default. Not sure about it. I'm
> >>>>>>>>> assuming activemq doesn't use netty. I need ocsp too, I thought I
> >>>>>>>>> could copy both features to artemis. No luck until now.
> >>>>>>>>>
> >>>>>>>>> Thanks in advance,
> >>>>>>>>> Raul
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On 07/12/2017 5:36 p.m., "Justin Bertram" <jbertram@xxxxxxxxxx>
> >>>>>>>>> wrote:
> >>>>>>>>>
> >>>>>>>>>> Artemis doesn't support CRL.  However, you should be able to adapt
> >>>>>>>>>> what's done in 5.x in org.apache.activemq.spring.SpringSslContext
> >>>>>>>>>> to work in Artemis in
> >>>>>>>>>> org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.
> >>>>>>>>>> Let me know if you're moving forward with this work otherwise
> >>>>>>>>>> I'll take a closer look.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> Justin
> >>>>>>>>>>
> >>>>>>>>>> On Thu, Dec 7, 2017 at 2:27 AM, Raul Valdoleiros <
> >>>>>>>>>> raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> Hi,
> >>>>>>>>>>>
> >>>>>>>>>>> Does Artemis support certificate revocation lists? If not, I'm
> >>>>>>>>>>> available to try to implement it if you give some insights about
> >>>>>>>>>>> it.
> >>>>>>>>>>>
> >>>>>>>>>>> Thanks in advance,
> >>>>>>>>>>> Raul
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>
> >>>
> >>
>
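The two points Justin makes in the quoted thread (the CRL only takes effect in the *trust* manager, which is only consulted once the acceptor requires a client certificate, and the SSLContext that carries that trust manager is built by Artemis itself rather than by Netty) shown in plain JSSE. This is an added example, not code from Artemis, from the 5.x SpringSslContext, or from Raul's commit. It assumes a JKS/PKCS12 truststore holding the issuing CA, a DER or PEM CRL file issued by that CA, and an optional OCSP responder URI, all passed on the command line; the class and method names are mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example (not Artemis code): a PKIX trust manager that honours a CRL file and, optionally, OCSP. */
public final class RevocationAwareTrust {

    /** PKIX parameters: trust anchors from the truststore, revocation checked against the given CRL files. */
    static PKIXBuilderParameters revocationParams(KeyStore trustStore, List<String> crlPaths, URI ocspResponder)
            throws Exception {
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.setRevocationEnabled(true);

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<CRL> crls = new ArrayList<>();
        for (String path : crlPaths) {
            try (InputStream in = new FileInputStream(path)) {
                crls.addAll(cf.generateCRLs(in)); // accepts DER or PEM
            }
        }
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));

        if (ocspResponder != null) {
            // An explicit PKIXRevocationChecker replaces the default CRL-only checker; with default
            // options it queries OCSP first and falls back to the CRLs loaded above.
            PKIXRevocationChecker ocsp =
                    (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
            ocsp.setOcspResponder(ocspResponder);
            params.addCertPathChecker(ocsp);
        }
        return params;
    }

    /** The "PKIX" factory is required here: "SunX509" does not accept CertPathTrustManagerParameters. */
    static X509TrustManager trustManager(KeyStore trustStore, List<String> crlPaths, URI ocspResponder)
            throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(revocationParams(trustStore, crlPaths, ocspResponder)));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("PKIX factory returned no X509TrustManager");
    }

    /** Broker-side SSLContext carrying the revocation-aware trust manager. */
    static SSLContext serverContext(KeyStore keyStore, char[] keyPassword, X509TrustManager tm) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { tm }, null);
        return ctx;
    }

    /** Without needClientAuth the client sends no certificate, so the trust manager (and the CRL) is never consulted. */
    static SSLEngine serverEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true);
        return engine;
    }

    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Offline check. args: truststore truststore-password crl-file client-cert-file [ocsp-responder-uri] */
    public static void main(String[] args) throws Exception {
        KeyStore trustStore = loadStore(args[0], args[1].toCharArray());
        URI ocsp = args.length > 4 ? URI.create(args[4]) : null;
        X509TrustManager tm = trustManager(trustStore, Collections.singletonList(args[2]), ocsp);

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(args[3])) {
            chain = cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
        try {
            tm.checkClientTrusted(chain, "RSA"); // the same call the TLS handshake makes for a client cert
            System.out.println("ACCEPTED " + chain[0].getSubjectX500Principal());
        } catch (CertificateException e) {
            System.out.println("REJECTED " + chain[0].getSubjectX500Principal() + ": " + e.getMessage());
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, the CRL is parsed once when the parameters are built, so a reissued CRL (or one past its nextUpdate) needs the context rebuilt; that refresh is the ops burden Hadrian refers to. Second, with setRevocationEnabled(true) a chain whose status cannot be determined at all (no CRL covering the issuer, OCSP responder unreachable) is rejected, not accepted; PKIXRevocationChecker.Option.SOFT_FAIL relaxes that, and is the option to leave off on a broker that is meant to enforce revocation.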