
Re: Artemis CRL


Hi Justin,

I created new certificates and crls, created from scratch.

Thanks,
Raul

2017-12-12 10:09 GMT+00:00 Raul Valdoleiros <
raul.valdoleiros.oliveira@xxxxxxxxx>:

> Hi Justin,
>
> I copied the activemq-revoke.crl from the activemq repository. I will try
> to add the documentation today or tomorrow, I've a busy day today :(
>
> Thanks,
> Raul
>
> 2017-12-12 3:09 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:
>
>> If you look at Raul's commit you'll see support for OCSP in there.  Really
>> what's left is some testing and documentation to round it out (which was
>> why I was asking about how to generate the CRL).
>>
>> In any case, thanks (as always) for your input.
>>
>>
>> Justin
>>
>> On Mon, Dec 11, 2017 at 3:29 PM, Hadrian Zbarcea <hzbarcea@xxxxxxxxx>
>> wrote:
>>
>> > Keep in mind that CRLs are not used much because of a few reasons. One
>> > of the main ones is the heavy burden on ops/maintenance. You may want to
>> > take a look at ocsp.
>> >
>> > My $0.02,
>> > Hadrian
>> >
>> >
>> >
>> > On 12/11/2017 02:34 PM, Justin Bertram wrote:
>> >
>> >> Can you describe how you created the activemq-revoke.crl that's in your
>> >> example?
>> >>
>> >>
>> >> Justin
>> >>
>> >> On Mon, Dec 11, 2017 at 9:47 AM, Justin Bertram <jbertram@xxxxxxxxxx>
>> >> wrote:
>> >>
>> >>> The CRL logic applies to the *trust* manager.  The way your example is
>> >>> configured the CRL is specified on the broker side.  In order to make
>> >>> use of the CRL the client has to present a certificate for the broker to
>> >>> trust.  However, the acceptor in your example (and test) is not
>> >>> configured to require the client to present a certificate.  You need to
>> >>> add "needClientAuth=true" and then you should see the broker reject the
>> >>> client's cert.
>> >>>
>> >>>
>> >>> Justin
>> >>>
>> >>> On Mon, Dec 11, 2017 at 8:43 AM, Raul Valdoleiros <
>> >>> raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
>> >>>
>> >>>> The server accepts the connection of the client with the revoked
>> >>>> certificate, I think it should reject the connection.
>> >>>> I added an example of that in the commit.
>> >>>>
>> >>>> 2017-12-11 14:05 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:
>> >>>>
>> >>>>> I took a quick look over the code and it looks good to me.  What
>> >>>>> specifically isn't working?
>> >>>>>
>> >>>>>
>> >>>>> Justin
>> >>>>>
>> >>>>> On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros <
>> >>>>> raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
>> >>>>>
>> >>>>>> Hi Justin,
>> >>>>>>
>> >>>>>> What I did is available in the commit:
>> >>>>>> https://github.com/Skiler/activemq-artemis/commit/2e67595c30856666eb62122906b22a3398f9de47
>> >>>>>> Definitely I did something wrong, perhaps some basic mistake. I
>> >>>>>>
>> >>>>>> Thanks in advance,
>> >>>>>> Raul
>> >>>>>>
>> >>>>>> 2017-12-08 20:51 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:
>> >>>>>>
>> >>>>>>> FYI - I opened ARTEMIS-1548 [1] for this.
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> Justin
>> >>>>>>>
>> >>>>>>> [1] https://issues.apache.org/jira/browse/ARTEMIS-1548
>> >>>>>>>
>> >>>>>>> On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram <jbertram@xxxxxxxxxx>
>> >>>>>>> wrote:
>> >>>>>>>
>> >>>>>>>>> I copied the code and the certificates from activemq.
>> >>>>>>>>
>> >>>>>>>> What code and certs did you copy and where did you copy it to?
>> >>>>>>>>
>> >>>>>>>>> My guess is artemis is delegating the ssl infrastructure in Netty
>> >>>>>>>>> and netty isn't supporting CRL by default. Not sure about it.
>> >>>>>>>>
>> >>>>>>>> The SSL handshake is done by Netty in Artemis.  However, the
>> >>>>>>>> SSLContext used (which includes the trust manager) is created by
>> >>>>>>>> Artemis itself in the class I specified in my previous email.
>> >>>>>>>>
>> >>>>>>>>> I need ocsp too, I thought I could copy both features to artemis.
>> >>>>>>>>> No luck until now.
>> >>>>>>>>
>> >>>>>>>> I don't think it will be too hard to implement both in Artemis.
>> >>>>>>>> I'll give it a closer look when I get the chance.
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> Justin
>> >>>>>>>>
>> >>>>>>>> On Thu, Dec 7, 2017 at 4:23 PM, Raul Valdoleiros <
>> >>>>>>>> raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
>> >>>>>>>>
>> >>>>>>>>> Hi Justin,
>> >>>>>>>>>
>> >>>>>>>>> I already tried it (I tried before sending the e-mail), and it
>> >>>>>>>>> didn't work. I copied the code and the certificates from activemq.
>> >>>>>>>>> My guess is artemis is delegating the ssl infrastructure in Netty
>> >>>>>>>>> and netty isn't supporting CRL by default. Not sure about it. I'm
>> >>>>>>>>> assuming activemq doesn't use netty.
>> >>>>>>>>> I need ocsp too, I thought I could copy both features to artemis.
>> >>>>>>>>> No luck until now.
>> >>>>>>>>>
>> >>>>>>>>> Thanks in advance,
>> >>>>>>>>> Raul
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>> On 07/12/2017 5:36 p.m., "Justin Bertram" <jbertram@xxxxxxxxxx>
>> >>>>>>>>> wrote:
>> >>>>>>>>>
>> >>>>>>>>>> Artemis doesn't support CRL.  However, you should be able to
>> >>>>>>>>>> adapt what's done in 5.x in
>> >>>>>>>>>> org.apache.activemq.spring.SpringSslContext to work in Artemis in
>> >>>>>>>>>> org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.
>> >>>>>>>>>> Let me know if you're moving forward with this work otherwise
>> >>>>>>>>>> I'll take a closer look.
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> Justin
>> >>>>>>>>>>
>> >>>>>>>>>> On Thu, Dec 7, 2017 at 2:27 AM, Raul Valdoleiros <
>> >>>>>>>>>> raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
>> >>>>>>>>>>
>> >>>>>>>>>>> Hi,
>> >>>>>>>>>>>
>> >>>>>>>>>>> Does Artemis support certificate revocation lists? If not, I'm
>> >>>>>>>>>>> available to try to implement it if you give some insights
>> >>>>>>>>>>> about it.
>> >>>>>>>>>>>
>> >>>>>>>>>>> Thanks in advance,
>> >>>>>>>>>>> Raul
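An added example (my own code, not code from Artemis, ActiveMQ 5.x or anyone in this thread) of the two points Justin makes in the thread: the CRL check belongs to the PKIX trust manager that backs the SSLContext, and it only has any effect when the server-side engine requires the client to present a certificate. The trust store path, its password and the CRL file are placeholder arguments; `CrlTrustManagerExample` and its method names are mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Collection;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public class CrlTrustManagerExample {

    // Builds PKIX trust managers whose path validation consults the CRL file.
    // Paths and password are placeholders supplied by the caller.
    static TrustManager[] trustManagersWithCrl(String trustStorePath, char[] trustStorePassword,
                                               String crlPath) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        // Parse one or more PEM/DER CRLs from the file (e.g. activemq-revoke.crl).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends CRL> crls;
        try (InputStream in = new FileInputStream(crlPath)) {
            crls = cf.generateCRLs(in);
        }
        // Trust anchors come from the trust store; the CRLs are offered via a CertStore.
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        pkix.setRevocationEnabled(true); // without this the CRL is loaded but never consulted
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf.getTrustManagers();
    }

    // Server-side engine: the trust manager (and so the CRL) is only exercised for
    // the peer if the engine demands a client certificate during the handshake.
    static SSLEngine serverEngine(KeyManagerFactory kmf, TrustManager[] tms) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tms, null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true); // same effect as needClientAuth=true on the acceptor
        return engine;
    }
}
```

With `setNeedClientAuth(false)` the handshake completes for a client holding a revoked certificate, which is the behaviour Raul reported before the acceptor was changed.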