
Re: Artemis CRL


Are there instructions about how to do what you did in your example or your
test?  Any artifacts packaged with an example or a test should be able to
be easily re-created by an interested user/developer.


Justin

On Thu, Dec 14, 2017 at 5:37 AM, Raul Valdoleiros <raul.valdoleiros.oliveira@xxxxxxxxx> wrote:

> Hi Justin,
>
> I created new certificates and CRLs, created from scratch.
>
> Thanks,
> Raul
>
> 2017-12-12 10:09 GMT+00:00 Raul Valdoleiros <raul.valdoleiros.oliveira@xxxxxxxxx>:
>
> > Hi Justin,
> >
> > I copied the activemq-revoke.crl from the activemq repository. I will try to add the documentation today or tomorrow, I've a busy day today :(
> >
> > Thanks,
> > Raul
> >
> > 2017-12-12 3:09 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:
> >
> > > If you look at Raul's commit you'll see support for OCSP in there. Really what's left is some testing and documentation to round it out (which was why I was asking about how to generate the CRL).
> > >
> > > In any case, thanks (as always) for your input.
> > >
> > >
> > > Justin
> > >
> > > On Mon, Dec 11, 2017 at 3:29 PM, Hadrian Zbarcea <hzbarcea@xxxxxxxxx> wrote:
> > >
> > > > Keep in mind that CRLs are not used much because of a few reasons. One of the main ones is the heavy burden on ops/maintenance. You may want to take a look at OCSP.
> > > >
> > > > My $0.02,
> > > > Hadrian
> > > >
> > > > On 12/11/2017 02:34 PM, Justin Bertram wrote:
> > > >
> > > > > Can you describe how you created the activemq-revoke.crl that's in your example?
> > > > >
> > > > >
> > > > > Justin
> > > > >
> > > > > On Mon, Dec 11, 2017 at 9:47 AM, Justin Bertram <jbertram@xxxxxxxxxx> wrote:
> > > > >
> > > > > > The CRL logic applies to the *trust* manager.  The way your example is configured, the CRL is specified on the broker side.  In order to make use of the CRL the client has to present a certificate for the broker to trust.  However, the acceptor in your example (and test) is not configured to require the client to present a certificate.  You need to add "needClientAuth=true" and then you should see the broker reject the client's cert.
> > > > > >
> > > > > >
> > > > > > Justin
> > > > > >
> > > > > > On Mon, Dec 11, 2017 at 8:43 AM, Raul Valdoleiros <raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> > > > > >
> > > > > > > The server accepts the connection of the client with the revoked certificate, I think it should reject the connection.
> > > > > > > I added an example of that in the commit.
> > > > > > >
> > > > > > > 2017-12-11 14:05 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:
> > > > > > >
> > > > > > > > I took a quick look over the code and it looks good to me.  What specifically isn't working?
> > > > > > > >
> > > > > > > >
> > > > > > > > Justin
> > > > > > > >
> > > > > > > > On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros <raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> > > > > > > >
> > > > > > > > > Hi Justin,
> > > > > > > > >
> > > > > > > > > What I did is available in the commit:
> > > > > > > > > https://github.com/Skiler/activemq-artemis/commit/2e67595c30856666eb62122906b22a3398f9de47
> > > > > > > > > Definitely I did something wrong, perhaps some basic mistake. I
> > > > > > > > >
> > > > > > > > > Thanks in advance,
> > > > > > > > > Raul
> > > > > > > > >
> > > > > > > > > 2017-12-08 20:51 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:
> > > > > > > > >
> > > > > > > > > > FYI - I opened ARTEMIS-1548 [1] for this.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Justin
> > > > > > > > > >
> > > > > > > > > > [1] https://issues.apache.org/jira/browse/ARTEMIS-1548
> > > > > > > > > >
> > > > > > > > > > On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram <jbertram@xxxxxxxxxx> wrote:
> > > > > > > > > >
> > > > > > > > > > > > I copied the code and the certificates from ActiveMQ.
> > > > > > > > > > >
> > > > > > > > > > > What code and certs did you copy and where did you copy it to?
> > > > > > > > > > >
> > > > > > > > > > > > My guess is Artemis is delegating the SSL infrastructure in Netty and Netty isn't supporting CRL by default. Not sure about it.
> > > > > > > > > > >
> > > > > > > > > > > The SSL handshake is done by Netty in Artemis.  However, the SSLContext used (which includes the trust manager) is created by Artemis itself in the class I specified in my previous email.
> > > > > > > > > > >
> > > > > > > > > > > > I need OCSP too, I thought I could add/copy both features to Artemis. No luck until now.
> > > > > > > > > > >
> > > > > > > > > > > I don't think it will be too hard to implement both in Artemis.  I'll give it a closer look when I get the chance.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Justin
> > > > > > > > > > >
> > > > > > > > > > > On Thu, Dec 7, 2017 at 4:23 PM, Raul Valdoleiros <raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Hi Justin,
> > > > > > > > > > > >
> > > > > > > > > > > > I already tried it (I tried before sending the e-mail), and it didn't work. I copied the code and the certificates from ActiveMQ. My guess is Artemis is delegating the SSL infrastructure in Netty and Netty isn't supporting CRL by default. Not sure about it. I'm assuming ActiveMQ doesn't use Netty.
> > > > > > > > > > > > I need OCSP too, I thought I could add/copy both features to Artemis. No luck until now.
> > > > > > > > > > > >
> > > > > > > > > > > > Thanks in advance,
> > > > > > > > > > > > Raul
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > On 07/12/2017 5:36 p.m., "Justin Bertram" <jbertram@xxxxxxxxxx> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Artemis doesn't support CRL.  However, you should be able to adapt what's done in 5.x in org.apache.activemq.spring.SpringSslContext to work in Artemis in org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.  Let me know if you're moving forward with this work otherwise I'll take a closer look.
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > Justin
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Thu, Dec 7, 2017 at 2:27 AM, Raul Valdoleiros <raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Hi,
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Does Artemis support certificate revocation lists? If not, I'm available to try to implement it if you give some insights about it.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Thanks in advance,
> > > > > > > > > > > > > > Raul
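Added example, not code from this thread or from the Artemis/ActiveMQ repositories: the JSSE pattern Justin points at in SpringSslContext, a PKIX trust manager built from a truststore plus a CRL file with revocation checking enabled, and the server-side engine flag that corresponds to needClientAuth=true on the acceptor. The class and method names and the truststore/CRL path parameters are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collection;
import javax.net.ssl.*;

// Hypothetical helper: PKIX trust managers that enforce a local CRL file.
public final class CrlTrustManagers {

    public static TrustManager[] build(Path trustStorePath, char[] trustStorePassword,
                                       Path crlPath) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        // Parse every CRL in the file (PEM or DER) into a Collection CertStore.
        Collection<? extends CRL> crls;
        try (InputStream in = Files.newInputStream(crlPath)) {
            crls = CertificateFactory.getInstance("X.509").generateCRLs(in);
        }
        CertStore crlStore = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls));
        // Trust anchors come from the truststore; revocation checking is turned on
        // and the CRL collection is the revocation source. If no CRL covers an
        // issuer in the chain, validation fails closed instead of silently passing.
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(true);
        pkix.addCertStore(crlStore);
        // The "PKIX" factory takes these parameters via CertPathTrustManagerParameters.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf.getTrustManagers();
    }

    // Server side: the trust manager only sees a client certificate if the engine
    // requires one, which is what needClientAuth=true on the acceptor expresses.
    public static SSLEngine serverEngine(KeyManager[] kms, TrustManager[] tms) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tms, null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true);
        return engine;
    }
}
```

With revocation enabled, the JDK's PKIX checker also honours the ocsp.enable security property, which is the OCSP route Hadrian mentions.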