
Re: Artemis CRL


In this pull request ( https://github.com/apache/activemq-artemis/pull/1708 ) you have:

   - an example -> examples/features/standard/ssl-enabled-crl-mqtt/
     <https://github.com/apache/activemq-artemis/pull/1708/files#diff-281889d37468a2ec2947c2269c302377>
   - a test -> tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java

I think I need to update this file:
examples/features/standard/ssl-enabled-crl-mqtt/readme.html
<https://github.com/apache/activemq-artemis/pull/1708/files#diff-fac926e01a6ee68f346e78d126d15f5c>

Is there any other place I need to add the instructions?

Raul


2017-12-14 14:49 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:

> Are there instructions about how to do what you did in your example or your
> test?  Any artifacts packaged with an example or a test should be able to
> be easily re-created by an interested user/developer.
>
>
> Justin
>
> On Thu, Dec 14, 2017 at 5:37 AM, Raul Valdoleiros <
> raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
>
> > Hi Justin,
> >
> > I created new certificates and crls, created from scratch.
> >
> > Thanks,
> > Raul
> >
> > 2017-12-12 10:09 GMT+00:00 Raul Valdoleiros <
> > raul.valdoleiros.oliveira@xxxxxxxxx>:
> >
> > > Hi Justin,
> > >
> > > I copied the activemq-revoke.crl from the activemq repository. I will try
> > > to add the documentation today or tomorrow, I've a busy day today :(
> > >
> > > Thanks,
> > > Raul
> > >
> > > 2017-12-12 3:09 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:
> > >
> > > > If you look at Raul's commit you'll see support for OCSP in there. Really
> > > > what's left is some testing and documentation to round it out (which was
> > > > why I was asking about how to generate the CRL).
> > > >
> > > > In any case, thanks (as always) for your input.
> > > >
> > > >
> > > > Justin
> > > >
> > > > On Mon, Dec 11, 2017 at 3:29 PM, Hadrian Zbarcea <hzbarcea@xxxxxxxxx>
> > > > wrote:
> > > >
> > > > > Keep in mind that CRLs are not used much because of a few reasons. One of
> > > > > the main ones is the heavy burden on ops/maintenance. You may want to take
> > > > > a look at ocsp.
> > > > >
> > > > > My $0.02,
> > > > > Hadrian
> > > > >
> > > > >
> > > > > On 12/11/2017 02:34 PM, Justin Bertram wrote:
> > > > >
> > > > > > Can you describe how you created the activemq-revoke.crl that's in your
> > > > > > example?
> > > > > >
> > > > > >
> > > > > > Justin
> > > > > >
> > > > > > On Mon, Dec 11, 2017 at 9:47 AM, Justin Bertram <jbertram@xxxxxxxxxx>
> > > > > > wrote:
> > > > > >
> > > > > > > The CRL logic applies to the *trust* manager.  The way your example is
> > > > > > > configured the CRL is specified on the broker side.  In order to make use
> > > > > > > of the CRL the client has to present a certificate for the broker to
> > > > > > > trust.  However, the acceptor in your example (and test) is not configured
> > > > > > > to require the client to present a certificate.  You need to add
> > > > > > > "needClientAuth=true" and then you should see the broker reject the
> > > > > > > client's cert.
> > > > > > >
> > > > > > >
> > > > > > > Justin
> > > > > > >
> > > > > > > On Mon, Dec 11, 2017 at 8:43 AM, Raul Valdoleiros <
> > > > > > > raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> > > > > > >
> > > > > > > > The server accepts the connection of the client with the revoked
> > > > > > > > certificate, I think it should reject the connection.
> > > > > > > > I added an example of that in the commit.
> > > > > > > >
> > > > > > > > 2017-12-11 14:05 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:
> > > > > > > >
> > > > > > > > > I took a quick look over the code and it looks good to me.  What
> > > > > > > > > specifically isn't working?
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Justin
> > > > > > > > >
> > > > > > > > > On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros <
> > > > > > > > > raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> > > > > > > > >
> > > > > > > > > > Hi Justin,
> > > > > > > > > >
> > > > > > > > > > What I did is available in the commit:
> > > > > > > > > > https://github.com/Skiler/activemq-artemis/commit/2e67595c30856666eb62122906b22a3398f9de47
> > > > > > > > > > Definitely I did something wrong, perhaps some basic mistake. I
> > > > > > > > > >
> > > > > > > > > > Thanks in advance,
> > > > > > > > > > Raul
> > > > > > > > > >
> > > > > > > > > > 2017-12-08 20:51 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:
> > > > > > > > > >
> > > > > > > > > > > FYI - I opened ARTEMIS-1548 [1] for this.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Justin
> > > > > > > > > > >
> > > > > > > > > > > [1] https://issues.apache.org/jira/browse/ARTEMIS-1548
> > > > > > > > > > >
> > > > > > > > > > > On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram <
> > > > > > > > > > > jbertram@xxxxxxxxxx> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > > I copied the code and the certificates from activemq.
> > > > > > > > > > > >
> > > > > > > > > > > > What code and certs did you copy and where did you copy it to?
> > > > > > > > > > > >
> > > > > > > > > > > > > My guess is artemis is delegating the ssl infrastructure in Netty and
> > > > > > > > > > > > > netty isn't supporting CRL by default. Not sure about it.
> > > > > > > > > > > >
> > > > > > > > > > > > The SSL handshake is done by Netty in Artemis.  However, the SSLContext
> > > > > > > > > > > > used (which includes the trust manager) is created by Artemis itself in the
> > > > > > > > > > > > class I specified in my previous email.
> > > > > > > > > > > >
> > > > > > > > > > > > > I need ocsp too, I thought I could add copy both features to artemis. No
> > > > > > > > > > > > > luck until now.
> > > > > > > > > > > >
> > > > > > > > > > > > I don't think it will be too hard to implement both in Artemis.  I'll give
> > > > > > > > > > > > it a closer look when I get the chance.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > Justin
> > > > > > > > > > > >
> > > > > > > > > > > > On Thu, Dec 7, 2017 at 4:23 PM, Raul Valdoleiros <
> > > > > > > > > > > > raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Hi Justin,
> > > > > > > > > > > > >
> > > > > > > > > > > > > I already tried it (I tried before sending the e-mail), and it didn't
> > > > > > > > > > > > > work. I copied the code and the certificates from activemq. My guess is
> > > > > > > > > > > > > artemis is delegating the ssl infrastructure in Netty and netty isn't
> > > > > > > > > > > > > supporting CRL by default. Not sure about it. I'm assuming activemq doesn't
> > > > > > > > > > > > > use netty.
> > > > > > > > > > > > > I need ocsp too, I thought I could add copy both features to artemis. No
> > > > > > > > > > > > > luck until now.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Thanks in advance,
> > > > > > > > > > > > > Raul
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > On 07/12/2017 5:36 p.m., "Justin Bertram" <jbertram@xxxxxxxxxx> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Artemis doesn't support CRL.  However, you should be able to adapt what's
> > > > > > > > > > > > > > done in 5.x in org.apache.activemq.spring.SpringSslContext to work in
> > > > > > > > > > > > > > Artemis in org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.
> > > > > > > > > > > > > > Let me know if you're moving forward with this work otherwise I'll take a
> > > > > > > > > > > > > > closer look.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Justin
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Thu, Dec 7, 2017 at 2:27 AM, Raul Valdoleiros <
> > > > > > > > > > > > > > raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Hi,
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Does Artemis support certificate revocation lists? If not, I'm available
> > > > > > > > > > > > > > > to try to implement it if you give some insights about it.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Thanks in advance,
> > > > > > > > > > > > > > > Raul
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
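The point Justin makes in the thread (the CRL is consulted by the *trust* manager, so the acceptor must also require a client certificate before a revoked client can be rejected) is shown below as an added example in plain JSSE. It is not code from the Artemis project, from the pull request, or from anyone in this thread. The class name, the keystore/truststore file names, the passwords, and the CRL file path are assumptions for illustration; the only name taken from the thread is activemq-revoke.crl.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Collection;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not Artemis code: a server-side SSLContext whose PKIX trust
 * manager checks client certificates against a local CRL, plus an SSLEngine
 * that actually requires the client to present one.
 */
public final class CrlTrustExample {

    /** Load a keystore from disk; the store type and path are assumptions. */
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Revocation checking belongs to the trust side: the PKIX validator is
     * handed the CRL through a CertStore and told to enforce revocation.
     * With setRevocationEnabled(true) the JDK fails closed: a client chain
     * whose revocation status cannot be determined is rejected, not accepted.
     */
    static TrustManagerFactory crlTrustManagers(KeyStore trustStore, String crlPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends CRL> crls;
        try (InputStream in = new FileInputStream(crlPath)) {
            crls = cf.generateCRLs(in);   // PEM or DER; the file may hold several CRLs
        }
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(true);
        pkix.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf;
    }

    /** Server context: the broker's own key material plus the CRL-aware trust managers. */
    static SSLContext serverContext(KeyStore keyStore, char[] keyPassword, TrustManagerFactory tmf) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * The piece the thread's example was missing: unless the server side demands
     * a client certificate, the trust manager is never invoked for the client,
     * so a revoked certificate is never even seen, let alone rejected.
     */
    static SSLEngine serverEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true);   // the JSSE equivalent of needClientAuth=true on the acceptor
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // All file names and passwords below are assumptions for illustration.
        char[] serverPass = "serverpass".toCharArray();
        KeyStore keyStore = loadStore("server-keystore.jks", serverPass);
        KeyStore trustStore = loadStore("server-truststore.jks", "trustpass".toCharArray());
        TrustManagerFactory tmf = crlTrustManagers(trustStore, "activemq-revoke.crl");
        SSLEngine engine = serverEngine(serverContext(keyStore, serverPass, tmf));
        System.out.println("needClientAuth=" + engine.getNeedClientAuth()
                + ", CRL-backed revocation checking enabled on the trust manager");
    }
}
```

Two things worth checking when adapting this: a handshake from a client whose certificate appears in the CRL should now fail with a CertPathValidatorException wrapped in an SSLHandshakeException on the server side, and a client whose issuer has no CRL in the CertStore fails as well, because revocation is enforced rather than skipped. If the CRL ships with an example or test, as discussed in the thread, the steps used to produce it (issuing CA, revoked serial, validity window) should be written down next to it so the artifact can be regenerated when it expires.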