
Re: Artemis CRL


You'd need to add instructions to both the test (see an example here [1])
and the example.

Also, take a look at the modifications I made to your previous test
submitted for the MQTT cluster issue [2].  It's preferable to have the
configuration done programmatically rather than in a separate broker.xml
file.


Justin

[1]
https://github.com/apache/activemq-artemis/blob/master/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLTest.java#L70
[2]
https://github.com/apache/activemq-artemis/blob/master/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MqttClusterWildcardTest.java

On Thu, Dec 14, 2017 at 9:33 AM, Raul Valdoleiros <
raul.valdoleiros.oliveira@xxxxxxxxx> wrote:

> In this pull request ( https://github.com/apache/activemq-artemis/pull/1708 ) you have:
>
>    - an example -> examples/features/standard/ssl-enabled-crl-mqtt/
>      <https://github.com/apache/activemq-artemis/pull/1708/files#diff-281889d37468a2ec2947c2269c302377>
>    - a test -> tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java
>
> I think I need to update this file
> examples/features/standard/ssl-enabled-crl-mqtt/readme.html
> <https://github.com/apache/activemq-artemis/pull/1708/files#diff-fac926e01a6ee68f346e78d126d15f5c>
>
> Is there any other place I need to add the instructions?
>
> Raul
>
>
> 2017-12-14 14:49 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:
>
> > Are there instructions about how to do what you did in your example or your
> > test?  Any artifacts packaged with an example or a test should be able to
> > be easily re-created by an interested user/developer.
> >
> >
> > Justin
> >
> > On Thu, Dec 14, 2017 at 5:37 AM, Raul Valdoleiros <
> > raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> >
> > > Hi Justin,
> > >
> > > I created new certificates and crls, created from scratch.
> > >
> > > Thanks,
> > > Raul
> > >
> > > 2017-12-12 10:09 GMT+00:00 Raul Valdoleiros <
> > > raul.valdoleiros.oliveira@xxxxxxxxx>:
> > >
> > > > Hi Justin,
> > > >
> > > > I copied the activemq-revoke.crl from the activemq repository. I will
> > > > try to add the documentation today or tomorrow, I've a busy day today :(
> > > >
> > > > Thanks,
> > > > Raul
> > > >
> > > > 2017-12-12 3:09 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:
> > > >
> > > > > If you look at Raul's commit you'll see support for OCSP in there.
> > > > > Really what's left is some testing and documentation to round it out
> > > > > (which was why I was asking about how to generate the CRL).
> > > > >
> > > > > In any case, thanks (as always) for your input.
> > > > >
> > > > >
> > > > > Justin
> > > > >
> > > > > On Mon, Dec 11, 2017 at 3:29 PM, Hadrian Zbarcea <hzbarcea@xxxxxxxxx>
> > > > > wrote:
> > > > >
> > > > > > Keep in mind that CRLs are not used much because of a few reasons.
> > > > > > One of the main ones is the heavy burden on ops/maintenance. You may
> > > > > > want to take a look at ocsp.
> > > > > >
> > > > > > My $0.02,
> > > > > > Hadrian
> > > > > >
> > > > > > On 12/11/2017 02:34 PM, Justin Bertram wrote:
> > > > > >
> > > > > > > Can you describe how you created the activemq-revoke.crl that's in
> > > > > > > your example?
> > > > > > >
> > > > > > >
> > > > > > > Justin
> > > > > > >
> > > > > > > On Mon, Dec 11, 2017 at 9:47 AM, Justin Bertram <jbertram@xxxxxxxxxx>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > The CRL logic applies to the *trust* manager.  The way your example
> > > > > > > > is configured the CRL is specified on the broker side.  In order to
> > > > > > > > make use of the CRL the client has to present a certificate for the
> > > > > > > > broker to trust.  However, the acceptor in your example (and test)
> > > > > > > > is not configured to require the client to present a certificate.
> > > > > > > > You need to add "needClientAuth=true" and then you should see the
> > > > > > > > broker reject the client's cert.
> > > > > > > >
> > > > > > > >
> > > > > > > > Justin
> > > > > > > >
> > > > > > > > On Mon, Dec 11, 2017 at 8:43 AM, Raul Valdoleiros <
> > > > > > > > raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> > > > > > > >
> > > > > > > > > The server accepts the connection of the client with the revoked
> > > > > > > > > certificate; I think it should reject the connection.
> > > > > > > > > I added an example of that in the commit.
> > > > > > > > >
> > > > > > > > > 2017-12-11 14:05 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:
> > > > > > > > >
> > > > > > > > > > I took a quick look over the code and it looks good to me.
> > > > > > > > > > What specifically isn't working?
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Justin
> > > > > > > > > >
> > > > > > > > > > On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros <
> > > > > > > > > > raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> > > > > > > > > >
> > > > > > > > > > > Hi Justin,
> > > > > > > > > > >
> > > > > > > > > > > What I did is available in the commit:
> > > > > > > > > > > https://github.com/Skiler/activemq-artemis/commit/2e67595c30856666eb62122906b22a3398f9de47
> > > > > > > > > > > Definitely I did something wrong, perhaps some basic mistake. I
> > > > > > > > > > >
> > > > > > > > > > > Thanks in advance,
> > > > > > > > > > > Raul
> > > > > > > > > > >
> > > > > > > > > > > 2017-12-08 20:51 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:
> > > > > > > > > > >
> > > > > > > > > > > > FYI - I opened ARTEMIS-1548 [1] for this.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > Justin
> > > > > > > > > > > >
> > > > > > > > > > > > [1] https://issues.apache.org/jira/browse/ARTEMIS-1548
> > > > > > > > > > > >
> > > > > > > > > > > > On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram <jbertram@xxxxxxxxxx>
> > > > > > > > > > > > wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > > I copied the code and the certificates from activemq.
> > > > > > > > > > > > >
> > > > > > > > > > > > > What code and certs did you copy and where did you copy it to?
> > > > > > > > > > > > >
> > > > > > > > > > > > > > My guess is artemis is delegating the ssl infrastructure in
> > > > > > > > > > > > > > Netty and netty isn't supporting CRL by default. Not sure
> > > > > > > > > > > > > > about it.
> > > > > > > > > > > > >
> > > > > > > > > > > > > The SSL handshake is done by Netty in Artemis.  However, the
> > > > > > > > > > > > > SSLContext used (which includes the trust manager) is created
> > > > > > > > > > > > > by Artemis itself in the class I specified in my previous
> > > > > > > > > > > > > email.
> > > > > > > > > > > > >
> > > > > > > > > > > > > > I need ocsp too, I thought I could copy both features to
> > > > > > > > > > > > > > artemis. No luck until now.
> > > > > > > > > > > > >
> > > > > > > > > > > > > I don't think it will be too hard to implement both in Artemis.
> > > > > > > > > > > > > I'll give it a closer look when I get the chance.
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > Justin
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Thu, Dec 7, 2017 at 4:23 PM, Raul Valdoleiros <
> > > > > > > > > > > > > raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Hi Justin,
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I already tried it (I tried before sending the e-mail), and it
> > > > > > > > > > > > > > didn't work. I copied the code and the certificates from
> > > > > > > > > > > > > > activemq. My guess is artemis is delegating the ssl
> > > > > > > > > > > > > > infrastructure in Netty and netty isn't supporting CRL by
> > > > > > > > > > > > > > default. Not sure about it. I'm assuming activemq doesn't use
> > > > > > > > > > > > > > netty. I need ocsp too, I thought I could copy both features
> > > > > > > > > > > > > > to artemis. No luck until now.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Thanks in advance,
> > > > > > > > > > > > > > Raul
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On 07/12/2017 5:36 p.m., "Justin Bertram" <jbertram@xxxxxxxxxx>
> > > > > > > > > > > > > > wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Artemis doesn't support CRL.  However, you should be able to
> > > > > > > > > > > > > > > adapt what's done in 5.x in
> > > > > > > > > > > > > > > org.apache.activemq.spring.SpringSslContext to work in
> > > > > > > > > > > > > > > Artemis in
> > > > > > > > > > > > > > > org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.
> > > > > > > > > > > > > > > Let me know if you're moving forward with this work,
> > > > > > > > > > > > > > > otherwise I'll take a closer look.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Justin
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > On Thu, Dec 7, 2017 at 2:27 AM, Raul Valdoleiros <
> > > > > > > > > > > > > > > raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Hi,
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Does Artemis support certificate revocation lists? If not, I'm
> > > > > > > > > > > > > > > > available to try to implement it if you give some insights
> > > > > > > > > > > > > > > > about it.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Thanks in advance,
> > > > > > > > > > > > > > > > Raul
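As an added illustration of the two points the thread settles on (the CRL is consulted by the PKIX trust manager, and a revoked client certificate can only be rejected if the acceptor requires client authentication), here is a hypothetical Java helper. It is not Artemis code and not the SSLSupport class Justin refers to; the class name, file paths and the revocation-enabled PKIX setup are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.*;

// Hypothetical helper (not part of Artemis): a CRL-aware trust manager plus a
// server-side SSLEngine that requires the client to present a certificate.
public final class CrlAwareTrust {

    // Trust manager whose PKIX validation rejects certificates listed in the CRLs.
    public static TrustManagerFactory trustManagerWithCrl(KeyStore trustStore, List<String> crlPaths)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<CRL> crls = new ArrayList<>();
        for (String path : crlPaths) {
            try (InputStream in = new FileInputStream(path)) {
                crls.addAll(cf.generateCRLs(in));   // accepts PEM or DER encoded CRL files
            }
        }
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        // Revocation checking is off by default; without this the CRL is loaded but never consulted.
        pkix.setRevocationEnabled(true);
        pkix.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf;
    }

    // Server side: the trust manager only sees a client certificate if the server asks for one.
    // This is the programmatic equivalent of the acceptor's "needClientAuth=true" from the thread.
    public static SSLEngine serverEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true);
        return engine;
    }

    // Usage: java CrlAwareTrust <truststore-path> <truststore-password> <crl-path>  (placeholder arguments)
    public static void main(String[] args) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) { trustStore.load(in, args[1].toCharArray()); }
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Server key manager omitted here; a real broker also supplies its own key material.
        ctx.init(null, trustManagerWithCrl(trustStore, List.of(args[2])).getTrustManagers(), null);
        System.out.println("needClientAuth=" + serverEngine(ctx).getNeedClientAuth());
    }
}
```

With revocation enabled, the default PKIX validator fails closed: every CA in the presented chain needs a current CRL in the CertStore, otherwise validation fails with an undetermined revocation status rather than silently accepting the certificate.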