
Re: Artemis CRL


Hi Justin,

I created a new pull request with the changes you mentioned.
https://github.com/apache/activemq-artemis/pull/1715

Somehow I'm having problems amending the commits, so I created a new PR.

Raul

2017-12-14 15:44 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:

> You'd need to add instructions to both the test (see an example here [1])
> and the example.
>
> Also, take a look at the modifications I made to your previous test
> submitted for the MQTT cluster issue [2].  It's preferable to have the
> configuration done programmatically rather than in a separate broker.xml
> file.
>
>
> Justin
>
> [1] https://github.com/apache/activemq-artemis/blob/master/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLTest.java#L70
> [2] https://github.com/apache/activemq-artemis/blob/master/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MqttClusterWildcardTest.java
>
> On Thu, Dec 14, 2017 at 9:33 AM, Raul Valdoleiros <
> raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
>
> > In this pull request ( https://github.com/apache/activemq-artemis/pull/1708 )
> > you have:
> >
> >    - an example -> examples/features/standard/ssl-enabled-crl-mqtt/
> >      <https://github.com/apache/activemq-artemis/pull/1708/files#diff-281889d37468a2ec2947c2269c302377>
> >    - a test -> tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java
> >
> > I think I need to update this file
> > examples/features/standard/ssl-enabled-crl-mqtt/readme.html
> > <https://github.com/apache/activemq-artemis/pull/1708/files#diff-fac926e01a6ee68f346e78d126d15f5c>
> >
> > Is there any other place I need to add the instructions?
> >
> > Raul
> >
> >
> > 2017-12-14 14:49 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:
> >
> > > Are there instructions about how to do what you did in your example or
> > > your test?  Any artifacts packaged with an example or a test should be
> > > able to be easily re-created by an interested user/developer.
> > >
> > >
> > > Justin
> > >
> > > On Thu, Dec 14, 2017 at 5:37 AM, Raul Valdoleiros <
> > > raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> > >
> > > > Hi Justin,
> > > >
> > > > I created new certificates and crls, created from scratch.
> > > >
> > > > Thanks,
> > > > Raul
> > > >
> > > > 2017-12-12 10:09 GMT+00:00 Raul Valdoleiros <
> > > > raul.valdoleiros.oliveira@xxxxxxxxx>:
> > > >
> > > > > Hi Justin,
> > > > >
> > > > > I copied the activemq-revoke.crl from the activemq repository. I will
> > > > > try to add the documentation today or tomorrow, I've a busy day today :(
> > > > >
> > > > > Thanks,
> > > > > Raul
> > > > >
> > > > > 2017-12-12 3:09 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:
> > > > >
> > > > > > If you look at Raul's commit you'll see support for OCSP in there.
> > > > > > Really what's left is some testing and documentation to round it out
> > > > > > (which was why I was asking about how to generate the CRL).
> > > > > >
> > > > > > In any case, thanks (as always) for your input.
> > > > > >
> > > > > >
> > > > > > Justin
> > > > > >
> > > > > > On Mon, Dec 11, 2017 at 3:29 PM, Hadrian Zbarcea <hzbarcea@xxxxxxxxx>
> > > > > > wrote:
> > > > > >
> > > > > > > Keep in mind that CRLs are not used much because of a few reasons.
> > > > > > > One of the main ones is the heavy burden on ops/maintenance. You may
> > > > > > > want to take a look at ocsp.
> > > > > > >
> > > > > > > My $0.02,
> > > > > > > Hadrian
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On 12/11/2017 02:34 PM, Justin Bertram wrote:
> > > > > > >
> > > > > > > > Can you describe how you created the activemq-revoke.crl that's
> > > > > > > > in your example?
> > > > > > > >
> > > > > > > >
> > > > > > > > Justin
> > > > > > > >
> > > > > > > > On Mon, Dec 11, 2017 at 9:47 AM, Justin Bertram <jbertram@xxxxxxxxxx>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > The CRL logic applies to the *trust* manager.  The way your
> > > > > > > > > example is configured the CRL is specified on the broker side.
> > > > > > > > > In order to make use of the CRL the client has to present a
> > > > > > > > > certificate for the broker to trust.  However, the acceptor in
> > > > > > > > > your example (and test) is not configured to require the client
> > > > > > > > > to present a certificate.  You need to add "needClientAuth=true"
> > > > > > > > > and then you should see the broker reject the client's cert.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Justin
> > > > > > > > >
> > > > > > > > > On Mon, Dec 11, 2017 at 8:43 AM, Raul Valdoleiros <
> > > > > > > > > raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> > > > > > > > >
> > > > > > > > > > The server accepts the connection of the client with the
> > > > > > > > > > revoked certificate, I think it should reject the connection.
> > > > > > > > > > I added an example of that in the commit.
> > > > > > > > > >
> > > > > > > > > > 2017-12-11 14:05 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:
> > > > > > > > > >
> > > > > > > > > > > I took a quick look over the code and it looks good to me.
> > > > > > > > > > > What specifically isn't working?
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Justin
> > > > > > > > > > >
> > > > > > > > > > > On Mon, Dec 11, 2017 at 3:06 AM, Raul Valdoleiros <
> > > > > > > > > > > raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Hi Justin,
> > > > > > > > > > > >
> > > > > > > > > > > > What I did is available in the commit:
> > > > > > > > > > > > https://github.com/Skiler/activemq-artemis/commit/2e67595c30856666eb62122906b22a3398f9de47
> > > > > > > > > > > > Definitely I did something wrong, perhaps some basic
> > > > > > > > > > > > mistake. I
> > > > > > > > > > > >
> > > > > > > > > > > > Thanks in advance,
> > > > > > > > > > > > Raul
> > > > > > > > > > > >
> > > > > > > > > > > > 2017-12-08 20:51 GMT+00:00 Justin Bertram <jbertram@xxxxxxxxxx>:
> > > > > > > > > > > >
> > > > > > > > > > > > > FYI - I opened ARTEMIS-1548 [1] for this.
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > Justin
> > > > > > > > > > > > >
> > > > > > > > > > > > > [1] https://issues.apache.org/jira/browse/ARTEMIS-1548
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Thu, Dec 7, 2017 at 6:54 PM, Justin Bertram <jbertram@xxxxxxxxxx>
> > > > > > > > > > > > > wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > > I copied the code and the certificates from activemq.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > What code and certs did you copy and where did you copy
> > > > > > > > > > > > > > it to?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > My guess is artemis is delegating the ssl infrastructure
> > > > > > > > > > > > > > > in Netty and netty isn't supporting CRL by default. Not
> > > > > > > > > > > > > > > sure about it.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > The SSL handshake is done by Netty in Artemis.  However,
> > > > > > > > > > > > > > the SSLContext used (which includes the trust manager) is
> > > > > > > > > > > > > > created by Artemis itself in the class I specified in my
> > > > > > > > > > > > > > previous email.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > I need ocsp too, i thought i could add copy both features
> > > > > > > > > > > > > > > to artemis. No luck until now.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I don't think it will be too hard to implement both in
> > > > > > > > > > > > > > Artemis.  I'll give it a closer look when I get the chance.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Justin
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Thu, Dec 7, 2017 at 4:23 PM, Raul Valdoleiros <
> > > > > > > > > > > > > > raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Hi Justin,
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > I already tried it (I tried before sending the e-mail), and
> > > > > > > > > > > > > > > it didn't work. I copied the code and the certificates from
> > > > > > > > > > > > > > > activemq. My guess is artemis is delegating the ssl
> > > > > > > > > > > > > > > infrastructure in Netty and netty isn't supporting CRL by
> > > > > > > > > > > > > > > default. Not sure about it. I'm assuming activemq doesn't
> > > > > > > > > > > > > > > use netty. I need ocsp too, i thought i could add/copy both
> > > > > > > > > > > > > > > features to artemis. No luck until now.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Thanks in advance,
> > > > > > > > > > > > > > > Raul
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > On 07/12/2017 5:36 p.m., "Justin Bertram" <jbertram@xxxxxxxxxx>
> > > > > > > > > > > > > > > wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Artemis doesn't support CRL.  However, you should be
> > > > > > > > > > > > > > > > able to adapt what's done in 5.x in
> > > > > > > > > > > > > > > > org.apache.activemq.spring.SpringSslContext to work in
> > > > > > > > > > > > > > > > Artemis in
> > > > > > > > > > > > > > > > org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.
> > > > > > > > > > > > > > > > Let me know if you're moving forward with this work
> > > > > > > > > > > > > > > > otherwise I'll take a closer look.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Justin
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > On Thu, Dec 7, 2017 at 2:27 AM, Raul Valdoleiros <
> > > > > > > > > > > > > > > > raul.valdoleiros.oliveira@xxxxxxxxx> wrote:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Hi,
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Does Artemis support certificate revocation lists? If not,
> > > > > > > > > > > > > > > > > I'm available to try to implement it if you give some
> > > > > > > > > > > > > > > > > insights about it.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Thanks in advance,
> > > > > > > > > > > > > > > > > Raul
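Justin's point about the trust manager and needClientAuth, as an added example that is not code from the pull request, from Artemis or from ActiveMQ 5.x's SpringSslContext: a server-side SSLContext whose PKIX trust manager consults a CRL file, plus an SSLEngine that requires the client to present a certificate. Keystore file names and the password are placeholders; the CRL file name is the one the thread mentions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collection;
import javax.net.ssl.*;

public final class CrlAwareServerContext {
    private static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Trust managers that reject any peer certificate listed in the CRL.
    // The CRL is read once at start-up; keeping it current is the ops burden noted in the thread.
    static TrustManager[] crlTrustManagers(KeyStore trustStore, String crlPath) throws Exception {
        Collection<? extends CRL> crls;
        try (InputStream in = new FileInputStream(crlPath)) {
            crls = CertificateFactory.getInstance("X.509").generateCRLs(in);
        }
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(true); // off by default; without it the CRL is never consulted
        pkix.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf.getTrustManagers();
    }

    // Server-side engine: the trust manager above only sees a client certificate if one is
    // demanded here, which is the SSLEngine equivalent of the acceptor's needClientAuth=true.
    static SSLEngine serverEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // placeholder password and file names below
        KeyStore keyStore = loadKeyStore("server-keystore.jks", pw);
        KeyStore trustStore = loadKeyStore("server-truststore.jks", pw);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, pw);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), crlTrustManagers(trustStore, "activemq-revoke.crl"), null);
        SSLEngine engine = serverEngine(ctx);
    }
}
```

If setNeedClientAuth(true) is left out, which is the situation Justin describes in the example and test, the handshake completes without a client certificate and a revoked certificate is never checked against the CRL.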