Posted to dev@activemq.apache.org by "Piotr Klimczak (JIRA)" <ji...@apache.org> on 2014/08/19 16:09:18 UTC

[jira] [Commented] (AMQ-5008) Support for certificate revocation checking (with patch)

    [ https://issues.apache.org/jira/browse/AMQ-5008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14102225#comment-14102225 ] 

Piotr Klimczak commented on AMQ-5008:
-------------------------------------

Hi.

Why is there no feedback here?
It is a very important feature for "security freaks".
The patch is not perfect, as it uses label jumps (a technique known from languages such as BASIC from the 1960s).
But with a little tuning and some unit tests it might be very helpful.

Of course, once this functionality is done, there will be the problem of knowing that a certificate used to establish a connection was compromised. So once a connection is established using a not-yet-compromised certificate, the client app can still work as long as it does not disconnect.
But this is the second side of the problem.

> Support for certificate revocation checking (with patch)
> --------------------------------------------------------
>
>                 Key: AMQ-5008
>                 URL: https://issues.apache.org/jira/browse/AMQ-5008
>             Project: ActiveMQ
>          Issue Type: New Feature
>          Components: Connector
>            Reporter: Michal Růžička
>            Priority: Minor
>         Attachments: CRL_checking.patch
>
>
> Currently it's possible to require client authentication during the SSL/TLS handshake by adding the {{needClientAuth=true}} query string to the respective connector URI. But it is not possible to configure revocation checking of the certificate submitted by the client.
> The attached patch adds the capability by introducing a new attribute - {{crl}} - of the {{org.apache.activemq.spring.SpringSslContext}} class and updating the {{org.apache.activemq.spring.SpringSslContext.createTrustManagers()}} method to make use of the value specified for the attribute in the corresponding {{<sslContext />}} tag as appropriate.
> The code is inspired by similar code in the Jetty web server: https://github.com/eclipse/jetty.project/blob/release-9/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L927-L965
> Please consider it for merging.



--
This message was sent by Atlassian JIRA
(v6.2#6252)