Posted to users@activemq.apache.org by Lectrismo <m....@yahoo.de> on 2016/01/14 15:14:20 UTC

Re: Configure OCSP CRL Checking

Hi Dejan,
the last few days I messed around with the config of OCSP. I've set the
following configuration in activemq.bat:

set ACTIVEMQ_SSL_OPTS="-Dcom.sun.security.enableCRLDP=true -Docsp.enable=true -Docsp.responderURL=http://my.ocspurl.example"
echo %ACTIVEMQ_SSL_OPTS%

When executing the bat file I can see that it took over my configuration
with OCSP (echo).
However, I haven't found out what activemq.bat is for. When do I have to
start activemq.bat?
Finally, after playing around, I can see OCSP requests going to my responder.

I have also revoked a certificate to test whether the client with the revoked
certificate can connect to my broker. Surprisingly, it CAN.
It seems that the broker connects to the OCSP responder URL, but does not block
the revoked client certificate.

I would appreciate it if you could do some tests too. Otherwise the feature is
useless.
Sorry for the amount of questions, but I'm new to brokers and their config.

Kind regards,
Lectrismo



--
View this message in context: http://activemq.2283324.n4.nabble.com/Configure-OCSP-CRL-Checking-tp4705089p4705987.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: Configure OCSP CRL Checking

Posted by Lectrismo <m....@yahoo.de>.
Hi folks,

as it is also interesting for other people, here is the link to the ActiveMQ
Jira:
https://issues.apache.org/jira/browse/AMQ-6118

At this point I'd like to thank Dejan for the time he spent on reviewing
this!


Kind regards,
Lectrismo

@Dejan by the way:
You gave an excellent presentation in Belgrade @voxxedDays, many greetings from
Germany



--
View this message in context: http://activemq.2283324.n4.nabble.com/Configure-OCSP-CRL-Checking-tp4705089p4711539.html

Re: Configure OCSP CRL Checking

Posted by Dejan Bosanac <de...@nighttale.net>.
Thanks. I’ll revisit it these days.

Regards
--
Dejan Bosanac
about.me/dejanb

On Mon, Feb 1, 2016 at 11:44 AM, Lectrismo <m....@yahoo.de> wrote:

Re: Configure OCSP CRL Checking

Posted by Lectrismo <m....@yahoo.de>.
Hi Dejan,

sorry for the late answer, I had a few other problems lately.
ActiveMQ has stopped connecting to my OCSP responder. I can't reproduce the
problem, nor do I know why it has stopped working. I tried to reset all the
changes I've made recently, but no luck.
You can easily reproduce my problem on the Windows distribution.
1. Just set up an ActiveMQ instance and configure an SSL connector with
"needClientAuth=true"
2. create certificates and the truststore with Java keytool
3. then add the following line to your activemq.bat:
    set ACTIVEMQ_SSL_OPTS="-Dcom.sun.security.enableCRLDP=true -Docsp.enable=true -Docsp.responderURL=http://my.ocspurl.example"
    (of course you need an OCSP responder for this)
4. start ActiveMQ with activemq-admin.bat
5. start jconsole.exe and monitor the process ID (PID) which Java opens after
the start. On the VM Summary tab you see the JVM arguments. Here you should
see the previously configured OCSP arguments too.

Meanwhile I opened AMQ-6118 on Apache Jira. Maybe you can get in touch with
Christopher L. Shannon, who already replied to me regarding this strange
behavior.


I would be happy if you could reproduce the problem too.

Greetings,
Lectrismo




--
View this message in context: http://activemq.2283324.n4.nabble.com/Configure-OCSP-CRL-Checking-tp4705089p4706716.html

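A standalone check, added here and not part of ActiveMQ or of anything posted in this thread, that builds a PKIX trust manager with an explicit PKIXRevocationChecker (Java 8 or later) in its default hard-fail mode and validates a client certificate chain against a truststore. It is a way to confirm outside the broker that a revoked client certificate is actually rejected, rather than silently accepted as described in the first post. The truststore path, password, chain file and responder URL are placeholders passed on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.EnumSet;
import javax.net.ssl.*;

public final class RevocationCheck {

    // Builds a PKIX trust manager that hard-fails on revoked or unverifiable status.
    static X509TrustManager strictTrustManager(KeyStore trustStore, URI ocspResponder) throws Exception {
        PKIXRevocationChecker checker =
            (PKIXRevocationChecker) CertPathValidator.getInstance("PKIX").getRevocationChecker();
        checker.setOcspResponder(ocspResponder);   // same role as -Docsp.responderURL
        // Empty option set: OCSP first, CRL fallback allowed, and no SOFT_FAIL,
        // so an unreachable responder or an unknown status rejects the chain.
        checker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));

        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.addCertPathChecker(checker);         // honoured regardless of setRevocationEnabled

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        return (X509TrustManager) tmf.getTrustManagers()[0];
    }

    // Returns true only if the client chain is trusted AND not revoked.
    static boolean clientAccepted(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkClientTrusted(chain, "RSA");
            return true;
        } catch (CertificateException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    // Usage (placeholder paths): java RevocationCheck truststore.jks changeit client.pem http://my.ocspurl.example
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) { ts.load(in, args[1].toCharArray()); }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(args[2])) {
            chain = cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
        System.out.println("accepted=" + clientAccepted(strictTrustManager(ts, new URI(args[3])), chain));
    }
}
```

Run it once with a valid client chain and once with the revoked one; if the revoked chain prints accepted=true, the responder is not reporting the revocation, since this trust manager does not soft-fail.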
Re: Configure OCSP CRL Checking

Posted by Dejan Bosanac <de...@nighttale.net>.
Hi Lectrismo,

that’s good news. Is there any way you can share your test environment, so
I can try to reproduce what you see?

Regards
--
Dejan Bosanac
about.me/dejanb

On Thu, Jan 14, 2016 at 3:14 PM, Lectrismo <m....@yahoo.de> wrote: