Posted to commits@activemq.apache.org by de...@apache.org on 2016/04/01 13:07:25 UTC
activemq git commit: https://issues.apache.org/jira/browse/AMQ-6118 -
CRL Checking via OCSP
Repository: activemq
Updated Branches:
refs/heads/master a9a1498d2 -> 993d56194
https://issues.apache.org/jira/browse/AMQ-6118 - CRL Checking via OCSP
Project: http://git-wip-us.apache.org/repos/asf/activemq/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq/commit/993d5619
Tree: http://git-wip-us.apache.org/repos/asf/activemq/tree/993d5619
Diff: http://git-wip-us.apache.org/repos/asf/activemq/diff/993d5619
Branch: refs/heads/master
Commit: 993d561947cd92aee879d34e77ee36c2cfb175a7
Parents: a9a1498
Author: Dejan Bosanac <de...@nighttale.net>
Authored: Fri Apr 1 13:07:09 2016 +0200
Committer: Dejan Bosanac <de...@nighttale.net>
Committed: Fri Apr 1 13:07:17 2016 +0200
----------------------------------------------------------------------
.../apache/activemq/spring/SpringSslContext.java | 19 +++++++++----------
assembly/src/release/bin/env | 6 ++++--
assembly/src/release/conf/java.security | 19 +++++++++++++++++++
3 files changed, 32 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/activemq/blob/993d5619/activemq-spring/src/main/java/org/apache/activemq/spring/SpringSslContext.java
----------------------------------------------------------------------
diff --git a/activemq-spring/src/main/java/org/apache/activemq/spring/SpringSslContext.java b/activemq-spring/src/main/java/org/apache/activemq/spring/SpringSslContext.java
index 57cc1d7..42b7a15 100644
--- a/activemq-spring/src/main/java/org/apache/activemq/spring/SpringSslContext.java
+++ b/activemq-spring/src/main/java/org/apache/activemq/spring/SpringSslContext.java
@@ -21,6 +21,7 @@ import java.net.MalformedURLException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
+import java.security.Security;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Arrays;
@@ -93,27 +94,25 @@ public class SpringSslContext extends SslContext {
}
private Collection<TrustManager> createTrustManagers() throws Exception {
+ boolean ocsp = Boolean.valueOf(Security.getProperty("ocsp.enable"));
+
KeyStore ks = createTrustManagerKeyStore();
if( ks ==null ) {
return new ArrayList<TrustManager>(0);
}
TrustManagerFactory tmf = TrustManagerFactory.getInstance(trustStoreAlgorithm);
boolean initialized = false;
- if (crlPath != null) {
- if (trustStoreAlgorithm.equalsIgnoreCase("PKIX")) {
+ if ((ocsp || crlPath != null) && trustStoreAlgorithm.equalsIgnoreCase("PKIX")) {
+ PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(ks, new X509CertSelector());
+ if (crlPath != null) {
+ pkixParams.setRevocationEnabled(true);
Collection<? extends CRL> crlList = loadCRL();
-
if (crlList != null) {
- PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(ks, null);
- pkixParams.setRevocationEnabled(true);
pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crlList)));
- tmf.init(new CertPathTrustManagerParameters(pkixParams));
- initialized = true;
}
-
- } else {
- LOG.warn("Revocation checking is only supported with 'trustStoreAlgorithm=\"PKIX\"'. Ignoring CRL: " + crlPath);
}
+ tmf.init(new CertPathTrustManagerParameters(pkixParams));
+ initialized = true;
}
if (!initialized) {
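Review bot: The non-PKIX warning carried by the removed `LOG.warn(...)` line is gone, so when `crlPath` is set (or `ocsp.enable=true`) but `trustStoreAlgorithm` is not PKIX, the new `if ((ocsp || crlPath != null) && trustStoreAlgorithm.equalsIgnoreCase("PKIX"))` is simply false and the code falls through to the default, revocation-free initialization with no log at all — an operator who configured revocation checking gets none and is never told. Restore it as an else branch: `} else if (ocsp || crlPath != null) {` / `LOG.warn("Revocation checking is only supported with 'trustStoreAlgorithm=\"PKIX\"'. Ignoring OCSP/CRL settings (crlPath=" + crlPath + ")");` / `}`. Two implicit behaviors also deserve a comment: the OCSP-only path (no `crlPath`) relies on `PKIXBuilderParameters` defaulting revocation to enabled, so an explicit `pkixParams.setRevocationEnabled(true);` hoisted above `if (crlPath != null)` would make the intent visible; and because `setRevocationEnabled(true)` now precedes `loadCRL()`, a null CRL list no longer falls back to the default trust manager but leaves revocation on with no CertStore, which presumably fails path validation closed unless OCSP or CRLDP supplies status — `// revocation stays enabled even if no CRL loads: fails closed unless OCSP/CRLDP provides status` would record that this is intended. The remainder of createTrustManagers, including the `if (!initialized)` fallback, lies outside the hunk.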
http://git-wip-us.apache.org/repos/asf/activemq/blob/993d5619/assembly/src/release/bin/env
----------------------------------------------------------------------
diff --git a/assembly/src/release/bin/env b/assembly/src/release/bin/env
index e467d7d..2b8431d 100644
--- a/assembly/src/release/bin/env
+++ b/assembly/src/release/bin/env
@@ -82,8 +82,10 @@ if [ -z "$ACTIVEMQ_QUEUEMANAGERURL" ]; then
fi
# Set additional JSE arguments
-#ACTIVEMQ_SSL_OPTS="-Dcom.sun.security.enableCRLDP=true -Docsp.enable=true -Docsp.responderURL=http://ocsp.example.net:80"
-ACTIVEMQ_SSL_OPTS=""
+if [ -z "$ACTIVEMQ_SSL_OPTS" ] ; then
+ #ACTIVEMQ_SSL_OPTS="-Djava.security.properties=$ACTIVEMQ_CONF/java.security"
+ ACTIVEMQ_SSL_OPTS=""
+fi
# Uncomment to enable remote debugging
#ACTIVEMQ_DEBUG_OPTS="-Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005"
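Review bot: The new commented `-Djava.security.properties=$ACTIVEMQ_CONF/java.security` line has two undocumented preconditions that matter for whether revocation checking actually happens: it only takes effect when the JDK's master `java.security` has `security.overridePropertiesFile=true` (the default), and a single `=` merges the file over the master while `==` would replace it entirely. The removed line's `-Docsp.enable=true` form is the trap here — `ocsp.enable` is a Java Security property read via `Security.getProperty`, not a `-D` system property, so an operator who keeps the old style gets OCSP silently disabled; a comment above the line would prevent that: `# ocsp.* are Java Security properties, not -D system properties: load them from a properties file (needs security.overridePropertiesFile=true in the JDK's java.security)`. The line also presumes `$ACTIVEMQ_CONF` is set earlier in env, which is outside the hunk.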
http://git-wip-us.apache.org/repos/asf/activemq/blob/993d5619/assembly/src/release/conf/java.security
----------------------------------------------------------------------
diff --git a/assembly/src/release/conf/java.security b/assembly/src/release/conf/java.security
new file mode 100644
index 0000000..86a0fd1
--- /dev/null
+++ b/assembly/src/release/conf/java.security
@@ -0,0 +1,19 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements. See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License. You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+ocsp.enable=true
+ocsp.responderURL=http://ocsp.example.net:80
\ No newline at end of file
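Review bot: This shipped configuration turns OCSP on against a placeholder responder, `ocsp.responderURL=http://ocsp.example.net:80`, so anyone who enables the env line without editing the file directs every TLS handshake's revocation check to a non-existent host, and with PKIX revocation enabled that presumably fails the handshake rather than degrading. Comment the responder line out by default and document it: `# ocsp.responderURL overrides the responder in the certificate's AIA extension; set it only if your certificates carry no AIA URL, otherwise leave it unset so the AIA responder is used`. Plain `http://` is the normal transport for OCSP because responses are signed, which is worth stating in a comment (`# http is expected here: OCSP responses are signed, so TLS to the responder is not required`) so it is not later "fixed" to https. The file also lacks a trailing newline.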