Posted to users@activemq.apache.org by Evan Boone <ev...@drift.oslo.kommune.no> on 2022/04/29 07:20:15 UTC

ActiveMQ 5.16.1 - CRL in crlPath in sslContext is not used

Hi,

We use ActiveMQ version 5.16.1, and we are trying to add a crlPath to the sslContext in order to revoke a client certificate. However, we observed that the CRL is not used after restarting AMQ, and that it is still possible to use the certificate with the serial number in the CRL to connect to the ActiveMQ instances.

After adding the CRL, we have restarted the ActiveMQ instances, and then started the test component. We have checked that the CRL can be opened (openssl crl -in test.crl -noout -text) and contains the correct serial number. The CRL is issued by the same CA that has issued the keyStore and trustStore. There are no error messages in the log related to CRL or sslContext.

sslContext:

<sslContext>
    <sslContext keyStore="file:${activemq.base}/conf/broker.p12"
                keyStorePassword="password"
                keyStoreType="PKCS12"
                trustStoreType="PKCS12"
                trustStore="file:${activemq.base}/conf/broker.p12"
                trustStoreAlgorithm="PKIX"
                trustStorePassword="password"
                crlPath="file:${activemq.base}/conf/test.crl"
    />
</sslContext>

On the client side we have:

spring:
  activemq:
    broker-url: failover:(ssl://<broker1>:61616,ssl://<broker2>:61616)
    ssl:
      keyStore: component_client.p12
      keyStorePassword: password
      trustStore: component_client.p12
      trustStorePassword: password
      keyPassword: password

Kind regards
Evan Boone
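As an added diagnostic (example code, not from the original post and not ActiveMQ's own implementation): the check below builds the same kind of PKIX trust manager that a trust store plus CRL is expected to produce, with revocation checking switched on, and asks it to validate a client certificate outside the broker. It lets you confirm that the CRL and trust store combination rejects the revoked serial at all before looking at the broker configuration. File paths, the password and the client certificate file are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;
import javax.net.ssl.*;

public class CrlCheck {
    // Build a PKIX X509TrustManager over the trust store with revocation enabled and the CRL supplied
    // as a CertStore. Note: PKIXBuilderParameters takes only trusted-certificate entries from the
    // store, not private-key entries, so the CA certificate must be present as a trusted entry.
    static X509TrustManager buildPkixTrustManager(String trustStorePath, char[] password,
                                                  String crlPath) throws Exception {
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStorePath)) { trust.load(in, password); }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509CRL crl;
        try (InputStream in = new FileInputStream(crlPath)) { crl = (X509CRL) cf.generateCRL(in); }

        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trust, new X509CertSelector());
        pkix.setRevocationEnabled(true); // without this the CRL is never consulted
        pkix.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(crl))));

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // True when the client chain is rejected (revoked, expired or not chained to the trust store).
    static boolean isRejected(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkClientTrusted(chain, "RSA");
            return false;
        } catch (CertificateException e) {
            System.out.println("rejected: " + e.getMessage()); // reason, e.g. "Certificate has been revoked"
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical file names and password; point these at the broker's own files.
        X509TrustManager tm = buildPkixTrustManager("conf/broker.p12", "password".toCharArray(), "conf/test.crl");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate client;
        try (InputStream in = new FileInputStream("component_client.crt")) {
            client = (X509Certificate) cf.generateCertificate(in);
        }
        System.out.println("serial " + client.getSerialNumber().toString(16)
                + " rejected=" + isRejected(tm, new X509Certificate[]{client}));
    }
}
```

If this standalone check reports the certificate as rejected while the broker still accepts it, the CRL itself is fine and the problem lies in how the broker loads it; if the check accepts the certificate, compare the printed serial with the one listed by openssl.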