[
https://issues.apache.org/jira/browse/AMQ-5008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14608896#comment-14608896
]
Michal Růžička edited comment on AMQ-5008 at 6/30/15 7:15 PM:
--------------------------------------------------------------
The fix introduces a potential regression - consider this scenario:
* the {{crlPath}} is defined (i.e. not null)
* the {{trustStoreAlgorithm}} is not "PKIX"
In this scenario, the {{Revocation checking is only supported with
'trustStoreAlgorithm="PKIX"}} warning is logged and {{tmf.getTrustManagers()}}
on line 117 throws {{IllegalStateException}}.
> Support for certificate revocation checking (with patch)
> --------------------------------------------------------
>
> Key: AMQ-5008
> URL: https://issues.apache.org/jira/browse/AMQ-5008
> Project: ActiveMQ
> Issue Type: New Feature
> Components: Connector
> Reporter: Michal Růžička
> Assignee: Dejan Bosanac
> Priority: Minor
> Fix For: 5.12.0
>
> Attachments: CRL_checking.patch
>
>
> Currently it's possible to require client authentication during SSL/TLS
> handshake by adding {{needClientAuth=true}} query string to the respective
> connector URI. But it is not possible to configure revocation checking of the
> certificate submitted by the client.
> The attached patch adds the capability by introducing a new attribute -
> {{crl}} - of the {{org.apache.activemq.spring.SpringSslContext}} class and
> updating the
> {{org.apache.activemq.spring.SpringSslContext.createTrustManagers()}} method
> to make use of the value specified for the attribute in the corresponding
> {{<sslContext />}} tag as appropriate.
> The code is inspired by similar code in the Jetty web server:
> https://github.com/eclipse/jetty.project/blob/release-9/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L927-L965
> Please consider it for merging.
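The scenario in the comment can be reproduced with the JDK alone: a `TrustManagerFactory` that is never passed to `init()` throws `IllegalStateException` from `getTrustManagers()`. The following is an added example, not ActiveMQ's code or the attached patch; the class `CrlTrustManagerDemo`, the `create` helper, its `alwaysInit` flag and the CRL path are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collection;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public class CrlTrustManagerDemo {
    // Hypothetical helper modelled on the scenario in the comment; not ActiveMQ's code.
    // alwaysInit=false reproduces the reported failure, alwaysInit=true guards against it.
    static TrustManager[] create(KeyStore ks, String algorithm, String crlPath,
                                 boolean alwaysInit) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
        boolean initialized = false;
        if (crlPath != null && "PKIX".equalsIgnoreCase(algorithm)) {
            PKIXBuilderParameters params = new PKIXBuilderParameters(ks, new X509CertSelector());
            try (InputStream in = new FileInputStream(crlPath)) {
                Collection<? extends CRL> crls =
                        CertificateFactory.getInstance("X.509").generateCRLs(in);
                params.addCertStore(CertStore.getInstance("Collection",
                        new CollectionCertStoreParameters(crls)));
            }
            params.setRevocationEnabled(true);
            tmf.init(new CertPathTrustManagerParameters(params));
            initialized = true;
        } else if (crlPath != null) {
            System.err.println("WARN: revocation checking needs trustStoreAlgorithm=\"PKIX\"");
        }
        if (!initialized && (crlPath == null || alwaysInit)) {
            tmf.init(ks); // plain trust store, no revocation checking
        }
        return tmf.getTrustManagers(); // IllegalStateException if init() was never called
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // constructed empty trust store, enough to show the init path
        String crl = "/path/to/placeholder.crl"; // placeholder; never opened for SunX509
        try {
            create(ks, "SunX509", crl, false);
        } catch (IllegalStateException e) {
            System.out.println("unguarded: " + e);
        }
        System.out.println("guarded: " + create(ks, "SunX509", crl, true).length + " trust manager(s)");
    }
}
```

The guarded path keeps the connector starting but accepts client certificates without any revocation check. A deployment that depends on CRL enforcement can instead reject the configuration at startup when `crlPath` is set and the algorithm is not PKIX.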