[
https://issues.apache.org/jira/browse/ARTEMIS-3367?focusedWorklogId=633362&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-633362
]
ASF GitHub Bot logged work on ARTEMIS-3367:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 04/Aug/21 08:33
Start Date: 04/Aug/21 08:33
Worklog Time Spent: 10m
Work Description: gemmellr commented on a change in pull request #3667:
URL: https://github.com/apache/activemq-artemis/pull/3667#discussion_r682406071
##########
File path: tests/security-resources/build.sh
##########
@@ -0,0 +1,156 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# The various SSL stores and certificates were created with the following
commands:
+# Requires use of JDK 8+ keytool command.
+set -e
+
+KEY_PASS=securepass
+STORE_PASS=securepass
+CA_VALIDITY=365000
+VALIDITY=36500
+
+# Clean up existing files
+# -----------------------
+rm -f *.crt *.csr openssl-* *.jceks *.jks *.p12 *.pem
+
+# Create a key and self-signed certificate for the CA, to sign server
certificate requests and use for trust:
+#
----------------------------------------------------------------------------------------------------
+keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass
$STORE_PASS -keypass $KEY_PASS -alias server-ca -genkey -keyalg "RSA" -keysize
2048 -dname "CN=ActiveMQ Artemis Server Certification Authority, OU=Artemis,
O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true
+keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass
$STORE_PASS -alias server-ca -exportcert -rfc > server-ca.crt
+openssl pkcs12 -in server-ca-keystore.p12 -nodes -nocerts -out server-ca.pem
-password pass:$STORE_PASS
+
+# Create trust store with the server CA cert:
+# -------------------------------------------------------
+keytool -storetype pkcs12 -keystore server-ca-truststore.p12 -storepass
$STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt
-noprompt
+keytool -importkeystore -srckeystore server-ca-truststore.p12 -destkeystore
server-ca-truststore.jceks -srcstoretype pkcs12 -deststoretype jceks
-srcstorepass securepass -deststorepass securepass
+keytool -importkeystore -srckeystore server-ca-truststore.p12 -destkeystore
server-ca-truststore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass
securepass -deststorepass securepass
+
+# Create a key pair for the server, and sign it with the CA:
+# ----------------------------------------------------------
+keytool -storetype pkcs12 -keystore server-keystore.p12 -storepass $STORE_PASS
-keypass $KEY_PASS -alias server -genkey -keyalg "RSA" -keysize 2048 -dname
"CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ"
-validity $VALIDITY -ext bc=ca:false -ext eku=sA -ext
san=dns:localhost,ip:127.0.0.1
+
+keytool -storetype pkcs12 -keystore server-keystore.p12 -storepass $STORE_PASS
-alias server -certreq -file server.csr
+keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass
$STORE_PASS -alias server-ca -gencert -rfc -infile server.csr -outfile
server.crt -validity $VALIDITY -ext bc=ca:false -ext
san=dns:localhost,ip:127.0.0.1
+
+keytool -storetype pkcs12 -keystore server-keystore.p12 -storepass $STORE_PASS
-keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt
+keytool -storetype pkcs12 -keystore server-keystore.p12 -storepass $STORE_PASS
-keypass $KEY_PASS -importcert -alias server -file server.crt
+
+keytool -importkeystore -srckeystore server-keystore.p12 -destkeystore
server-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks -srcstorepass
securepass -deststorepass securepass
+keytool -importkeystore -srckeystore server-keystore.p12 -destkeystore
server-keystore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass
securepass -deststorepass securepass
+
+# Create a key pair for the other server, and sign it with the CA:
+# ----------------------------------------------------------
+keytool -storetype pkcs12 -keystore other-server-keystore.p12 -storepass
$STORE_PASS -keypass $KEY_PASS -alias other-server -genkey -keyalg "RSA"
-keysize 2048 -dname "CN=ActiveMQ Artemis Other Server, OU=Artemis, O=ActiveMQ,
L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext
san=dns:localhost,ip:127.0.0.1
+
+keytool -storetype pkcs12 -keystore other-server-keystore.p12 -storepass
$STORE_PASS -alias other-server -certreq -file other-server.csr
+keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass
$STORE_PASS -alias server-ca -gencert -rfc -infile other-server.csr -outfile
other-server.crt -validity $VALIDITY -ext bc=ca:false -ext eku=sA -ext
san=dns:localhost,ip:127.0.0.1
+
+keytool -storetype pkcs12 -keystore other-server-keystore.p12 -storepass
$STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt
-noprompt
+keytool -storetype pkcs12 -keystore other-server-keystore.p12 -storepass
$STORE_PASS -keypass $KEY_PASS -importcert -alias other-server -file
other-server.crt
+
+keytool -importkeystore -srckeystore other-server-keystore.p12 -destkeystore
other-server-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks
-srcstorepass securepass -deststorepass securepass
+keytool -importkeystore -srckeystore other-server-keystore.p12 -destkeystore
other-server-keystore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass
securepass -deststorepass securepass
+
+# Create trust store with the other server cert:
+# -------------------------------------------------------
+keytool -storetype pkcs12 -keystore other-server-truststore.p12 -storepass
$STORE_PASS -keypass $KEY_PASS -importcert -alias other-server -file
other-server.crt -noprompt
+keytool -importkeystore -srckeystore other-server-truststore.p12 -destkeystore
other-server-truststore.jceks -srcstoretype pkcs12 -deststoretype jceks
-srcstorepass securepass -deststorepass securepass
+keytool -importkeystore -srckeystore other-server-truststore.p12 -destkeystore
other-server-truststore.jks -srcstoretype pkcs12 -deststoretype jks
-srcstorepass securepass -deststorepass securepass
+
+# Create crl with the other server cert:
+# -------------------------------------------------------
+> openssl-database
+echo 00 > openssl-crlnumber
+openssl ca -config openssl.conf -revoke other-server.crt -keyfile
server-ca.pem -cert server-ca.crt
+openssl ca -config openssl.conf -gencrl -keyfile server-ca.pem -cert
server-ca.crt -out other-server-crl.pem -crldays $VALIDITY
+
+# Create a key pair for the broker with an unexpected hostname, and sign it
with the CA:
+#
--------------------------------------------------------------------------------------
+keytool -storetype pkcs12 -keystore unknown-server-keystore.p12 -storepass
$STORE_PASS -keypass $KEY_PASS -alias unknown-server -genkey -keyalg "RSA"
-keysize 2048 -dname "CN=ActiveMQ Artemis Unknown Server, OU=Artemis,
O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext
eku=sA
+
+keytool -storetype pkcs12 -keystore unknown-server-keystore.p12 -storepass
$STORE_PASS -alias unknown-server -certreq -file unknown-server.csr
+keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass
$STORE_PASS -alias server-ca -gencert -rfc -infile unknown-server.csr -outfile
unknown-server.crt -validity $VALIDITY -ext bc=ca:false -ext eku=sA
+
+keytool -storetype pkcs12 -keystore unknown-server-keystore.p12 -storepass
$STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt
-noprompt
+keytool -storetype pkcs12 -keystore unknown-server-keystore.p12 -storepass
$STORE_PASS -keypass $KEY_PASS -importcert -alias unknown-server -file
unknown-server.crt
+
+keytool -importkeystore -srckeystore unknown-server-keystore.p12 -destkeystore
unknown-server-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks
-srcstorepass securepass -deststorepass securepass
+keytool -importkeystore -srckeystore unknown-server-keystore.p12 -destkeystore
unknown-server-keystore.jks -srcstoretype pkcs12 -deststoretype jks
-srcstorepass securepass -deststorepass securepass
+
+# Create a key and self-signed certificate for the CA, to sign client
certificate requests and use for trust:
+#
----------------------------------------------------------------------------------------------------
+keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass
$STORE_PASS -keypass $KEY_PASS -alias client-ca -genkey -keyalg "RSA" -keysize
2048 -dname "CN=ActiveMQ Artemis Client Certification Authority, OU=Artemis,
O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true
+keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass
$STORE_PASS -alias client-ca -exportcert -rfc > client-ca.crt
+openssl pkcs12 -in client-ca-keystore.p12 -nodes -nocerts -out client-ca.pem
-password pass:$STORE_PASS
+
+# Create trust store with the client CA cert:
+# -------------------------------------------------------
+keytool -storetype pkcs12 -keystore client-ca-truststore.p12 -storepass
$STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt
-noprompt
+keytool -importkeystore -srckeystore client-ca-truststore.p12 -destkeystore
client-ca-truststore.jceks -srcstoretype pkcs12 -deststoretype jceks
-srcstorepass securepass -deststorepass securepass
+keytool -importkeystore -srckeystore client-ca-truststore.p12 -destkeystore
client-ca-truststore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass
securepass -deststorepass securepass
+
+# Create a key pair for the client, and sign it with the CA:
+# ----------------------------------------------------------
+keytool -storetype pkcs12 -keystore client-keystore.p12 -storepass $STORE_PASS
-keypass $KEY_PASS -alias client -genkey -keyalg "RSA" -keysize 2048 -dname
"CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ"
-validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext
san=dns:localhost,ip:127.0.0.1
+
+keytool -storetype pkcs12 -keystore client-keystore.p12 -storepass $STORE_PASS
-alias client -certreq -file client.csr
+keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass
$STORE_PASS -alias client-ca -gencert -rfc -infile client.csr -outfile
client.crt -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext
san=dns:localhost,ip:127.0.0.1
+
+keytool -storetype pkcs12 -keystore client-keystore.p12 -storepass $STORE_PASS
-keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt
+keytool -storetype pkcs12 -keystore client-keystore.p12 -storepass $STORE_PASS
-keypass $KEY_PASS -importcert -alias client -file client.crt
+
+keytool -importkeystore -srckeystore client-keystore.p12 -destkeystore
client-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks -srcstorepass
securepass -deststorepass securepass
+keytool -importkeystore -srckeystore client-keystore.p12 -destkeystore
client-keystore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass
securepass -deststorepass securepass
+
+# Create a key pair for the other client, and sign it with the CA:
+# ----------------------------------------------------------
+keytool -storetype pkcs12 -keystore other-client-keystore.p12 -storepass
$STORE_PASS -keypass $KEY_PASS -alias other-client -genkey -keyalg "RSA"
-keysize 2048 -dname "CN=ActiveMQ Artemis Other Client, OU=Artemis, O=ActiveMQ,
L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext
san=dns:localhost,ip:127.0.0.1
+
+keytool -storetype pkcs12 -keystore other-client-keystore.p12 -storepass
$STORE_PASS -alias other-client -certreq -file other-client.csr
+keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass
$STORE_PASS -alias client-ca -gencert -rfc -infile other-client.csr -outfile
other-client.crt -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext
san=dns:localhost,ip:127.0.0.1
+
+keytool -storetype pkcs12 -keystore other-client-keystore.p12 -storepass
$STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt
-noprompt
+keytool -storetype pkcs12 -keystore other-client-keystore.p12 -storepass
$STORE_PASS -keypass $KEY_PASS -importcert -alias other-client -file
other-client.crt
+
+keytool -importkeystore -srckeystore other-client-keystore.p12 -destkeystore
other-client-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks
-srcstorepass securepass -deststorepass securepass
+keytool -importkeystore -srckeystore other-client-keystore.p12 -destkeystore
other-client-keystore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass
securepass -deststorepass securepass
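Review bot: the server certificate is issued without the serverAuth EKU that the other two server certificates get. The `-alias server -genkey` command requests `-ext eku=sA` in the key pair, but the `-gencert` that signs `server.csr` passes only `-ext bc=ca:false -ext san=dns:localhost,ip:127.0.0.1`, whereas the `-gencert` calls for `other-server.csr` and `unknown-server.csr` both include `-ext eku=sA`. keytool's `-gencert` does not carry extensions over from the request unless told to (`-ext honored=...`), so `server.crt` will lack the EKU the other certificates have; add `-ext eku=sA` to that `-gencert` line so the three server certs are consistent. Separately, every `-importkeystore` conversion hard-codes `-srcstorepass securepass -deststorepass securepass` while the rest of the script uses `$STORE_PASS`/`$KEY_PASS`; use the variables there too, otherwise changing the value at the top of the script silently breaks the .jks/.jceks copies.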
Review comment:
I would actually change the tests then, there's basically no need to run
all those combinations. If the full suite wasted a little less time where
easily possible (like here), it might not take so ridiculously long to run that
important changes are made without running them (as clearly just happened on
another PR).
Files can be added later when they are actually needed, no need to keep
around unused files. Though again, I see no reason the fully-unused ones would
ever actually be needed, using them implies time wasting. However, being able
to easily regenerate things when needed is part of the argument to use a script
to create them (though this case is so trivial you wouldn't even need to
regenerate the rest, you could import the same keys to the new store with the
command being added to the script).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 633362)
Time Spent: 2h 40m (was: 2.5h)
> The verifyHost parameter default value should be changed
> --------------------------------------------------------
>
> Key: ARTEMIS-3367
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3367
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Configuration
> Affects Versions: 2.17.0
> Reporter: Emmanuel Hugonnet
> Assignee: Domenico Francesco Bruscino
> Priority: Major
> Time Spent: 2h 40m
> Remaining Estimate: 0h
>
> Currently the acceptor/connector *verifyHost* parameter is set to 'false' by
> default. We should provide a better out of the box experience by setting it
> to true by default for connectors.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)