Revoking a certificate from ActiveMQ’s truststore doesn’t work.



Question


I have an instance of Apache ActiveMQ 5.16.3 with Java 8 in a Debian Docker container (Kubernetes).

It's configured to use mutual SSL in /opt/activemq/conf/activemq.xml:

        <sslContext>
            <sslContext
                keyStore="/etc/data/my-bridge-broker.ks"
                keyStorePassword="my-pass"
                trustStore="/etc/data/broker_to_client.ts"
                trustStorePassword="my-pass"
             />
        </sslContext>
        <!-- ... -->
        <transportConnectors>
            <transportConnector name="ssl" uri="ssl://0.0.0.0:61714?transport.enabledProtocols=TLSv1.2&amp;transport.needClientAuth=true"/>
        </transportConnectors>

The mutual SSL works properly, and I am able to connect from a sample Java client, using ActiveMQSslConnectionFactory providing the appropriate certificates in the truststore and keystore and passwords.

Next, while the broker was running I removed the client's certificate by its alias from the server's trust store:

    cd /etc/data
    keytool -delete -alias <client-cert-name> -keystore broker_to_client.ts -storepass my-pass

Surprisingly, the client is still able to connect. I restarted the server and the client can still connect and post messages on the queues. Any idea why? I thought the truststore defines which client certificates will be allowed?

Looking at the documentation, they recommend using a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP). They don't mention the option of removing the certificate from the truststore. Does this mean ActiveMQ doesn't use the truststore file?

Answer 1

Score: 1


If the client's certificate is issued from a trusted authority then it doesn't matter if it's in the broker's truststore. The client's certificate will still be trusted because it's from a trusted authority. The broker's truststore is only there to include certificates that come from an untrusted authority or are self-signed.

huangapple
  • Posted on 8 February 2023, 10:55:07
  • Please keep this link when reposting: https://go.coder-hub.com/75380980.html