https://issues.apache.org/jira/browse/AMQ-6118 - CRL Checking via OCSP

activemq-spring/src/main/java/org/apache/activemq/spring/SpringSslContext.java

@@ -21,6 +21,7 @@ import java.net.MalformedURLException;
 import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.security.Security;
 import java.security.cert.*;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -93,27 +94,25 @@ public class SpringSslContext extends SslContext {
     }
 
     private Collection<TrustManager> createTrustManagers() throws Exception {
+        boolean ocsp = Boolean.valueOf(Security.getProperty("ocsp.enable"));
+
         KeyStore ks = createTrustManagerKeyStore();
         if( ks ==null ) {
             return new ArrayList<TrustManager>(0);
         }
         TrustManagerFactory tmf  = TrustManagerFactory.getInstance(trustStoreAlgorithm);
         boolean initialized = false;
-        if (crlPath != null) {
-            if (trustStoreAlgorithm.equalsIgnoreCase("PKIX")) {
+        if ((ocsp || crlPath != null) && trustStoreAlgorithm.equalsIgnoreCase("PKIX")) {
+            PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(ks, new X509CertSelector());
+            if (crlPath != null) {
+                pkixParams.setRevocationEnabled(true);
                 Collection<? extends CRL> crlList = loadCRL();
-
                 if (crlList != null) {
-                    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(ks, null);
-                    pkixParams.setRevocationEnabled(true);
                     pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crlList)));
-                    tmf.init(new CertPathTrustManagerParameters(pkixParams));
-                    initialized = true;
                 }
-
-            } else {
-                LOG.warn("Revocation checking is only supported with 'trustStoreAlgorithm=\"PKIX\"'. Ignoring CRL: " + crlPath);
             }
+            tmf.init(new CertPathTrustManagerParameters(pkixParams));
+            initialized = true;
         }
 
         if (!initialized) {

assembly/src/release/bin/env

@@ -82,8 +82,10 @@ if [ -z "$ACTIVEMQ_QUEUEMANAGERURL" ]; then
 fi
 
 # Set additional JSE arguments
-#ACTIVEMQ_SSL_OPTS="-Dcom.sun.security.enableCRLDP=true -Docsp.enable=true -Docsp.responderURL=http://ocsp.example.net:80"
-ACTIVEMQ_SSL_OPTS=""
+if [ -z "$ACTIVEMQ_SSL_OPTS" ] ; then
+    #ACTIVEMQ_SSL_OPTS="-Djava.security.properties=$ACTIVEMQ_CONF/java.security"
+    ACTIVEMQ_SSL_OPTS=""
+fi
 
 # Uncomment to enable remote debugging
 #ACTIVEMQ_DEBUG_OPTS="-Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005"

assembly/src/release/conf/java.security

@@ -0,0 +1,19 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+ocsp.enable=true
+ocsp.responderURL=http://ocsp.example.net:80