This commit is contained in:
Dejan Bosanac 2016-04-01 13:07:09 +02:00
parent a9a1498d27
commit 993d561947
3 changed files with 32 additions and 12 deletions

View File

@ -21,6 +21,7 @@ import java.net.MalformedURLException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Arrays;
@ -93,27 +94,25 @@ public class SpringSslContext extends SslContext {
}
private Collection<TrustManager> createTrustManagers() throws Exception {
boolean ocsp = Boolean.valueOf(Security.getProperty("ocsp.enable"));
KeyStore ks = createTrustManagerKeyStore();
if( ks ==null ) {
return new ArrayList<TrustManager>(0);
}
TrustManagerFactory tmf = TrustManagerFactory.getInstance(trustStoreAlgorithm);
boolean initialized = false;
if (crlPath != null) {
if (trustStoreAlgorithm.equalsIgnoreCase("PKIX")) {
if ((ocsp || crlPath != null) && trustStoreAlgorithm.equalsIgnoreCase("PKIX")) {
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(ks, new X509CertSelector());
if (crlPath != null) {
pkixParams.setRevocationEnabled(true);
Collection<? extends CRL> crlList = loadCRL();
if (crlList != null) {
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(ks, null);
pkixParams.setRevocationEnabled(true);
pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crlList)));
tmf.init(new CertPathTrustManagerParameters(pkixParams));
initialized = true;
}
} else {
LOG.warn("Revocation checking is only supported with 'trustStoreAlgorithm=\"PKIX\"'. Ignoring CRL: " + crlPath);
}
tmf.init(new CertPathTrustManagerParameters(pkixParams));
initialized = true;
}
if (!initialized) {

View File

@ -82,8 +82,10 @@ if [ -z "$ACTIVEMQ_QUEUEMANAGERURL" ]; then
fi
# Set additional JSE arguments
#ACTIVEMQ_SSL_OPTS="-Dcom.sun.security.enableCRLDP=true -Docsp.enable=true -Docsp.responderURL=http://ocsp.example.net:80"
ACTIVEMQ_SSL_OPTS=""
if [ -z "$ACTIVEMQ_SSL_OPTS" ] ; then
#ACTIVEMQ_SSL_OPTS="-Djava.security.properties=$ACTIVEMQ_CONF/java.security"
ACTIVEMQ_SSL_OPTS=""
fi
# Uncomment to enable remote debugging
#ACTIVEMQ_DEBUG_OPTS="-Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005"

View File

@ -0,0 +1,19 @@
## ---------------------------------------------------------------------------
## Licensed to the Apache Software Foundation (ASF) under one or more
## contributor license agreements. See the NOTICE file distributed with
## this work for additional information regarding copyright ownership.
## The ASF licenses this file to You under the Apache License, Version 2.0
## (the "License"); you may not use this file except in compliance with
## the License. You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
## ---------------------------------------------------------------------------
ocsp.enable=true
ocsp.responderURL=http://ocsp.example.net:80