Repository: activemq Updated Branches: refs/heads/master b488df694 -> 69fad2a13
Add support for hostname verification Project: http://git-wip-us.apache.org/repos/asf/activemq/repo Commit: http://git-wip-us.apache.org/repos/asf/activemq/commit/69fad2a1 Tree: http://git-wip-us.apache.org/repos/asf/activemq/tree/69fad2a1 Diff: http://git-wip-us.apache.org/repos/asf/activemq/diff/69fad2a1 Branch: refs/heads/master Commit: 69fad2a135689f6c31fbada1c397f2e0dfd90d3c Parents: b488df6 Author: Christopher L. Shannon (cshannon) <christopher.l.shan...@gmail.com> Authored: Tue Aug 21 09:05:42 2018 -0400 Committer: Christopher L. Shannon (cshannon) <christopher.l.shan...@gmail.com> Committed: Fri Aug 31 06:39:49 2018 -0400 ---------------------------------------------------------------------- .../transport/amqp/AmqpTestSupport.java | 4 +- .../amqp/auto/JMSClientAutoSslAuthTest.java | 2 +- .../transport/nio/AutoInitNioSSLTransport.java | 7 ++++ .../activemq/transport/nio/NIOSSLTransport.java | 16 ++++++++ .../activemq/transport/tcp/SslTransport.java | 40 ++++++++++++++++++++ .../transport/tcp/SslTransportServer.java | 2 + .../activemq/transport/tcp/TcpTransport.java | 3 +- .../transport/tcp/TcpTransportServer.java | 13 +++++++ .../mqtt/auto/MQTTAutoSslAuthTest.java | 2 +- .../transport/stomp/StompSslAuthTest.java | 6 +-- .../stomp/auto/StompAutoSslAuthTest.java | 2 +- .../org/apache/activemq/bugs/AMQ4126Test.java | 2 +- .../org/apache/activemq/bugs/AMQ6599Test.java | 2 +- .../network/NetworkReconnectSslNioTest.java | 4 +- .../transport/auto/AutoSslAuthTest.java | 4 +- .../auto/AutoTransportConnectionsTest.java | 6 +++ .../activemq/transport/nio/NIOSSLBasicTest.java | 33 ++++++++++++---- .../activemq/transport/nio/NIOSSLLoadTest.java | 3 +- .../transport/nio/NIOSSLWindowSizeTest.java | 20 +++++----- .../transport/tcp/SslTransportFactoryTest.java | 8 ++++ ...InconsistentConnectorPropertiesBehaviour.xml | 12 +++--- .../bugs/amq4126/JaasStompSSLBroker.xml | 8 ++-- .../JaasDualAuthenticationNetworkBridge.xml | 2 +- ...aasDualAuthenticationNetworkBridgeNioSsl.xml | 
2 +- 24 files changed, 157 insertions(+), 46 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/AmqpTestSupport.java ---------------------------------------------------------------------- diff --git a/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/AmqpTestSupport.java b/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/AmqpTestSupport.java index 69d1998..8fb26f2 100644 --- a/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/AmqpTestSupport.java +++ b/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/AmqpTestSupport.java @@ -185,7 +185,7 @@ public class AmqpTestSupport { } if (isUseSslConnector()) { connector = brokerService.addConnector( - "amqp+ssl://0.0.0.0:" + amqpSslPort + "?transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig()); + "amqp+ssl://0.0.0.0:" + amqpSslPort + "?transport.verifyHostName=false&transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig()); amqpSslPort = connector.getConnectUri().getPort(); amqpSslURI = connector.getPublishableConnectURI(); LOG.debug("Using amqp+ssl port " + amqpSslPort); 
@@ -199,7 +199,7 @@ public class AmqpTestSupport { } if (isUseNioPlusSslConnector()) { connector = brokerService.addConnector( - "amqp+nio+ssl://0.0.0.0:" + amqpNioPlusSslPort + "?transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig()); + "amqp+nio+ssl://0.0.0.0:" + amqpNioPlusSslPort + "?transport.verifyHostName=false&transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig()); amqpNioPlusSslPort = connector.getConnectUri().getPort(); amqpNioPlusSslURI = connector.getPublishableConnectURI(); LOG.debug("Using amqp+nio+ssl port " + amqpNioPlusSslPort); http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/auto/JMSClientAutoSslAuthTest.java ---------------------------------------------------------------------- diff --git a/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/auto/JMSClientAutoSslAuthTest.java b/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/auto/JMSClientAutoSslAuthTest.java index 40c1eb3..d611ee6 100644 --- a/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/auto/JMSClientAutoSslAuthTest.java +++ b/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/auto/JMSClientAutoSslAuthTest.java @@ -79,7 +79,7 @@ public class JMSClientAutoSslAuthTest extends JMSClientTestSupport { @Override protected String getAdditionalConfig() { - return "?transport.needClientAuth=true"; + return "?transport.needClientAuth=true&transport.verifyHostName=false"; } http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-broker/src/main/java/org/apache/activemq/transport/nio/AutoInitNioSSLTransport.java ---------------------------------------------------------------------- 
diff --git a/activemq-broker/src/main/java/org/apache/activemq/transport/nio/AutoInitNioSSLTransport.java b/activemq-broker/src/main/java/org/apache/activemq/transport/nio/AutoInitNioSSLTransport.java index 449c7ae..9301b65 100644 --- a/activemq-broker/src/main/java/org/apache/activemq/transport/nio/AutoInitNioSSLTransport.java +++ b/activemq-broker/src/main/java/org/apache/activemq/transport/nio/AutoInitNioSSLTransport.java @@ -30,6 +30,7 @@ import javax.net.SocketFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngineResult; +import javax.net.ssl.SSLParameters; import org.apache.activemq.thread.TaskRunnerFactory; import org.apache.activemq.util.IOExceptionSupport; @@ -89,6 +90,12 @@ public class AutoInitNioSSLTransport extends NIOSSLTransport { sslEngine = sslContext.createSSLEngine(); } + if (verifyHostName) { + SSLParameters sslParams = new SSLParameters(); + sslParams.setEndpointIdentificationAlgorithm("HTTPS"); + sslEngine.setSSLParameters(sslParams); + } + sslEngine.setUseClientMode(false); if (enabledCipherSuites != null) { sslEngine.setEnabledCipherSuites(enabledCipherSuites); http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-client/src/main/java/org/apache/activemq/transport/nio/NIOSSLTransport.java ---------------------------------------------------------------------- diff --git a/activemq-client/src/main/java/org/apache/activemq/transport/nio/NIOSSLTransport.java b/activemq-client/src/main/java/org/apache/activemq/transport/nio/NIOSSLTransport.java index 64e96be..74aa342 100644 --- a/activemq-client/src/main/java/org/apache/activemq/transport/nio/NIOSSLTransport.java +++ b/activemq-client/src/main/java/org/apache/activemq/transport/nio/NIOSSLTransport.java 
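Review bot: The `new SSLParameters()` handed to `sslEngine.setSSLParameters(sslParams)` carries needClientAuth/wantClientAuth as false, and `SSLEngine.setSSLParameters` applies those flags, so whenever verifyHostName is true any client-auth setting already on the engine is reset; if `setNeedClientAuth` runs before this block (its position is outside the hunk), the needClientAuth option is silently lost. Start from the engine's current parameters instead: `SSLParameters sslParams = sslEngine.getSSLParameters();`. The same fresh-`SSLParameters` pattern is added in NIOSSLTransport, SslTransport.initialiseSocket and the TcpTransportServer hunk of this commit and should use `getSSLParameters()` there as well. Since `setUseClientMode(false)` follows and the engine is created by `createSSLEngine()` with no peer host, a short comment stating what identity the accept side is expected to check the client certificate against would help readers; the enclosing method starts and ends outside the hunk.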
@@ -36,6 +36,7 @@ import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngineResult; import javax.net.ssl.SSLEngineResult.HandshakeStatus; +import javax.net.ssl.SSLParameters; import javax.net.ssl.SSLPeerUnverifiedException; import javax.net.ssl.SSLSession; @@ -56,6 +57,7 @@ public class NIOSSLTransport extends NIOTransport { protected boolean wantClientAuth; protected String[] enabledCipherSuites; protected String[] enabledProtocols; + protected boolean verifyHostName = true; protected SSLContext sslContext; protected SSLEngine sslEngine; @@ -119,6 +121,12 @@ public class NIOSSLTransport extends NIOTransport { sslEngine = sslContext.createSSLEngine(); } + if (verifyHostName) { + SSLParameters sslParams = new SSLParameters(); + sslParams.setEndpointIdentificationAlgorithm("HTTPS"); + sslEngine.setSSLParameters(sslParams); + } + sslEngine.setUseClientMode(false); if (enabledCipherSuites != null) { sslEngine.setEnabledCipherSuites(enabledCipherSuites); @@ -543,4 +551,12 @@ public class NIOSSLTransport extends NIOTransport { public void setEnabledProtocols(String[] enabledProtocols) { this.enabledProtocols = enabledProtocols; } + + public boolean isVerifyHostName() { + return verifyHostName; + } + + public void setVerifyHostName(boolean verifyHostName) { + this.verifyHostName = verifyHostName; + } } http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java ---------------------------------------------------------------------- diff --git a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java index 0c2fab9..91ba42c 100644 --- a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java +++ b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java 
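Review bot: `verifyHostName` defaults to true and is exposed through `setVerifyHostName`, so existing nio+ssl peers whose certificates do not match the peer name will start failing the handshake after an upgrade, yet neither the field nor the accessors document that. Add Javadoc on the setter along the lines of `/** Enables HTTPS-style endpoint identification on the SSLEngine; defaults to true, so a peer certificate that does not match the host name is rejected unless this is set to false. */`. Presumably the setter only takes effect before the engine is initialised, which is worth stating if that is the intended contract.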
@@ -17,11 +17,14 @@ package org.apache.activemq.transport.tcp; import java.io.IOException; +import java.net.Socket; +import java.net.SocketException; import java.net.URI; import java.net.UnknownHostException; import java.security.cert.X509Certificate; import java.util.HashMap; +import javax.net.ssl.SSLParameters; import javax.net.ssl.SSLPeerUnverifiedException; import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSocket; @@ -43,6 +46,8 @@ import org.apache.activemq.wireformat.WireFormat; */ public class SslTransport extends TcpTransport { + private Boolean verifyHostName = null; + /** * Connect to a remote node such as a Broker. * 
@@ -73,6 +78,37 @@ public class SslTransport extends TcpTransport { } } + @Override + protected void initialiseSocket(Socket sock) throws SocketException, IllegalArgumentException { + //This needs to default to null because this transport class is used for both a server transport + //and a client connection and if we default it to a value it might override the transport server setting + //that was configured inside TcpTransportServer + + //The idea here is that if this is a server transport then verifyHostName will be set by the setter + //below and not be null (if using transport.verifyHostName) but if a client uses socket.verifyHostName + //then it will be null and we can check socketOptions + + //Unfortunately we have to do this to stay consistent because every other SSL option on the client + //side is configured using socket. but this particular option isn't actually part of the socket + //so it makes it tricky + if (verifyHostName == null) { + if (socketOptions != null && socketOptions.containsKey("verifyHostName")) { + verifyHostName = Boolean.parseBoolean(socketOptions.get("verifyHostName").toString()); + socketOptions.remove("verifyHostName"); + } else { + verifyHostName = true; + } + } + + if (verifyHostName) { + SSLParameters sslParams = new SSLParameters(); + sslParams.setEndpointIdentificationAlgorithm("HTTPS"); + ((SSLSocket)this.socket).setSSLParameters(sslParams); + } + + super.initialiseSocket(sock); + } + /** * Initialize from a ServerSocket. No access to needClientAuth is given * since it is already set within the provided socket. 
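Review bot: The new line `((SSLSocket)this.socket).setSSLParameters(sslParams);` applies the parameters to the field while the method receives `sock` and forwards `sock` to `super.initialiseSocket`; unless the two are always the same object, the host-name check lands on a different socket than the one being initialised, so use `((SSLSocket) sock).setSSLParameters(sslParams);`. The three-paragraph comment explains the null default well but would be more discoverable as Javadoc on the `verifyHostName` field, and `socketOptions.remove("verifyHostName")` deserves its own why-comment, e.g. `// not a real Socket property: strip it before the remaining socketOptions are applied by the superclass` (hedged, since that application happens outside this hunk). `initialiseSocket` is fully inside the hunk; the `verifyHostName` field is declared in the earlier hunk.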
@@ -108,6 +144,10 @@ public class SslTransport extends TcpTransport {
 super.doConsume(command);
 }
+ public void setVerifyHostName(Boolean verifyHostName) {
+ this.verifyHostName = verifyHostName;
+ }
+
 /**
 * @return peer certificate chain associated with the ssl socket
 */
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java
----------------------------------------------------------------------
diff --git a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java
index bfd6318..5106e4f 100644
--- a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java
+++ b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java
@@ -100,6 +100,7 @@ public class SslTransportServer extends TcpTransportServer {
 *
 * @throws IOException passed up from TcpTransportServer.
 */
+ @Override
 public void bind() throws IOException {
 super.bind();
 if (needClientAuth) {
@@ -119,6 +120,7 @@ public class SslTransportServer extends TcpTransportServer {
 * @return The newly return (SSL) Transport.
 * @throws IOException
 */
+ @Override
 protected Transport createTransport(Socket socket, WireFormat format) throws IOException {
 return new SslTransport(format, (SSLSocket)socket);
 }
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransport.java
----------------------------------------------------------------------
diff --git a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransport.java b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransport.java
index 04d1636..e85cbaf 100644
--- a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransport.java
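Review bot: `setVerifyHostName(Boolean verifyHostName)` takes a boxed Boolean because null means "not configured, consult socket.verifyHostName", but nothing on the method says so and a reader will assume a plain boolean was intended. Add Javadoc such as `/** @param verifyHostName true or false to force endpoint identification; null (the default) defers to the socket.verifyHostName option and otherwise to true. */`. A matching `isVerifyHostName()` getter, as NIOSSLTransport gains in this commit, would keep the two transports consistent.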
+++ b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransport.java @@ -133,7 +133,7 @@ public class TcpTransport extends TransportThreadSupport implements Transport, S protected final AtomicReference<CountDownLatch> stoppedLatch = new AtomicReference<CountDownLatch>(); protected volatile int receiveCounter; - private Map<String, Object> socketOptions; + protected Map<String, Object> socketOptions; private int soLinger = Integer.MIN_VALUE; private Boolean keepAlive; private Boolean tcpNoDelay; @@ -751,6 +751,7 @@ public class TcpTransport extends TransportThreadSupport implements Transport, S return true; } + @Override public WireFormat getWireFormat() { return wireFormat; } http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java ---------------------------------------------------------------------- diff --git a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java index 6f3651f..61aec1d 100644 --- a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java +++ b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java @@ -40,6 +40,7 @@ import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicInteger; import javax.net.ServerSocketFactory; +import javax.net.ssl.SSLParameters; import javax.net.ssl.SSLServerSocket; import org.apache.activemq.Service; @@ -79,6 +80,7 @@ public class TcpTransportServer extends TransportServerThreadSupport implements protected int minmumWireFormatVersion; protected boolean useQueueForAccept = true; protected boolean allowLinkStealing; + protected boolean verifyHostName = true; /** * trace=true -> the Transport stack where this TcpTransport object will be, will have a TransportLogger layer 
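Review bot: Widening `socketOptions` from private to protected exists so that SslTransport can remove `verifyHostName` from the map before the options are applied, but the field carries no hint of that, and a future subclass could mutate it unknowingly. Add a comment above the declaration, e.g. `// protected so SSL subclasses can consume non-socket options (e.g. verifyHostName) before they are applied`. The rest of the class is outside the hunk.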
@@ -172,6 +174,16 @@ public class TcpTransportServer extends TransportServerThreadSupport implements // see: https://issues.apache.org/jira/browse/AMQ-4582 // if (socket instanceof SSLServerSocket) { + if (transportOptions.containsKey("verifyHostName")) { + verifyHostName = Boolean.parseBoolean(transportOptions.get("verifyHostName").toString()); + } + + if (verifyHostName) { + SSLParameters sslParams = new SSLParameters(); + sslParams.setEndpointIdentificationAlgorithm("HTTPS"); + ((SSLServerSocket)this.serverSocket).setSSLParameters(sslParams); + } + if (transportOptions.containsKey("enabledCipherSuites")) { Object cipherSuites = transportOptions.remove("enabledCipherSuites"); @@ -180,6 +192,7 @@ public class TcpTransportServer extends TransportServerThreadSupport implements "Invalid transport options {enabledCipherSuites=%s}", cipherSuites)); } } + } //AMQ-6599 - don't strip out set properties on the socket as we need to set them http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-mqtt/src/test/java/org/apache/activemq/transport/mqtt/auto/MQTTAutoSslAuthTest.java ---------------------------------------------------------------------- diff --git a/activemq-mqtt/src/test/java/org/apache/activemq/transport/mqtt/auto/MQTTAutoSslAuthTest.java b/activemq-mqtt/src/test/java/org/apache/activemq/transport/mqtt/auto/MQTTAutoSslAuthTest.java index 4fae9c4..3fb67a4 100644 --- a/activemq-mqtt/src/test/java/org/apache/activemq/transport/mqtt/auto/MQTTAutoSslAuthTest.java +++ b/activemq-mqtt/src/test/java/org/apache/activemq/transport/mqtt/auto/MQTTAutoSslAuthTest.java 
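Review bot: `verifyHostName` is read from `transportOptions` but, unlike `enabledCipherSuites` a few lines below, is not removed from the map; presumably that is deliberate so the option also reaches each accepted SslTransport through its setter, but as written it looks like an oversight and the later "don't strip out set properties" comment does not cover it. Add a comment on the `containsKey("verifyHostName")` line such as `// intentionally left in transportOptions so it is also applied to each accepted SslTransport`. The `new SSLParameters()` applied to the SSLServerSocket also resets its client-auth flags, which is harmless only because SslTransportServer.bind sets needClientAuth after super.bind() per its hunk; starting from `((SSLServerSocket) this.serverSocket).getSSLParameters()` would remove that ordering dependency. The enclosing method starts and ends outside the hunk.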
@@ -55,7 +55,7 @@ public class MQTTAutoSslAuthTest extends MQTTTestSupport {
 */
 public MQTTAutoSslAuthTest(String protocol) {
 this.protocol = protocol;
- protocolConfig = "transport.needClientAuth=true";
+ protocolConfig = "transport.needClientAuth=true&transport.verifyHostName=false&";
 }
 @Override
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompSslAuthTest.java
----------------------------------------------------------------------
diff --git a/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompSslAuthTest.java b/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompSslAuthTest.java
index 9b4d1c4..d295dfb 100644
--- a/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompSslAuthTest.java
+++ b/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompSslAuthTest.java
@@ -54,13 +54,13 @@ public class StompSslAuthTest extends StompTest {
 @Override
 public void addOpenWireConnector() throws Exception {
- TransportConnector connector = brokerService.addConnector("ssl://0.0.0.0:0?needClientAuth=true");
- cf = new ActiveMQConnectionFactory(connector.getPublishableConnectString());
+ TransportConnector connector = brokerService.addConnector("ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false");
+ cf = new ActiveMQConnectionFactory(connector.getPublishableConnectString() + "?socket.verifyHostName=false");
 }
 @Override
 protected String getAdditionalConfig() {
- return "?needClientAuth=true";
+ return "?needClientAuth=true&transport.verifyHostName=false";
 }
 // NOOP - These operations handled by jaas cert login module
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/auto/StompAutoSslAuthTest.java
----------------------------------------------------------------------
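Review bot: `getAdditionalConfig()` now mixes an unprefixed `needClientAuth=true` with a prefixed `transport.verifyHostName=false`, while `addOpenWireConnector` in the same hunk was changed to use the `transport.` prefix for both keys; unless the stomp connector setup deliberately consumes the unprefixed key, this should read `return "?transport.needClientAuth=true&transport.verifyHostName=false";` for consistency. Both methods are fully within the hunk.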
diff --git a/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/auto/StompAutoSslAuthTest.java b/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/auto/StompAutoSslAuthTest.java
index f878cf2..20f5edb 100644
--- a/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/auto/StompAutoSslAuthTest.java
+++ b/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/auto/StompAutoSslAuthTest.java
@@ -102,7 +102,7 @@ public class StompAutoSslAuthTest extends StompTestSupport {
 @Override
 protected String getAdditionalConfig() {
- return "?transport.needClientAuth=true";
+ return "?transport.needClientAuth=true&transport.verifyHostName=false";
 }
 @Override
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4126Test.java
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4126Test.java b/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4126Test.java
index 4d6d39c..60245f0 100644
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4126Test.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4126Test.java
@@ -121,7 +121,7 @@ public class AMQ4126Test {
 public void openwireConnectTo(String connectorName, String username, String password) throws Exception {
 URI brokerURI = broker.getConnectorByName(connectorName).getConnectUri();
- String uri = "ssl://" + brokerURI.getHost() + ":" + brokerURI.getPort();
+ String uri = "ssl://" + brokerURI.getHost() + ":" + brokerURI.getPort() + "?socket.verifyHostName=false";
 ActiveMQSslConnectionFactory cf = new ActiveMQSslConnectionFactory(uri);
 cf.setTrustStore("org/apache/activemq/security/broker1.ks");
 cf.setTrustStorePassword("password");
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ6599Test.java
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ6599Test.java b/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ6599Test.java
index 72c9b88..3de3ee9 100644
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ6599Test.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ6599Test.java
@@ -71,7 +71,7 @@ public class AMQ6599Test {
 brokerService.setPersistent(false);
 TransportConnector connector = brokerService.addConnector(protocol +
- "://localhost:0?transport.soTimeout=3500");
+ "://localhost:0?transport.soTimeout=3500&transport.verifyHostName=false");
 connector.setName("connector");
 uri = connector.getPublishableConnectString();
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/java/org/apache/activemq/network/NetworkReconnectSslNioTest.java
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/network/NetworkReconnectSslNioTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/network/NetworkReconnectSslNioTest.java
index 0c3b1ed..b97fdcf 100644
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/network/NetworkReconnectSslNioTest.java +++ b/activemq-unit-tests/src/test/java/org/apache/activemq/network/NetworkReconnectSslNioTest.java @@ -47,14 +47,14 @@ public class NetworkReconnectSslNioTest { remote.setSslContext(sslContext); remote.setUseJmx(false); remote.setPersistent(false); - final TransportConnector transportConnector = remote.addConnector("nio+ssl://0.0.0.0:0"); + final TransportConnector transportConnector = remote.addConnector("nio+ssl://0.0.0.0:0?transport.verifyHostName=false"); remote.start(); BrokerService local = new BrokerService(); local.setSslContext(sslContext); local.setUseJmx(false); local.setPersistent(false); - final NetworkConnector networkConnector = local.addNetworkConnector("static:(" + remote.getTransportConnectorByScheme("nio+ssl").getPublishableConnectString().replace("nio+ssl", "ssl") + ")?useExponentialBackOff=false&initialReconnectDelay=10"); + final NetworkConnector networkConnector = local.addNetworkConnector("static:(" + remote.getTransportConnectorByScheme("nio+ssl").getPublishableConnectString().replace("nio+ssl", "ssl") + "?socket.verifyHostName=false" + ")?useExponentialBackOff=false&initialReconnectDelay=10"); local.start(); assertTrue("Bridge created", Wait.waitFor(new Wait.Condition() { http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoSslAuthTest.java ---------------------------------------------------------------------- diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoSslAuthTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoSslAuthTest.java index be6043b..f24620d 100644 --- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoSslAuthTest.java +++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoSslAuthTest.java 
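Review bot: The network connector URI appends `"?socket.verifyHostName=false"` to `getPublishableConnectString()` unconditionally; if the publishable connect string ever carries its own query part, this produces a second `?` and the option is not parsed. Guarding on `contains("?")` as AutoTransportConnectionsTest does in this commit, or appending with `&` when a query is already present, would make the test robust to connector configuration changes. The test method continues outside the hunk.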
@@ -75,7 +75,7 @@ public class AutoSslAuthTest {
 BrokerService brokerService = new BrokerService();
 brokerService.setPersistent(false);
- TransportConnector connector = brokerService.addConnector(protocol + "://localhost:0?transport.needClientAuth=true");
+ TransportConnector connector = brokerService.addConnector(protocol + "://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false");
 connector.setName("auto");
 uri = connector.getPublishableConnectString();
@@ -126,7 +126,7 @@ public class AutoSslAuthTest {
 @Test(timeout = 60000)
 public void testConnect() throws Exception {
 ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory();
- factory.setBrokerURL(uri);
+ factory.setBrokerURL(uri + "?socket.verifyHostName=false");
 //Create 5 connections to make sure all are properly set
 for (int i = 0; i < 5; i++) {
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoTransportConnectionsTest.java
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoTransportConnectionsTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoTransportConnectionsTest.java
index 02a72cf..1de13ac 100644
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoTransportConnectionsTest.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoTransportConnectionsTest.java
@@ -103,8 +103,14 @@ public class AutoTransportConnectionsTest { } public void configureConnectorAndStart(String bindAddress) throws Exception { + if (bindAddress.contains("ssl")) { + bindAddress += bindAddress.contains("?") ? "&transport.verifyHostName=false" : "?transport.verifyHostName=false"; + } connector = service.addConnector(bindAddress); connectionUri = connector.getPublishableConnectString(); + if (connectionUri.contains("ssl")) { + connectionUri += connectionUri.contains("?") ? "&socket.verifyHostName=false" : "?socket.verifyHostName=false"; + } service.start(); service.waitUntilStarted(); } http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLBasicTest.java ---------------------------------------------------------------------- diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLBasicTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLBasicTest.java index 473d785..d9ea3ae 100644 --- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLBasicTest.java +++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLBasicTest.java @@ -17,14 +17,14 @@ package org.apache.activemq.transport.nio; import javax.jms.Connection; +import javax.jms.JMSException; import javax.jms.Message; import javax.jms.MessageConsumer; import javax.jms.MessageProducer; import javax.jms.Queue; import javax.jms.Session; import javax.jms.TextMessage; - -import junit.framework.TestCase; +import javax.net.ssl.SSLHandshakeException; import org.apache.activemq.ActiveMQConnectionFactory; import org.apache.activemq.broker.BrokerService; @@ -33,6 +33,8 @@ import org.junit.After; import org.junit.Before; import org.junit.Test; +import junit.framework.TestCase; + public class NIOSSLBasicTest { public static final String KEYSTORE_TYPE = "jks"; 
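Review bot: `javax.jms.JMSException` and `javax.net.ssl.SSLHandshakeException` are imported in the NIOSSLBasicTest import hunk but no line added by this commit uses them (the new test expects the bare `Exception.class`); unless they are used elsewhere in the file, either drop them or put `JMSException` to use as the expected type in `verifyHostNameError`. Relocating `junit.framework.TestCase` below the org.junit imports is fine, but keeping the JUnit 3 `TestCase` import in a JUnit 4 annotated class is worth a one-line comment if it is still needed.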
@@ -78,25 +80,40 @@ public class NIOSSLBasicTest { @Test public void basicConnector() throws Exception { - BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true"); - basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort()); + BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false"); + basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort() + "?socket.verifyHostName=false"); stopBroker(broker); } @Test public void enabledCipherSuites() throws Exception { - BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true&transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA"); - basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort()); + BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false&transport.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256&transport.verifyHostName=false"); + basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort() + "?socket.verifyHostName=false"); stopBroker(broker); } @Test public void enabledProtocols() throws Exception { - BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:61616?transport.needClientAuth=true&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"); - basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort()); + BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:61616?transport.needClientAuth=true&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.verifyHostName=false"); + basicSendReceive("ssl://localhost:" + 
broker.getConnectorByName("nio+ssl").getConnectUri().getPort() + "?socket.verifyHostName=false"); stopBroker(broker); } + //Client/server is missing verifyHostName=false so it should fail as cert doesn't have right host name + @Test(expected = Exception.class) + public void verifyHostNameError() throws Exception { + BrokerService broker = null; + try { + broker = createBroker("nio+ssl", getTransportType() + "://localhost:61616?transport.needClientAuth=true"); + basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort()); + } finally { + if (broker != null) { + stopBroker(broker); + } + } + } + + public void basicSendReceive(String uri) throws Exception { ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(uri); Connection connection = factory.createConnection(); http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLLoadTest.java ---------------------------------------------------------------------- diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLLoadTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLLoadTest.java index 4751c9f..4a92d66 100644 --- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLLoadTest.java +++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLLoadTest.java @@ -74,7 +74,7 @@ public class NIOSSLLoadTest { broker = new BrokerService(); broker.setPersistent(false); broker.setUseJmx(false); - connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true&transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA"); + connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false&transport.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256"); broker.start(); broker.waitUntilStarted(); 
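Review bot: `verifyHostNameError` uses `@Test(expected = Exception.class)`, which is satisfied by any failure, including the broker failing to bind the hard-coded port 61616 that `enabledProtocols` also uses, so the test cannot tell a host-name verification failure from an environmental error; narrow it, e.g. `@Test(expected = JMSException.class)`, or catch and assert that the cause chain contains an `SSLHandshakeException`, and use `localhost:0` as `basicConnector` does to avoid the port clash. The `enabledCipherSuites` URI now carries `transport.verifyHostName=false` twice; the trailing duplicate should be dropped. The comment above the new test would read better as `// neither side sets verifyHostName=false, so the handshake must fail because the test certificate does not carry the peer host name`.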
@@ -113,6 +113,7 @@ public class NIOSSLLoadTest { } Wait.waitFor(new Wait.Condition() { + @Override public boolean isSatisified() throws Exception { return getReceived() == PRODUCER_COUNT * MESSAGE_COUNT; } http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLWindowSizeTest.java ---------------------------------------------------------------------- diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLWindowSizeTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLWindowSizeTest.java index 17cdc41..e92b4fe 100644 --- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLWindowSizeTest.java +++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLWindowSizeTest.java @@ -30,11 +30,11 @@ import javax.jms.Session; @SuppressWarnings("javadoc") public class NIOSSLWindowSizeTest extends TestCase { - + BrokerService broker; Connection connection; Session session; - + public static final String KEYSTORE_TYPE = "jks"; public static final String PASSWORD = "password"; public static final String SERVER_KEYSTORE = "src/test/resources/server.keystore"; @@ -46,7 +46,7 @@ public class NIOSSLWindowSizeTest extends TestCase { public static final int MESSAGE_SIZE = 65536; byte[] messageData; - + @Override protected void setUp() throws Exception { System.setProperty("javax.net.ssl.trustStore", TRUST_KEYSTORE); 
@@ -59,19 +59,19 @@ public class NIOSSLWindowSizeTest extends TestCase { broker = new BrokerService(); broker.setPersistent(false); broker.setUseJmx(false); - TransportConnector connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true"); + TransportConnector connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false"); broker.start(); broker.waitUntilStarted(); - + messageData = new byte[MESSAGE_SIZE]; for (int i = 0; i < MESSAGE_SIZE; i++) { messageData[i] = (byte) (i & 0xff); } - + ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("nio+ssl://localhost:" + connector.getConnectUri().getPort()); connection = factory.createConnection(); - session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE); + session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE); connection.start(); } @@ -100,14 +100,14 @@ public class NIOSSLWindowSizeTest extends TestCase { prod.send(msg); } finally { prod.close(); - } + } MessageConsumer cons = null; - try + try { cons = session.createConsumer(dest); assertNotNull(cons.receive(30000L)); } finally { cons.close(); - } + } } } http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslTransportFactoryTest.java ---------------------------------------------------------------------- diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslTransportFactoryTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslTransportFactoryTest.java index af9d672..cfe1f25 100644 --- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslTransportFactoryTest.java +++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslTransportFactoryTest.java 
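Review bot: In the @@ -59 hunk the client factory URI `"nio+ssl://localhost:" + connector.getConnectUri().getPort()` is left without `socket.verifyHostName=false`, while only the broker connector gains `transport.verifyHostName=false`. The NIOSSLBasicTest hunks in this same commit disable verification on the client URI and add a test expecting a plain `ssl://localhost:...` client to fail, so either the nio+ssl client path does not yet verify the broker's hostname, or this test will start failing once it does; if the former, that asymmetry between `ssl` and `nio+ssl` clients deserves a comment and a follow-up test. Whichever applies, a line such as `// client-side hostname verification intentionally left at the default - see NIOSSLBasicTest` would document the choice. The setUp method this hunk belongs to starts outside the hunk.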
@@ -33,10 +33,12 @@ public class SslTransportFactoryTest extends TestCase { private SslTransportFactory factory; private boolean verbose; + @Override protected void setUp() throws Exception { factory = new SslTransportFactory(); } + @Override protected void tearDown() throws Exception { super.tearDown(); } @@ -96,6 +98,12 @@ public class SslTransportFactoryTest extends TestCase { // -1 since the option range is [-1,1], not [0,2]. optionSettings[j] = getMthNaryDigit(i, j, 3) - 1; + //We now always set options to a default we default verifyHostName to true + //so we setSSLParameters so make the not set value = 0 + if (optionSettings[j] == -1) { + optionSettings[j] = 0; + } + if (optionSettings[j] != -1) { options.put(optionNames[j], optionSettings[j] == 1 ? "true" : "false"); } http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/InconsistentConnectorPropertiesBehaviour.xml ---------------------------------------------------------------------- diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/InconsistentConnectorPropertiesBehaviour.xml b/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/InconsistentConnectorPropertiesBehaviour.xml index c672f6d..0241f67 100644 --- a/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/InconsistentConnectorPropertiesBehaviour.xml +++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/InconsistentConnectorPropertiesBehaviour.xml 
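Review bot: In the @@ -96 hunk the new remap turns every `-1` into `0` before the existing check `if (optionSettings[j] != -1)`, so that condition is now always true and the "option not set" case is no longer exercised by the loop; either drop the now-dead guard or keep the `-1` case and assert the default behaviour explicitly. The comment above the remap is hard to parse; suggest `// Options are now always applied (verifyHostName defaults to true), so treat "not set" (-1) as false (0).` The enclosing loop and test method start outside the hunk.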
@@ -36,12 +36,12 @@ </sslContext> <transportConnectors> - <transportConnector name="stomp+ssl+special" uri="stomp+ssl://0.0.0.0:0?needClientAuth=true" /> - <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:0?transport.needClientAuth=true" /> - <transportConnector name="stomp+nio+ssl+special" uri="stomp+nio+ssl://0.0.0.0:0?needClientAuth=true" /> - <transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:0?transport.needClientAuth=true" /> - <transportConnector name="mqtt+ssl" uri="mqtt+ssl://0.0.0.0:0?transport.needClientAuth=true" /> - <transportConnector name="mqtt+nio+ssl" uri="mqtt+nio+ssl://0.0.0.0:0?transport.needClientAuth=true" /> + <transportConnector name="stomp+ssl+special" uri="stomp+ssl://0.0.0.0:0?needClientAuth=true&transport.verifyHostName=false" /> + <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" /> + <transportConnector name="stomp+nio+ssl+special" uri="stomp+nio+ssl://0.0.0.0:0?needClientAuth=true&transport.verifyHostName=false" /> + <transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" /> + <transportConnector name="mqtt+ssl" uri="mqtt+ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" /> + <transportConnector name="mqtt+nio+ssl" uri="mqtt+nio+ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" /> </transportConnectors> </broker> http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/JaasStompSSLBroker.xml ---------------------------------------------------------------------- diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/JaasStompSSLBroker.xml b/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/JaasStompSSLBroker.xml index 70af5fa..3778173 100644 
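Review bot: Every connector in this test configuration, and likewise in the JaasStompSSLBroker.xml and the two JaasDualAuthenticationNetworkBridge*.xml hunks that follow, now carries `transport.verifyHostName=false` with nothing marking it as a test-only relaxation. These resource files are easy to reuse as templates, so an XML comment beside the connectors, e.g. `<!-- test-only: hostname verification disabled because the test certificates do not match the bind address -->`, would keep the weakened setting from travelling into real broker configs; the stated reason is inferred and should be checked against the test keystores.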
--- a/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/JaasStompSSLBroker.xml +++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/JaasStompSSLBroker.xml @@ -36,10 +36,10 @@ </sslContext> <transportConnectors> - <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:0?transport.needClientAuth=true" /> - <transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:0?transport.needClientAuth=true" /> - <transportConnector name="openwire+ssl" uri="ssl://0.0.0.0:0?transport.needClientAuth=true" /> - <transportConnector name="openwire+nio+ssl" uri="nio+ssl://0.0.0.0:0?transport.needClientAuth=true" /> + <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" /> + <transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" /> + <transportConnector name="openwire+ssl" uri="ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" /> + <transportConnector name="openwire+nio+ssl" uri="nio+ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" /> </transportConnectors> </broker> http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridge.xml ---------------------------------------------------------------------- diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridge.xml b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridge.xml index faae4db..e2eddb9 100644 --- a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridge.xml +++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridge.xml 
@@ -171,7 +171,7 @@ </systemUsage> <transportConnectors> - <transportConnector name="openwire+ssl-2" uri="ssl://0.0.0.0:61626?transport.closeAsync=false&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.needClientAuth=true"/> + <transportConnector name="openwire+ssl-2" uri="ssl://0.0.0.0:61626?transport.closeAsync=false&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.needClientAuth=true&transport.verifyHostName=false"/> </transportConnectors> </broker> </beans> http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSsl.xml ---------------------------------------------------------------------- diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSsl.xml b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSsl.xml index 9e5e7d1..eb3d2fd 100644 --- a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSsl.xml +++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSsl.xml @@ -171,7 +171,7 @@ </systemUsage> <transportConnectors> - <transportConnector name="openwire+nio-ssl-2" uri="nio+ssl://0.0.0.0:61626?transport.closeAsync=false&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.needClientAuth=true"/> + <transportConnector name="openwire+nio-ssl-2" uri="nio+ssl://0.0.0.0:61626?transport.closeAsync=false&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.needClientAuth=true&transport.verifyHostName=false"/> </transportConnectors> </broker> </beans>