On Jan 3, 2012, at 3:14 AM, Dejan Bosanac wrote: > Hi Jason, > > maybe the best way to start is to create "programatically configured" version > of NIOSSLTransportBrokerTest and attach it to Jira.
Depends, is the ExtBrokerService.createSsslTransportServer() example below the correct/expect method to configure the SslContext for use by the nio+ssl transport? If its not... then I have no idea how to configure the ssl details for nio+ssl and thus it would be pointless to create a test. If it is then I can certainly abstract out my local test into something consumable by the public. I did however ask a few questions in this email... which would be very helpful to have answers to in order to create an appropriate test. Is the author of the nio+ssl transport not around the help answer some of them? --jason > Regards > -- > Dejan Bosanac - http://twitter.com/dejanb > ----------------- > The experts in open source integration and messaging - http://fusesource.com > ActiveMQ in Action - http://www.manning.com/snyder/ > Blog - http://www.nighttale.net > > > On Fri, Dec 30, 2011 at 10:46 AM, Jason Dillon <ja...@planet57.com> wrote: > Has anyone tried using the nio+ssl transport w/programatic keystore and trust > store configuration similar to using SslBrokerService.addSslConnector(String, > KeyManager[], TrustManager[], SecureRandom)? > > I tried configuring the transport similarly in an extension: > > <snip> > public class ExtBrokerService > extends SslBrokerService > { > @Override > protected TransportServer createSslTransportServer(final URI brokerURI, > final KeyManager[] km, final TrustManager[] tm, final SecureRandom random) > throws IOException, KeyManagementException > { > if (brokerURI.getScheme().equals("ssl")) { //NON-NLS > SslTransportFactory transportFactory = new SslTransportFactory(); > SslContext ctx = new SslContext(km, tm, random); > SslContext.setCurrentSslContext(ctx); > try { > return transportFactory.doBind(brokerURI); > } > finally { > SslContext.setCurrentSslContext(null); > } > } > else if (brokerURI.getScheme().equals("nio+ssl")) { //NON-NLS > SslContext ctx = new SslContext(km, tm, random); > SslContext.setCurrentSslContext(ctx); > NIOSSLTransportFactory transportFactory = new > NIOSSLTransportFactory(); > try { > return transportFactory.doBind(brokerURI); > } > finally { > SslContext.setCurrentSslContext(null); > } > } > else { > return TransportFactory.bind(this, brokerURI); > } > } > } > </snip> > > And then configuring with: > > <snip> > ExtBrokerService brokerService = new ExtBrokerService(); > TransportConnector connector = > brokerService.addSslConnector("nio+ssl://0.0.0.0:0?needClientAuth=true", > keyStoreManager.getKeyManagers(), > keyStoreManager.getTrustManagers(), new SecureRandom()); > </snip> > > This does appear to start up the transport using nio+ssl. I've confirmed > that the overridden createSslTransportServer() is getting called and is using > the "nio+ssl" logic branch. > > Its unclear if the needClientAuth bits are getting configured however, since > its difficult to inspect vs using the ssl transport via > ((SslTransportServer)connector.getServer()).getNeedClientAuth(). > > Testing with a ssl:// client connection configured with the appropriate > {key|trust}stores fails, complaining about "no cipher suites in common". > Some of the ssl debug output shows: > > <snip> > ... > ActiveMQ Task-1, READ: SSL v2, contentType = Handshake, translated length = > 113 > *** ClientHello, TLSv1 > RandomCookie: GMT: 1308393557 bytes = { 81, 129, 30, 234, 206, 134, 210, > 218, 170, 130, 85, 15, 37, 247, 89, 189, 135, 213, 205, 15, 19, 38, 77, 90, > 224, 246, 175, 61 } > Session ID: {} > Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, > TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, > TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, > TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, > TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, > TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, > TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, > SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, > TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, > TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, > SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, > SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, > SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, > SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, > TLS_EMPTY_RENEGOTIATION_INFO_SCSV] > Compression Methods: { 0 } > *** > ActiveMQ Task-2, fatal error: 40: no cipher suites in common > javax.net.ssl.SSLHandshakeException: no cipher suites in common > ActiveMQ Task-2, SEND TLSv1 ALERT: fatal, description = handshake_failure > ActiveMQ Task-2, WRITE: TLSv1 Alert, length = 2 > ActiveMQ Task-1, fatal: engine already closed. Rethrowing > javax.net.ssl.SSLHandshakeException: no cipher suites in common > ... > </snip> > > Running the *exact same test* changing only the brokers transport scheme from > "nio+ssl" to "ssl" and the ssl connection is established correctly and the > test behaves as expected wrt clientAuth, etc. > > I was digging around a little, and I'm not really sure if this is correct... > but it does not look like the nio+ssl transport server is getting the ssl > serversocketfactory instead which > NIOSSLTransportFActory.createSocketFactory() should be returning. Actually > when running the tests above I don't see that method called at all. I also > dropped a breakpoint at NIOSSLTransportFactory:51 > > > > ( > https://skitch.com/jasondillon/gw6ft/nio-ssl-w-programatic-key-trust-store-configuration > ) > > And then started to inspect the variables in scope, and it looks like the > serverSocketFactory instance given is from > NIOTransportFactory.createServerSocketFactory() return: > > > > ( > https://skitch.com/jasondillon/gw6fu/nio-ssl-w-programatic-key-trust-store-configuration > ) > > SSL makes my head want to explode some times. The NIO transport code and the > SSL version of it is a little more complex to follow how its supposed to work > vs. the SSL layer on-top of the TCP transport. > > Anyways, I'm not sure if the socket factory is an issue here or not, but it > could be related? I'm also guessing that programatic access using nio+ssl > hasn't been used that muck since the SslBrokerFactory has not been updated to > deal with setting the SslContext for nio+ssl scheme (as shown in > ExtBrokerService above)? > > The NIOSSLTransportBrokerTest appears to pass: > > <snip> > ------------------------------------------------------- > T E S T S > ------------------------------------------------------- > > Running org.apache.activemq.transport.nio.NIOSSLTransportBrokerTest > Tests run: 129, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 261.187 sec > </snip> > > ... so I'm guessing that configuring the trust/keystore bits work okay when > configuration them globally via javax.net.ssl.* properties? > > * * * > > Does anyone have any idea what might be going on here which would cause "no > cipher suites in common" errors when using "nio+ssl" when "ssl" works just > fine? > > Thanks, > > --jason > > >