Posted to issues@activemq.apache.org by "Justin Bertram (JIRA)" <ji...@apache.org> on 2016/08/10 21:00:23 UTC

[jira] [Commented] (ARTEMIS-656) Artemis does not seem to check the hostname on SSL / TLS connect

    [ https://issues.apache.org/jira/browse/ARTEMIS-656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15416005#comment-15416005 ] 

Justin Bertram commented on ARTEMIS-656:
----------------------------------------

I believe it's true that Artemis doesn't currently do hostname verification for SSL/TLS connections, and I aim to correct that.  However, I'm a bit confused by the description.

It says, "Artemis doesn't configure a trust manager when connecting bridges..."  As I understand it, bridge connections are treated just like any other client connection which connects to a Netty acceptor, and a trust manager will be created for that acceptor assuming it was configured with a valid trustStorePath and trustStorePassword.  The same is true for the Netty connector which the bridge uses.  Is this what you're talking about?  In any case, I'm not clear on how the trust manager relates to hostname verification.

Also, I don't understand the phrase, "...there's no attempt to verify that the hostname of the target broker matches the one that triggered the connection."  Unless I'm thinking about this wrong, the name of the host that triggers the connection will always be different from the name of the host of the target broker unless the two are actually running on the same host (which would be unusual).  Therefore, they shouldn't match.  Right?

> Artemis does not seem to check the hostname on SSL / TLS connect
> ----------------------------------------------------------------
>
>                 Key: ARTEMIS-656
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-656
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>    Affects Versions: 1.3.0
>            Reporter: Mike Hearn
>            Assignee: Justin Bertram
>
> (I am reporting this second hand, please let me know if this bug report doesn't sound right).
> Artemis doesn't configure a trust manager when connecting bridges, so there's no attempt to verify that the hostname of the target broker matches the one that triggered the connection. An example fix might be
> sslparameters.setEndpointIdentificationAlgorithm("HTTPS")
> and then pass the hostname/port into the SSLEngine constructor.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
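
The setting named in the issue description, shown as an added example (not Artemis code and not written by either participant): a client SSLEngine built without and with endpoint identification. The class name, method names, host name and port are constructed for illustration; an SSLEngine is obtained from SSLContext.createSSLEngine rather than from a constructor.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;

// Added example; names are hypothetical, not taken from Artemis.
public class HostnameVerifyingEngine {

    // Weak form: no peer host and no endpoint identification algorithm.
    // The trust manager only checks that the chain leads to a trusted CA,
    // so a certificate issued for any other name by that CA is accepted.
    static SSLEngine withoutHostnameCheck(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        return engine;
    }

    // Corrected form: the engine is told which host it is dialing, and the
    // "HTTPS" algorithm (RFC 2818 rules) makes JSSE compare that host with
    // the names in the server certificate during the handshake. The check
    // runs as part of the trust manager's server-certificate validation,
    // which is how the trust manager relates to hostname verification.
    static SSLEngine withHostnameCheck(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    static String describe(SSLEngine engine) {
        return "peerHost=" + engine.getPeerHost()
                + " endpointIdentification="
                + engine.getSSLParameters().getEndpointIdentificationAlgorithm();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        // Constructed target: the name the client was configured to connect to.
        String host = "broker.example.com";
        int port = 61617;
        System.out.println("weak:   " + describe(withoutHostnameCheck(ctx)));
        System.out.println("strict: " + describe(withHostnameCheck(ctx, host, port)));
    }
}
```

The name being compared is the one the connecting side was configured to dial, checked against the names in the certificate the target presents; the connecting machine's own host name plays no part.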