Posted to commits@qpid.apache.org by or...@apache.org on 2014/08/07 02:20:24 UTC

svn commit: r1616378 - in /qpid/trunk/qpid: doc/book/src/jms-client-0-8/ java/client/src/main/java/org/apache/qpid/client/ java/client/src/test/java/org/apache/qpid/test/unit/client/BrokerDetails/ java/common/src/main/java/org/apache/qpid/configuration...

Author: orudyy
Date: Thu Aug  7 00:20:24 2014
New Revision: 1616378

URL: http://svn.apache.org/r1616378
Log:
QPID-5960: Turn on SSL host name verification by default

Modified:
    qpid/trunk/qpid/doc/book/src/jms-client-0-8/JMS-Client-Connection-URL.xml
    qpid/trunk/qpid/doc/book/src/jms-client-0-8/JMS-Client-System-Properties.xml
    qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/client/AMQBrokerDetails.java
    qpid/trunk/qpid/java/client/src/test/java/org/apache/qpid/test/unit/client/BrokerDetails/BrokerDetailsTest.java
    qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/configuration/ClientProperties.java
    qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/client/ssl/SSLTest.java

Modified: qpid/trunk/qpid/doc/book/src/jms-client-0-8/JMS-Client-Connection-URL.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/jms-client-0-8/JMS-Client-Connection-URL.xml?rev=1616378&r1=1616377&r2=1616378&view=diff
==============================================================================
--- qpid/trunk/qpid/doc/book/src/jms-client-0-8/JMS-Client-Connection-URL.xml (original)
+++ qpid/trunk/qpid/doc/book/src/jms-client-0-8/JMS-Client-Connection-URL.xml Thu Aug  7 00:20:24 2014
@@ -287,8 +287,9 @@
 				<row>
 					<entry> ssl_verify_hostname </entry>
 					<entry> Boolean </entry>
-					<entry> When using SSL you can enable hostname verification by using
-							<literal>ssl_verify_hostname='true'</literal> in the broker URL.
+					<entry> This option is used for turning on/off hostname verification when using SSL.
+                        It is set to 'true' by default. You can disable verification by setting it to 'false':
+							<literal>ssl_verify_hostname='false'</literal>.
 					</entry>
 				</row>
 				<row id="JMS-Client-0-8-Connection-URL-BrokerOptions-Retries">

Modified: qpid/trunk/qpid/doc/book/src/jms-client-0-8/JMS-Client-System-Properties.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/jms-client-0-8/JMS-Client-System-Properties.xml?rev=1616378&r1=1616377&r2=1616378&view=diff
==============================================================================
--- qpid/trunk/qpid/doc/book/src/jms-client-0-8/JMS-Client-System-Properties.xml (original)
+++ qpid/trunk/qpid/doc/book/src/jms-client-0-8/JMS-Client-System-Properties.xml Thu Aug  7 00:20:24 2014
@@ -78,6 +78,15 @@
 						exception. <para>Setting this property to 'true' will disable that check and
 							allow you to set a client ID of your choice later on.</para></entry>
 				</row>
+                <row>
+                    <entry>qpid.connection_ssl_verify_hostname</entry>
+                    <entry>boolean</entry>
+                    <entry>true</entry>
+                    <entry>This property is used to turn on/off broker host name verification on SSL negotiation
+                        if SSL transport is used. It is set to 'true' by default.
+                        <para>Setting this property to 'false' will disable that check and
+                            allow you to ignore host name errors.</para></entry>
+                </row>
 			</tbody>
 		</tgroup>
 	</table>

Modified: qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/client/AMQBrokerDetails.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/client/AMQBrokerDetails.java?rev=1616378&r1=1616377&r2=1616378&view=diff
==============================================================================
--- qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/client/AMQBrokerDetails.java (original)
+++ qpid/trunk/qpid/java/client/src/main/java/org/apache/qpid/client/AMQBrokerDetails.java Thu Aug  7 00:20:24 2014
@@ -20,6 +20,7 @@
  */
 package org.apache.qpid.client;
 
+import org.apache.qpid.configuration.ClientProperties;
 import org.apache.qpid.jms.BrokerDetails;
 import org.apache.qpid.transport.ConnectionSettings;
 import org.apache.qpid.url.URLHelper;
@@ -470,7 +471,10 @@ public class AMQBrokerDetails implements
         }
         // ----------------------------
 
-        conSettings.setVerifyHostname(getBooleanProperty(BrokerDetails.OPTIONS_SSL_VERIFY_HOSTNAME));
+        boolean defaultSSLVerifyHostName = Boolean.parseBoolean(
+                System.getProperty(ClientProperties.CONNECTION_OPTION_SSL_VERIFY_HOST_NAME,
+                    String.valueOf(ClientProperties.DEFAULT_CONNECTION_OPTION_SSL_VERIFY_HOST_NAME)));
+        conSettings.setVerifyHostname(getBooleanProperty(BrokerDetails.OPTIONS_SSL_VERIFY_HOSTNAME, defaultSSLVerifyHostName ));
 
         if (getProperty(BrokerDetails.OPTIONS_TCP_NO_DELAY) != null)
         {
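Review bot: `Boolean.parseBoolean` makes the new `qpid.connection_ssl_verify_hostname` system property fail open: any value other than a case-insensitive "true" (a typo, `yes`, `1`, an empty string) silently disables host name verification for every connection whose URL does not set `ssl_verify_hostname`. Since this commit makes verification the default, only an explicit "false" should turn it off, for example `String v = System.getProperty(ClientProperties.CONNECTION_OPTION_SSL_VERIFY_HOST_NAME);` followed by `boolean defaultSSLVerifyHostName = v == null ? ClientProperties.DEFAULT_CONNECTION_OPTION_SSL_VERIFY_HOST_NAME : !"false".equalsIgnoreCase(v.trim());`. How `getBooleanProperty` parses the URL option is not visible in this hunk and may deserve the same treatment. Logging a warning when the resolved value is false would also make a disabled check visible in client logs. The enclosing method starts and ends outside the hunk.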

Modified: qpid/trunk/qpid/java/client/src/test/java/org/apache/qpid/test/unit/client/BrokerDetails/BrokerDetailsTest.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/client/src/test/java/org/apache/qpid/test/unit/client/BrokerDetails/BrokerDetailsTest.java?rev=1616378&r1=1616377&r2=1616378&view=diff
==============================================================================
--- qpid/trunk/qpid/java/client/src/test/java/org/apache/qpid/test/unit/client/BrokerDetails/BrokerDetailsTest.java (original)
+++ qpid/trunk/qpid/java/client/src/test/java/org/apache/qpid/test/unit/client/BrokerDetails/BrokerDetailsTest.java Thu Aug  7 00:20:24 2014
@@ -20,14 +20,14 @@
  */
 package org.apache.qpid.test.unit.client.BrokerDetails;
 
-import junit.framework.TestCase;
-
 import org.apache.qpid.client.AMQBrokerDetails;
+import org.apache.qpid.configuration.ClientProperties;
 import org.apache.qpid.jms.BrokerDetails;
+import org.apache.qpid.test.utils.QpidTestCase;
 import org.apache.qpid.transport.ConnectionSettings;
 import org.apache.qpid.url.URLSyntaxException;
 
-public class BrokerDetailsTest extends TestCase
+public class BrokerDetailsTest extends QpidTestCase
 {
     public void testDefaultTCP_NODELAY() throws URLSyntaxException
     {
@@ -190,4 +190,38 @@ public class BrokerDetailsTest extends T
 
         assertEquals(Integer.valueOf(60), broker.buildConnectionSettings().getHeartbeatInterval08());
     }
+
+    public void testSslVerifyHostNameIsTurnedOnByDefault() throws Exception
+    {
+        String brokerURL = "tcp://localhost:5672?ssl='true'";
+        AMQBrokerDetails broker = new AMQBrokerDetails(brokerURL);
+        ConnectionSettings connectionSettings = broker.buildConnectionSettings();
+        assertTrue(String.format("Unexpected '%s' option value", BrokerDetails.OPTIONS_SSL_VERIFY_HOSTNAME),
+                connectionSettings.isVerifyHostname());
+        assertNull(String.format("Unexpected '%s' property value", BrokerDetails.OPTIONS_SSL_VERIFY_HOSTNAME),
+                broker.getProperty(BrokerDetails.OPTIONS_SSL_VERIFY_HOSTNAME));
+    }
+
+    public void testSslVerifyHostNameIsTurnedOff() throws Exception
+    {
+        String brokerURL = "tcp://localhost:5672?ssl='true'&ssl_verify_hostname='false'";
+        AMQBrokerDetails broker = new AMQBrokerDetails(brokerURL);
+        ConnectionSettings connectionSettings = broker.buildConnectionSettings();
+        assertFalse(String.format("Unexpected '%s' option value", BrokerDetails.OPTIONS_SSL_VERIFY_HOSTNAME),
+                connectionSettings.isVerifyHostname());
+        assertEquals(String.format("Unexpected '%s' property value", BrokerDetails.OPTIONS_SSL_VERIFY_HOSTNAME),
+                "false", broker.getProperty(BrokerDetails.OPTIONS_SSL_VERIFY_HOSTNAME));
+    }
+
+    public void testSslVerifyHostNameTurnedOffViaSystemProperty() throws Exception
+    {
+        setTestSystemProperty(ClientProperties.CONNECTION_OPTION_SSL_VERIFY_HOST_NAME, "false");
+        String brokerURL = "tcp://localhost:5672?ssl='true'";
+        AMQBrokerDetails broker = new AMQBrokerDetails(brokerURL);
+        ConnectionSettings connectionSettings = broker.buildConnectionSettings();
+        assertFalse(String.format("Unexpected '%s' option value", BrokerDetails.OPTIONS_SSL_VERIFY_HOSTNAME),
+                connectionSettings.isVerifyHostname());
+        assertNull(String.format("Unexpected '%s' property value", BrokerDetails.OPTIONS_SSL_VERIFY_HOSTNAME),
+                broker.getProperty(BrokerDetails.OPTIONS_SSL_VERIFY_HOSTNAME));
+    }
 }
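Review bot: The three added tests never pin the precedence between the URL option and the system property in the direction that matters for security: nothing checks that an explicit `ssl_verify_hostname='true'` in the broker URL still enables verification when `qpid.connection_ssl_verify_hostname` is set to `false` for the whole JVM. A regression that let the system property win would disable verification on connections that asked for it, and these tests would still pass. A fourth test along the lines below would cover it. Separately, `testSslVerifyHostNameIsTurnedOnByDefault` assumes the property is not set in the JVM running the tests, which is worth a short comment.

```java
    public void testSslVerifyHostNameUrlOptionOverridesSystemProperty() throws Exception
    {
        setTestSystemProperty(ClientProperties.CONNECTION_OPTION_SSL_VERIFY_HOST_NAME, "false");
        String brokerURL = "tcp://localhost:5672?ssl='true'&ssl_verify_hostname='true'";
        AMQBrokerDetails broker = new AMQBrokerDetails(brokerURL);
        assertTrue(String.format("Unexpected '%s' option value", BrokerDetails.OPTIONS_SSL_VERIFY_HOSTNAME),
                broker.buildConnectionSettings().isVerifyHostname());
    }
```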

Modified: qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/configuration/ClientProperties.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/configuration/ClientProperties.java?rev=1616378&r1=1616377&r2=1616378&view=diff
==============================================================================
--- qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/configuration/ClientProperties.java (original)
+++ qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/configuration/ClientProperties.java Thu Aug  7 00:20:24 2014
@@ -248,7 +248,11 @@ public class ClientProperties
      */
     public static final String SET_EXPIRATION_AS_TTL = "qpid.set_expiration_as_ttl";
 
-
+    /**
+     * System property to set a default value for a connection option 'ssl_verify_hostname'
+     */
+    public static final String CONNECTION_OPTION_SSL_VERIFY_HOST_NAME = "qpid.connection_ssl_verify_hostname";
+    public static final boolean DEFAULT_CONNECTION_OPTION_SSL_VERIFY_HOST_NAME = true;
 
     private ClientProperties()
     {
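Review bot: `DEFAULT_CONNECTION_OPTION_SSL_VERIFY_HOST_NAME` has no Javadoc of its own, because the added comment attaches only to the `String` constant above it. The comment also does not say that an explicit `ssl_verify_hostname` in the connection URL takes precedence over the system property. I would extend the first comment to `System property to set a default value for the connection option 'ssl_verify_hostname'; an explicit value in the connection URL overrides it.` and add `/** Default for {@link #CONNECTION_OPTION_SSL_VERIFY_HOST_NAME}: broker host name verification is on unless explicitly disabled. */` above the boolean. The class body continues outside the hunk.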

Modified: qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/client/ssl/SSLTest.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/client/ssl/SSLTest.java?rev=1616378&r1=1616377&r2=1616378&view=diff
==============================================================================
--- qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/client/ssl/SSLTest.java (original)
+++ qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/client/ssl/SSLTest.java Thu Aug  7 00:20:24 2014
@@ -75,7 +75,7 @@ public class SSLTest extends QpidBrokerT
             super.setUp();
 
             String url = "amqp://guest:guest@test/?brokerlist='tcp://localhost:%s" +
-            "?ssl='true'&ssl_verify_hostname='true'" +
+            "?ssl='true'" +
             "&key_store='%s'&key_store_password='%s'" +
             "&trust_store='%s'&trust_store_password='%s'" +
             "'";
@@ -90,6 +90,49 @@ public class SSLTest extends QpidBrokerT
         }
     }
 
+    public void testHostVerificationIsOnByDefault() throws Exception
+    {
+        if (shouldPerformTest())
+        {
+            clearSslStoreSystemProperties();
+
+            //Start the broker (NEEDing client certificate authentication)
+            configureJavaBrokerIfNecessary(true, true, true, false, false);
+            super.setUp();
+
+            String url = "amqp://guest:guest@test/?brokerlist='tcp://127.0.0.1:%s" +
+                    "?ssl='true'" +
+                    "&key_store='%s'&key_store_password='%s'" +
+                    "&trust_store='%s'&trust_store_password='%s'" +
+                    "'";
+
+            url = String.format(url,QpidBrokerTestCase.DEFAULT_SSL_PORT,
+                    KEYSTORE,KEYSTORE_PASSWORD,TRUSTSTORE,TRUSTSTORE_PASSWORD);
+
+            try
+            {
+                getConnection(new AMQConnectionURL(url));
+            }
+            catch(JMSException e)
+            {
+                assertTrue("Unexpected exception message", e.getMessage().contains("SSL hostname verification failed"));
+            }
+
+            url = "amqp://guest:guest@test/?brokerlist='tcp://127.0.0.1:%s" +
+                    "?ssl='true'&ssl_verify_hostname='false'" +
+                    "&key_store='%s'&key_store_password='%s'" +
+                    "&trust_store='%s'&trust_store_password='%s'" +
+                    "'";
+            url = String.format(url,QpidBrokerTestCase.DEFAULT_SSL_PORT,
+                    KEYSTORE,KEYSTORE_PASSWORD,TRUSTSTORE,TRUSTSTORE_PASSWORD);
+
+            Connection con = getConnection(new AMQConnectionURL(url));
+            assertNotNull("connection should be successful", con);
+            Session ssn = con.createSession(false,Session.AUTO_ACKNOWLEDGE);
+            assertNotNull("create session should be successful", ssn);
+        }
+    }
+
     /**
      * Create an SSL connection using the SSL system properties for the trust and key store, but using
      * the {@link ConnectionURL} ssl='true' option to indicate use of SSL at a Connection level,
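Review bot: `testHostVerificationIsOnByDefault` passes even when host name verification is off. The first `getConnection(new AMQConnectionURL(url));` sits in a `try` with no failure on the success path, so a connection to `127.0.0.1` that is accepted just skips the `catch` and the test continues. Add `fail("Connection to 127.0.0.1 should fail SSL host name verification");` directly after that call inside the `try`, so the default-on behaviour is actually asserted. The `catch` matches on the message substring "SSL hostname verification failed", which is brittle. If the cause chain exposes a more specific exception type (not visible here), asserting on that would be sturdier. The second connection `con` is never closed in the test body, unless the base class tear-down handles it.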
@@ -197,7 +240,7 @@ public class SSLTest extends QpidBrokerT
 
             String url = "amqp://guest:guest@test/?brokerlist='tcp://127.0.0.1:" +
             QpidBrokerTestCase.DEFAULT_SSL_PORT +
-            "?ssl='true'&ssl_verify_hostname='true''";
+            "?ssl='true''";
 
             try
             {
@@ -230,7 +273,7 @@ public class SSLTest extends QpidBrokerT
 
             String url = "amqp://guest:guest@test/?brokerlist='tcp://localhost:" +
             QpidBrokerTestCase.DEFAULT_SSL_PORT +
-            "?ssl='true'&ssl_verify_hostname='true''";
+            "?ssl='true''";
 
             Connection con = getConnection(new AMQConnectionURL(url));
             assertNotNull("connection should have been created", con);
@@ -247,7 +290,7 @@ public class SSLTest extends QpidBrokerT
 
             String url = "amqp://guest:guest@test/?brokerlist='tcp://localhost.localdomain:" +
             QpidBrokerTestCase.DEFAULT_SSL_PORT +
-            "?ssl='true'&ssl_verify_hostname='true''";
+            "?ssl='true''";
 
             Connection con = getConnection(new AMQConnectionURL(url));
             assertNotNull("connection should have been created", con);
@@ -266,7 +309,7 @@ public class SSLTest extends QpidBrokerT
 
 
             String url = "amqp://guest:guest@test/?brokerlist='tcp://localhost:%s" +
-            "?ssl='true'&ssl_verify_hostname='true'" +
+            "?ssl='true'" +
             "&trust_store='%s'&trust_store_password='%s'" +
             "'";
 


