Posted to dev@activemq.apache.org by "Jack Fitch (Created) (JIRA)" <ji...@apache.org> on 2012/03/24 16:48:24 UTC

[jira] [Created] (AMQ-3785) ActiveMQSslConnectionFactory does not detect ssl request in failover URIs when creating transports

ActiveMQSslConnectionFactory does not detect ssl request in failover URIs when creating transports
--------------------------------------------------------------------------------------------------

                 Key: AMQ-3785
                 URL: https://issues.apache.org/jira/browse/AMQ-3785
             Project: ActiveMQ
          Issue Type: Bug
          Components: Transport
    Affects Versions: 5.5.0
         Environment: Looks global from SVN source but I detected with JDK 1.6.0_31 on Redhat Linux client using AMQ 5.5.0
            Reporter: Jack Fitch
             Fix For: 5.5.1


The createTransport method in ActiveMQSslConnectionFactory delegates to the superclass if the URI scheme is not ssl. Failover URIs have 'failover' as the URI scheme and so always delegate to the superclass. This causes ssl connections that need key or trust stores manipulated by code to hang or fail as the credentials are not available.

Code from SVN trunk for ActiveMQSslConnectionFactory shows why:

    protected Transport createTransport() throws JMSException {
        // If the given URI is non-ssl, let superclass handle it.
        if (!brokerURL.getScheme().equals("ssl")) {
            return super.createTransport();
        }
        // !! jackf comment: the code below is never reached for failover URIs like failover:ssl:... or failover:(tcp:..., ssl...)
        // because the URI scheme is failover, not ssl.
        // Therefore connections that need a keyManager or trustManager fail.

        try {
            if (keyManager == null || trustManager == null) {
                trustManager = createTrustManager();
                keyManager = createKeyManager();
                // secureRandom can be left as null
            }
            SslTransportFactory sslFactory = new SslTransportFactory();
            SslContext ctx = new SslContext(keyManager, trustManager, secureRandom);
            SslContext.setCurrentSslContext(ctx);
            return sslFactory.doConnect(brokerURL);
        } catch (Exception e) {
            throw JMSExceptionSupport.create("Could not create Transport. Reason: " + e, e);
        }
    }

(Vague) Solution: 1) need better pattern match than URI scheme to detect requests for ssl connections. 2) A failover URI is essentially a list of URIs so multiple ssl transport requests may be in the failover list. A first start is to require that the same key and trust stores are used for all failover connections but you may want to consider allowing customized stores for each of the ssl connections.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] [Updated] (AMQ-3785) ActiveMQSslConnectionFactory does not detect ssl request in failover URIs when creating transports

Posted by "Timothy Bish (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AMQ-3785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Timothy Bish updated AMQ-3785:
------------------------------

    Fix Version/s:     (was: 5.5.1)
                   5.x

Should provide unit tests and patch

[jira] [Resolved] (AMQ-3785) ActiveMQSslConnectionFactory does not detect ssl request in failover URIs when creating transports

Posted by "Gary Tully (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AMQ-3785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary Tully resolved AMQ-3785.
-----------------------------

       Resolution: Fixed
    Fix Version/s:     (was: 5.x)
                   5.7.0
         Assignee: Gary Tully

fix in http://svn.apache.org/viewvc?rev=1361984&view=rev
The ssl factory was bypassing normal transport factory resolution. The fix is to have it use the SslContext thread local, which is respected by the SslTransportFactory.
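The two pieces this thread circles around, as an added example that is not code from ActiveMQ or from anyone on this issue: the reporter's "better pattern match than URI scheme" (walking a failover URI for nested ssl:// members) and the thread-local route named in the resolution (installing one key/trust pair through SslContext so the SslTransportFactory honours it for every ssl member). It assumes the ActiveMQ 5.x client on the classpath and a caller that already holds its own KeyManager/TrustManager arrays; the class name and wrapsNestedUris heuristic are this example's own.

```java
import java.net.URI;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;
import org.apache.activemq.ActiveMQSslConnectionFactory;
import org.apache.activemq.broker.SslContext;
import org.apache.activemq.util.URISupport;

public class FailoverSslClient {

    /** True when the scheme-specific part wraps further URIs: failover:(...) or failover:ssl://... */
    static boolean wrapsNestedUris(URI uri) {
        String ssp = uri.getRawSchemeSpecificPart();
        if (ssp.startsWith("//")) {
            ssp = ssp.substring(2);
        }
        return ssp.startsWith("(") || ssp.contains("://");
    }

    /** Every ssl:// member, found by descending through composite URIs instead of trusting the
     *  outer scheme; "failover" alone says nothing about whether TLS is in play. */
    static List<URI> sslComponents(URI uri) throws Exception {
        List<URI> found = new ArrayList<URI>();
        if ("ssl".equals(uri.getScheme())) {
            found.add(uri);
        } else if (wrapsNestedUris(uri)) {
            for (URI member : URISupport.parseComposite(uri).getComponents()) {
                found.addAll(sslComponents(member));
            }
        }
        return found;
    }

    /** One key/trust pair for all ssl members, installed through the SslContext thread-local that
     *  SslTransportFactory reads when the failover transport connects to each ssl:// member. */
    static ActiveMQSslConnectionFactory sslFactory(String brokerUrl, KeyManager[] km,
                                                   TrustManager[] tm) throws Exception {
        if (sslComponents(new URI(brokerUrl)).isEmpty()) {
            throw new IllegalArgumentException("no ssl transport in " + brokerUrl);
        }
        // Thread-local: only connections created on this thread pick these managers up; without it
        // the ssl members negotiate with the JVM default key and trust material instead.
        SslContext.setCurrentSslContext(new SslContext(km, tm, new SecureRandom()));
        ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory(brokerUrl);
        factory.setKeyAndTrustManagers(km, tm, new SecureRandom());
        return factory;
    }
}
```

The thread-local outlives createConnection(), so clear it with SslContext.setCurrentSslContext(null) once the connection is up if the same thread later builds connections that must not inherit these managers.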

[jira] [Commented] (AMQ-3785) ActiveMQSslConnectionFactory does not detect ssl request in failover URIs when creating transports

Posted by "Bryce Prescott (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMQ-3785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13440423#comment-13440423 ] 

Bryce Prescott commented on AMQ-3785:
-------------------------------------

I downloaded the ActiveMQ 5.7 snapshot jars and still had a similar issue. See attached zip file.


[jira] [Updated] (AMQ-3785) ActiveMQSslConnectionFactory does not detect ssl request in failover URIs when creating transports

Posted by "Bryce Prescott (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AMQ-3785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bryce Prescott updated AMQ-3785:
--------------------------------

    Attachment: ActiveMQFailoverTest.zip

Here it is.

The SSL failover fails with a certificate_unknown error using ActiveMQSslConnectionFactory.setKeyAndTrustManagers.

If, however, that line of code is commented out and Thread.setSslContext is used instead, it does work.