Posted to users@camel.apache.org by Gareth Collins <ga...@hotmail.com> on 2010/04/09 03:00:16 UTC
Make TrustManager Optional When Using SSL For Netty
Hello,
Would it be possible to make the TrustManager optional for Netty SSL
support? I made a change in my local version of camel-netty and it works for
me (file org.apache.camel.component.netty.ssl.SSLEngineFactory - replacement
for the original SSLEngineFactory constructor):
public SSLEngineFactory(File keyStoreFile, File trustStoreFile, char[] passphrase) throws Exception {
    super();
    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(IOConverter.toInputStream(keyStoreFile), passphrase);
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    kmf.init(ks, passphrase);
    sslContext = SSLContext.getInstance(SSL_PROTOCOL);
    if (trustStoreFile != null) {
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(IOConverter.toInputStream(trustStoreFile), passphrase);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(ts);
        sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    } else {
        // No trust store given: a null TrustManager[] makes JSSE install its default
        // trust managers (javax.net.ssl.trustStore or the JDK cacerts), not "no verification"
        sslContext.init(kmf.getKeyManagers(), null, null);
    }
}
I ask for this as I have to contact a server where SSL will not work
properly if a TrustManager is installed. If this could go in before CAMEL
2.3 it would be much appreciated.
A couple of questions about the netty implementation:
(1) Is there a reason why JKS was hardcoded here, rather than allowing the
key store format to be configured?
(2) When I add the TrustManager using netty for the connection where it
could not be used, netty throws me no exception, the connection remains
open, but the messages I send do not get to the server. If I connect
directly using an SSLSocket I see a javax.net.ssl.SSLHandshakeException. Is
there something I am missing here?
thanks in advance,
Gareth Collins
--
View this message in context: http://old.nabble.com/Make-TrustManager-Optional-When-Using-SSL-For-Netty-tp28186386p28186386.html
Sent from the Camel - Users mailing list archive at Nabble.com.
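Added example (an editor's illustration, not Gareth's patch and not camel-netty's SSLEngineFactory): a small JSSE factory that takes the store type and the key/trust manager algorithms from the JDK defaults instead of hardcoding "JKS" and "SunX509", keeps the trust store optional, and reports which trust anchors actually end up in the SSLContext. The security point behind question (1) and behind an "optional" trust store is that passing null trust managers to SSLContext.init does not disable server verification; it installs the JDK's default trust managers, backed by javax.net.ssl.trustStore or lib/security/cacerts, so a server whose chain is not rooted there still fails the handshake. The class name NettySslContextFactory and the main() are assumptions for illustration; main() runs offline with an empty in-memory key store and no trust store.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper (not camel-netty's SSLEngineFactory): builds an SSLContext with a
// configurable key store type and an optional trust store.
public final class NettySslContextFactory {

    private NettySslContextFactory() {}

    // Load a store of the given type (e.g. "JKS" or "PKCS12") from disk. A null path yields an
    // empty in-memory store of the requested (or default) type, so a context can be built
    // without any client key material.
    public static KeyStore loadKeyStore(Path path, String storeType, char[] passphrase) throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType != null ? storeType : KeyStore.getDefaultType());
        if (path == null) {
            ks.load(null, passphrase);           // empty store, nothing read from disk
            return ks;
        }
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, passphrase);
        }
        return ks;
    }

    // Resolve the trust managers SSLContext.init will use. trustStore == null deliberately
    // falls back to the JDK default trust store, which is exactly what
    // SSLContext.init(km, null, null) does implicitly, here made explicit and inspectable.
    public static TrustManager[] resolveTrustManagers(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                    // null KeyStore => JDK default trust anchors
        return tmf.getTrustManagers();
    }

    public static SSLContext build(String protocol, KeyStore keyStore, char[] passphrase, KeyStore trustStore)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, passphrase);
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(kmf.getKeyManagers(), resolveTrustManagers(trustStore), null);
        return ctx;
    }

    // Count the CA certificates the X509 trust manager accepts as issuers. Zero anchors means
    // every server certificate is rejected with an SSLHandshakeException, which is what an
    // empty or mismatched trust store produces.
    public static int countTrustAnchors(TrustManager[] tms) {
        int n = 0;
        for (TrustManager tm : tms) {
            if (tm instanceof X509TrustManager) {
                n += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();    // constructed sample passphrase
        KeyStore emptyKeys = loadKeyStore(null, null, pw);

        // No trust store supplied: the JDK cacerts are used, not "trust everything"
        TrustManager[] defaults = resolveTrustManagers(null);
        System.out.println("default trust anchors: " + countTrustAnchors(defaults));

        // An explicit but empty trust store: zero anchors, so any server chain would be rejected
        KeyStore emptyTrust = loadKeyStore(null, "PKCS12", pw);
        System.out.println("empty trust store anchors: " + countTrustAnchors(resolveTrustManagers(emptyTrust)));

        SSLContext ctx = build("TLS", emptyKeys, pw, null);
        System.out.println("context protocol: " + ctx.getProtocol());
    }
}
```

Pointing loadKeyStore at a real trust store path and printing countTrustAnchors for it is a quick way to confirm which anchors a given configuration actually installs before wiring the context into a transport; a server whose certificate chain does not terminate at one of those anchors will fail verification regardless of whether the transport surfaces the handshake error or, as described in question (2), simply stops delivering messages.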
Re: Make TrustManager Optional When Using SSL For Netty
Posted by Ashwin Karpe <as...@progress.com>.
Hi Gareth,
Thanks for the feedback... I developed and checked in this component a few
weeks ago.
I have created a new Jira issue to record this request and will fix these in
the coming days. Please find the link below:
https://issues.apache.org/activemq/browse/CAMEL-2625
Issue 2 is a little unclear to me... Could you please let me know how to
reproduce this issue, or send me a test case...
Cheers,
Ashwin...
Gareth Collins wrote:
>
> Hello,
>
> Would it be possible to make the TrustManager optional for Netty SSL
> support? I made a change in my local version of camel-netty and it works
> for me (file org.apache.camel.component.netty.ssl.SSLEngineFactory -
> replacement for the original SSLEngineFactory constructor):
>
> public SSLEngineFactory(File keyStoreFile, File trustStoreFile, char[]
> passphrase) throws Exception {
> super();
>
> KeyStore ks = KeyStore.getInstance("JKS");
>
> ks.load(IOConverter.toInputStream(keyStoreFile), passphrase);
>
> KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
> kmf.init(ks, passphrase);
>
> sslContext = SSLContext.getInstance(SSL_PROTOCOL);
>
>
> if (trustStoreFile != null)
> {
>
> KeyStore ts = KeyStore.getInstance("JKS");
>
> ts.load(IOConverter.toInputStream(trustStoreFile), passphrase);
>
> TrustManagerFactory tmf =
> TrustManagerFactory.getInstance("SunX509");
> tmf.init(ts);
> sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(),
> null);
> }
> else
> {
> sslContext.init(kmf.getKeyManagers(), null, null);
> }
> }
>
> I ask for this as I have to contact a server where SSL will not work
> properly if a TrustManager is installed. If this could go in before CAMEL
> 2.3 it would be much appreciated.
>
> A couple of questions about the netty implementation:
>
> (1) Is there a reason why JKS was hardcoded here, rather than allowing the
> key store format to be configured?
>
> (2) When I add the TrustManager using netty for the connection where it
> could not be used, netty throws me no exception, the connection remains
> open, but the messages I send do not get to the server. If I connect
> directly using an SSLSocket I see a javax.net.ssl.SSLHandshakeException.
> Is there something I am missing here?
>
> thanks in advance,
> Gareth Collins
>
-----
---
Ashwin Karpe, Principal Consultant, PS - Opensource Center of Competence
Progress Software Corporation
14 Oak Park Drive
Bedford, MA 01730
---
+1-972-304-9084 (Office)
+1-972-971-1700 (Mobile)
----
Blog: http://opensourceknowledge.blogspot.com/
Re: Make TrustManager Optional When Using SSL For Netty
Posted by Ashwin Karpe <as...@progress.com>.
Hi,
I have created a patch and made the Keystore Format and Security Provider
configurable. Please check out the Jira Issue in my previous email
Cheers,
Ashwin...
Re: Make TrustManager Optional When Using SSL For Netty
Posted by Gareth Collins <ga...@hotmail.com>.
Thanks very much! I will update my environment today.
As for the question about the test case, I don't know enough about SSL (yet)
to understand why connection to this particular third-party server fails for
me. I will need to get back to you on this.
thanks again,
Gareth
Re: Make TrustManager Optional When Using SSL For Netty
Posted by Ashwin Karpe <as...@progress.com>.
Hi,
I have committed a fix based on your change request. You should be able to
now checkout the latest changes from the trunk.
Cheers,
Ashwin...