Posted to commits@activemq.apache.org by mi...@apache.org on 2022/06/29 08:28:31 UTC

[activemq-nms-openwire] 02/02: AMQNET-768 Update negotiation and validation of SSL protocol

This is an automated email from the ASF dual-hosted git repository.

michaelpearce pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-nms-openwire.git

commit 44bf1fd0f617846f8e718c1f4782c47311324aa0
Author: Bruce Dodson <bd...@esri.ca>
AuthorDate: Thu Jun 16 12:09:36 2022 -0700

    AMQNET-768 Update negotiation and validation of SSL protocol
    
    AMQNET-768 Update negotiation and validation of SSL protocol
    
    * Change SslContext default constructor to defer to OS in lieu of
      defaulting to TLS 1.0, using value "None"
    
    * Change GetAllowedProtocol to return None when SslProtocol value
      is invalid / empty / null
    
    * Validate SslProtocol and fail fast where it can be assigned
      from externally in SslTransport and SslTransportFactory
---
 src/Transport/Tcp/SslContext.cs          |  2 +-
 src/Transport/Tcp/SslTransport.cs        | 26 ++++++++++++++++++--------
 src/Transport/Tcp/SslTransportFactory.cs | 19 +++++++++++++++++--
 3 files changed, 36 insertions(+), 11 deletions(-)

diff --git a/src/Transport/Tcp/SslContext.cs b/src/Transport/Tcp/SslContext.cs
index d35e0e2..db5b723 100644
--- a/src/Transport/Tcp/SslContext.cs
+++ b/src/Transport/Tcp/SslContext.cs
@@ -6,7 +6,7 @@ namespace Apache.NMS.ActiveMQ.Transport.Tcp
     {
         private String sslProtocol;
 
-        public SslContext() : this("Tls")
+        public SslContext() : this("None")
         {
         }
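Review bot: The new default `"None"` is only correct because `SslProtocols.None` means "let the OS negotiate" on .NET Core and .NET Framework 4.7+, and nothing at this call site tells a reader that; a bare string literal looks like a typo for a protocol name. Add `// "None" -> SslProtocols.None: let the OS negotiate the protocol version instead of pinning TLS 1.0` above the constructor. If this library still targets a .NET Framework older than 4.7, `SslStream.AuthenticateAsClient` with `SslProtocols.None` was, as far as I recall, rejected there — worth confirming against the project's target frameworks before shipping this default. The constructor this delegates to is outside the hunk.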
 
diff --git a/src/Transport/Tcp/SslTransport.cs b/src/Transport/Tcp/SslTransport.cs
index 17f2e06..a7316a0 100644
--- a/src/Transport/Tcp/SslTransport.cs
+++ b/src/Transport/Tcp/SslTransport.cs
@@ -33,7 +33,7 @@ namespace Apache.NMS.ActiveMQ.Transport.Tcp
         private string brokerCertFilename;
         private string keyStoreName;
         private string keyStoreLocation;
-        private string sslProtocol;
+        internal string sslProtocol;
         private bool acceptInvalidBrokerCert = false;
 
         private SslStream sslStream;
@@ -121,7 +121,21 @@ namespace Apache.NMS.ActiveMQ.Transport.Tcp
         public string SslProtocol
         {
             get { return this.sslProtocol; }
-            set { this.sslProtocol = value; }
+            set
+            {
+                if (String.IsNullOrEmpty(value))
+                {
+                    this.sslProtocol = null;
+                }
+                else if (Enum.TryParse<SslProtocols>(value, true, out var _))
+                {
+                    this.sslProtocol = value;
+                }
+                else
+                {
+                    throw new ArgumentException($"Requested value '{value}' was not found in {nameof(SslProtocols)}.");
+                }
+            }
         }
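Review bot: The `Enum.TryParse<SslProtocols>(value, true, out var _)` check on the new `else if` also succeeds for any integer string — `"0"`, `"48"`, `"4095"` — because `Enum.TryParse` accepts numeric input whether or not it names a defined member, so this fail-fast rejects typos but not arbitrary bit patterns. It likewise accepts `"Ssl2"`, `"Ssl3"` and `"Default"`, so a caller should not read "validated" as "safe to negotiate". If the intent is named values only, change the condition to `else if (Enum.TryParse<SslProtocols>(value, true, out var parsed) && Enum.IsDefined(typeof(SslProtocols), parsed))`, noting that `IsDefined` rejects comma-separated flag combinations such as `"Tls12, Tls13"`, so decide deliberately whether those are supported. Minor: `out var _` can simply be the discard `out _`.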
 
         protected override Stream CreateSocketStream()
@@ -325,12 +339,8 @@ namespace Apache.NMS.ActiveMQ.Transport.Tcp
 
         private SslProtocols GetAllowedProtocol() 
         {
-            if (!String.IsNullOrEmpty(SslProtocol))
-            {
-                return (SslProtocols)Enum.Parse(typeof(SslProtocols), SslProtocol, true);
-            }
-
-            return SslProtocols.Default;
+            Enum.TryParse<SslProtocols>(sslProtocol, true, out var parsedOrNone);
+            return parsedOrNone;
         }
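Review bot: The boolean result of `Enum.TryParse` on the new first line of `GetAllowedProtocol` is discarded, so any value that did not pass through the setter — the factory writes `sslProtocol` directly — silently becomes `SslProtocols.None` instead of failing, and `None` now changes what gets negotiated rather than falling back to a fixed version. That is acceptable only because both setters validate first, so say so: `// null/empty (or anything unparsable) maps to SslProtocols.None so the OS negotiates; the setters reject invalid names up front`. For the null path this relies on `Enum.TryParse(null, ...)` returning false without throwing, which it does.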
     }
 }
diff --git a/src/Transport/Tcp/SslTransportFactory.cs b/src/Transport/Tcp/SslTransportFactory.cs
index 2fdb7a1..91a86c2 100644
--- a/src/Transport/Tcp/SslTransportFactory.cs
+++ b/src/Transport/Tcp/SslTransportFactory.cs
@@ -18,6 +18,7 @@
 using System;
 using System.Web;
 using System.Net.Sockets;
+using System.Security.Authentication;
 
 namespace Apache.NMS.ActiveMQ.Transport.Tcp
 {
@@ -89,7 +90,21 @@ namespace Apache.NMS.ActiveMQ.Transport.Tcp
         public string SslProtocol
         {
             get { return this.sslProtocol; }
-            set { this.sslProtocol = value; }
+            set
+            {
+                if (String.IsNullOrEmpty(value))
+                {
+                    this.sslProtocol = null;
+                }
+                else if (Enum.TryParse<SslProtocols>(value, true, out var _))
+                {
+                    this.sslProtocol = value;
+                }
+                else
+                {
+                    throw new ArgumentException($"Requested value '{value}' was not found in {nameof(SslProtocols)}.");
+                }
+            }
         }
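Review bot: This setter is a line-for-line copy of the `SslTransport.SslProtocol` setter in the same patch, down to the exception message; two validators that must stay in sync is how the next tightening (or loosening) lands in one class and not the other. Extract it once, e.g. `internal static string ValidateSslProtocol(string value)` returning null for null/empty, the value when it parses, and throwing otherwise, and reduce both setters to `set { this.sslProtocol = ValidateSslProtocol(value); }`. The same caveat as in the transport applies here: `Enum.TryParse` accepts numeric strings, so `"48"` passes this check.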
 
 		protected override ITransport DoCreateTransport(Uri location, Socket socket, IWireFormat wireFormat )
@@ -115,7 +130,7 @@ namespace Apache.NMS.ActiveMQ.Transport.Tcp
             transport.KeyStoreLocation = this.keyStoreLocation;
             transport.KeyStoreName = this.keyStoreName;
             transport.AcceptInvalidBrokerCert = this.acceptInvalidBrokerCert;
-            transport.SslProtocol = this.sslProtocol;
+            transport.sslProtocol = this.sslProtocol; // bypass revalidation
             
             return transport;
 		}
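Review bot: `transport.sslProtocol = this.sslProtocol; // bypass revalidation` writes a field that had to be widened from `private` to `internal` in SslTransport purely so this line can skip the setter; the saving is one `Enum.TryParse` of a short string per transport, which does not justify exposing the raw field to the whole assembly and adding a second, unvalidated write path to the value `GetAllowedProtocol` reads. Use the property and keep the field private: `transport.SslProtocol = this.sslProtocol;`. If the bypass is kept, the comment should state why it is safe — `// already validated by the SslTransportFactory.SslProtocol setter` — rather than only that it is a bypass. `DoCreateTransport` begins outside this hunk.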