Posted to commits@activemq.apache.org by mi...@apache.org on 2022/06/29 08:28:31 UTC
[activemq-nms-openwire] 02/02: AMQNET-768 Update negotiation and validation of SSL protocol
This is an automated email from the ASF dual-hosted git repository.
michaelpearce pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-nms-openwire.git
commit 44bf1fd0f617846f8e718c1f4782c47311324aa0
Author: Bruce Dodson <bd...@esri.ca>
AuthorDate: Thu Jun 16 12:09:36 2022 -0700
AMQNET-768 Update negotiation and validation of SSL protocol
AMQNET-768 Update negotiation and validation of SSL protocol
* Change SslContext default constructor to defer to OS in lieu of
defaulting to TLS 1.0, using value "None"
* Change GetAllowedProtocol to return None when SslProtocol value
is invalid / empty / null
* Validate SslProtocol and fail fast where it can be assigned
externally, in SslTransport and SslTransportFactory
---
src/Transport/Tcp/SslContext.cs | 2 +-
src/Transport/Tcp/SslTransport.cs | 26 ++++++++++++++++++--------
src/Transport/Tcp/SslTransportFactory.cs | 19 +++++++++++++++++--
3 files changed, 36 insertions(+), 11 deletions(-)
diff --git a/src/Transport/Tcp/SslContext.cs b/src/Transport/Tcp/SslContext.cs
index d35e0e2..db5b723 100644
--- a/src/Transport/Tcp/SslContext.cs
+++ b/src/Transport/Tcp/SslContext.cs
@@ -6,7 +6,7 @@ namespace Apache.NMS.ActiveMQ.Transport.Tcp
{
private String sslProtocol;
- public SslContext() : this("Tls")
+ public SslContext() : this("None")
{
}
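Review bot: The new default `"None"` needs a comment on the constructor, because a reader will otherwise take it for "no TLS" rather than for SslProtocols.None, which lets the runtime/OS pick the protocol set; suggest `// "None" maps to SslProtocols.None: defer protocol selection to the OS/runtime (previously hard-coded to "Tls", i.e. TLS 1.0)`. Which versions are then actually negotiable depends on the target framework and OS policy rather than on this library, and older .NET Framework targets may not accept SslProtocols.None in SslStream at all, so it is worth confirming against the supported targets. The SslContext class header lies outside this hunk.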
diff --git a/src/Transport/Tcp/SslTransport.cs b/src/Transport/Tcp/SslTransport.cs
index 17f2e06..a7316a0 100644
--- a/src/Transport/Tcp/SslTransport.cs
+++ b/src/Transport/Tcp/SslTransport.cs
@@ -33,7 +33,7 @@ namespace Apache.NMS.ActiveMQ.Transport.Tcp
private string brokerCertFilename;
private string keyStoreName;
private string keyStoreLocation;
- private string sslProtocol;
+ internal string sslProtocol;
private bool acceptInvalidBrokerCert = false;
private SslStream sslStream;
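Review bot: Widening `sslProtocol` from private to internal exists only so that SslTransportFactory can write the field directly (its `transport.sslProtocol = this.sslProtocol; // bypass revalidation` line in the DoCreateTransport hunk), which means the invariant the new SslProtocol setter establishes — the field is null or a name Enum.TryParse accepts for SslProtocols — now depends on every internal caller validating on its own. The factory's value has already passed the identical check, so assigning through the property instead, `transport.SslProtocol = this.sslProtocol;`, costs one redundant Enum.TryParse and lets the field stay `private`. If the direct write is kept, document the contract on the field: `// null or a name parseable as SslProtocols; written only via SslProtocol or by SslTransportFactory after its own validation`.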
@@ -121,7 +121,21 @@ namespace Apache.NMS.ActiveMQ.Transport.Tcp
public string SslProtocol
{
get { return this.sslProtocol; }
- set { this.sslProtocol = value; }
+ set
+ {
+ if (String.IsNullOrEmpty(value))
+ {
+ this.sslProtocol = null;
+ }
+ else if (Enum.TryParse<SslProtocols>(value, true, out var _))
+ {
+ this.sslProtocol = value;
+ }
+ else
+ {
+ throw new ArgumentException($"Requested value '{value}' was not found in {nameof(SslProtocols)}.");
+ }
+ }
}
protected override Stream CreateSocketStream()
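Review bot: `Enum.TryParse<SslProtocols>(value, true, out var _)` also succeeds for any integer string ("12", "-1", "9999"), because Enum.TryParse accepts numeric input whether or not the value is defined, so the fail-fast check still admits strings that later negotiate an unintended or empty protocol set. Rejecting input whose first non-blank character is a digit or sign keeps comma-separated flag names such as "Tls12, Tls13" working, e.g. `var first = value.TrimStart()[0];` followed by `else if (first != '-' && first != '+' && !char.IsDigit(first) && Enum.TryParse<SslProtocols>(value, true, out _))`; `out _` is the idiomatic discard. The identical setter is duplicated verbatim in SslTransportFactory (its `public string SslProtocol` hunk), so a shared static validation helper would keep the two from drifting, and the ArgumentException should carry `nameof(value)` as its paramName. Note that the accepted names still include the obsolete Ssl2, Ssl3, Tls and Tls11; whether those are refused here or left to OS policy is a decision the commit does not record.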
@@ -325,12 +339,8 @@ namespace Apache.NMS.ActiveMQ.Transport.Tcp
private SslProtocols GetAllowedProtocol()
{
- if (!String.IsNullOrEmpty(SslProtocol))
- {
- return (SslProtocols)Enum.Parse(typeof(SslProtocols), SslProtocol, true);
- }
-
- return SslProtocols.Default;
+ Enum.TryParse<SslProtocols>(sslProtocol, true, out var parsedOrNone);
+ return parsedOrNone;
}
}
}
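Review bot: The return value of `Enum.TryParse` is discarded, so an unparseable field silently becomes SslProtocols.None and hands protocol selection to the OS instead of surfacing a misconfiguration; that is only safe because the SslProtocol setter validates and the factory assigns an already-validated string, which the method should record: `// sslProtocol is null (=> None, OS default) or a name already validated by the SslProtocol setter, so TryParse cannot fail here`. Since the field is now internal and writable without the setter, a `Debug.Assert` on the TryParse result, or an InvalidOperationException when it is false and the field is non-empty, would give the fail-fast behaviour the commit message describes rather than a quiet fallback.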
diff --git a/src/Transport/Tcp/SslTransportFactory.cs b/src/Transport/Tcp/SslTransportFactory.cs
index 2fdb7a1..91a86c2 100644
--- a/src/Transport/Tcp/SslTransportFactory.cs
+++ b/src/Transport/Tcp/SslTransportFactory.cs
@@ -18,6 +18,7 @@
using System;
using System.Web;
using System.Net.Sockets;
+using System.Security.Authentication;
namespace Apache.NMS.ActiveMQ.Transport.Tcp
{
@@ -89,7 +90,21 @@ namespace Apache.NMS.ActiveMQ.Transport.Tcp
public string SslProtocol
{
get { return this.sslProtocol; }
- set { this.sslProtocol = value; }
+ set
+ {
+ if (String.IsNullOrEmpty(value))
+ {
+ this.sslProtocol = null;
+ }
+ else if (Enum.TryParse<SslProtocols>(value, true, out var _))
+ {
+ this.sslProtocol = value;
+ }
+ else
+ {
+ throw new ArgumentException($"Requested value '{value}' was not found in {nameof(SslProtocols)}.");
+ }
+ }
}
protected override ITransport DoCreateTransport(Uri location, Socket socket, IWireFormat wireFormat )
@@ -115,7 +130,7 @@ namespace Apache.NMS.ActiveMQ.Transport.Tcp
transport.KeyStoreLocation = this.keyStoreLocation;
transport.KeyStoreName = this.keyStoreName;
transport.AcceptInvalidBrokerCert = this.acceptInvalidBrokerCert;
- transport.SslProtocol = this.sslProtocol;
+ transport.sslProtocol = this.sslProtocol; // bypass revalidation
return transport;
}