Posted to commits@qpid.apache.org by ro...@apache.org on 2015/03/09 18:14:05 UTC
qpid-jms git commit: flip default to verify hostname by default
Repository: qpid-jms
Updated Branches:
refs/heads/master 3e9e30ceb -> 1873f3562
flip default to verify hostname by default
Project: http://git-wip-us.apache.org/repos/asf/qpid-jms/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-jms/commit/1873f356
Tree: http://git-wip-us.apache.org/repos/asf/qpid-jms/tree/1873f356
Diff: http://git-wip-us.apache.org/repos/asf/qpid-jms/diff/1873f356
Branch: refs/heads/master
Commit: 1873f3562d0e7ddd97a7c9a04b2587cd6ec91d19
Parents: 3e9e30c
Author: Robert Gemmell <ro...@apache.org>
Authored: Mon Mar 9 16:57:12 2015 +0000
Committer: Robert Gemmell <ro...@apache.org>
Committed: Mon Mar 9 17:13:14 2015 +0000
----------------------------------------------------------------------
.../jms/transports/TransportSslOptions.java | 2 +-
.../transports/netty/NettySslTransportTest.java | 19 +++++++------
qpid-jms-docs/Configuration.md | 2 +-
.../apache/qpid/jms/JmsSSLConnectionTest.java | 30 +++++++++++++++++---
4 files changed, 38 insertions(+), 15 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-jms/blob/1873f356/qpid-jms-client/src/main/java/org/apache/qpid/jms/transports/TransportSslOptions.java
----------------------------------------------------------------------
diff --git a/qpid-jms-client/src/main/java/org/apache/qpid/jms/transports/TransportSslOptions.java b/qpid-jms-client/src/main/java/org/apache/qpid/jms/transports/TransportSslOptions.java
index f7f5473..c483316 100644
--- a/qpid-jms-client/src/main/java/org/apache/qpid/jms/transports/TransportSslOptions.java
+++ b/qpid-jms-client/src/main/java/org/apache/qpid/jms/transports/TransportSslOptions.java
@@ -27,7 +27,7 @@ public class TransportSslOptions extends TransportOptions {
public static final String[] DEFAULT_ENABLED_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"};
public static final String DEFAULT_STORE_TYPE = "jks";
public static final boolean DEFAULT_TRUST_ALL = false;
- public static final boolean DEFAULT_VERIFY_HOST = false; //TODO: enable this by default?
+ public static final boolean DEFAULT_VERIFY_HOST = true;
public static final TransportSslOptions INSTANCE = new TransportSslOptions();
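Review bot: `DEFAULT_VERIFY_HOST = true` changes behaviour for every existing amqps client, and the line has no comment saying what is checked or how to opt out. A short Javadoc on the constant would help, for example `/** Whether the server certificate must match the host being connected to; override with transport.verifyHost=false. */`. The NettySslTransportTest change in this commit now passes verifyHost=false alongside trustAll=true, which suggests trustAll alone no longer lets a client connect to a host whose certificate does not match; if that is the case, the interaction should be stated in Configuration.md next to the two options. The class body continues outside the hunk.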
http://git-wip-us.apache.org/repos/asf/qpid-jms/blob/1873f356/qpid-jms-client/src/test/java/org/apache/qpid/jms/transports/netty/NettySslTransportTest.java
----------------------------------------------------------------------
diff --git a/qpid-jms-client/src/test/java/org/apache/qpid/jms/transports/netty/NettySslTransportTest.java b/qpid-jms-client/src/test/java/org/apache/qpid/jms/transports/netty/NettySslTransportTest.java
index ddb5e9b..ed25dfb 100644
--- a/qpid-jms-client/src/test/java/org/apache/qpid/jms/transports/netty/NettySslTransportTest.java
+++ b/qpid-jms-client/src/test/java/org/apache/qpid/jms/transports/netty/NettySslTransportTest.java
@@ -60,7 +60,7 @@ public class NettySslTransportTest extends NettyTcpTransportTest {
int port = server.getServerPort();
URI serverLocation = new URI("tcp://localhost:" + port);
- Transport transport = createTransport(serverLocation, testListener, createClientOptionsWithoutTrustStore(false));
+ Transport transport = createTransport(serverLocation, testListener, createClientOptionsWithoutTrustStore(false, false));
try {
transport.connect();
fail("Should not have connected to the server");
@@ -85,7 +85,7 @@ public class NettySslTransportTest extends NettyTcpTransportTest {
int port = server.getServerPort();
URI serverLocation = new URI("tcp://localhost:" + port);
- Transport transport = createTransport(serverLocation, testListener, createClientOptionsWithoutTrustStore(true));
+ Transport transport = createTransport(serverLocation, testListener, createClientOptionsWithoutTrustStore(true, false));
try {
transport.connect();
LOG.info("Connection established to untrusted test server.");
@@ -110,10 +110,10 @@ public class NettySslTransportTest extends NettyTcpTransportTest {
int port = server.getServerPort();
URI serverLocation = new URI("tcp://localhost:" + port);
- TransportSslOptions options = createClientOptions();
- options.setVerifyHost(true);
+ TransportSslOptions clientOptions = createClientOptionsIsVerify(true);
+ assertTrue("Expected verifyHost to be true", clientOptions.isVerifyHost());
- Transport transport = createTransport(serverLocation, testListener, createClientOptionsIsVerify(true));
+ Transport transport = createTransport(serverLocation, testListener, clientOptions);
try {
transport.connect();
fail("Should not have connected to the server");
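Review bot: No test in the hunks of this commit shows a successful connection with host verification switched on: here `createClientOptionsIsVerify(true)` is expected to fail, the next hunk connects only with `createClientOptionsIsVerify(false)`, and JmsSSLConnectionTest follows the same pattern. A verifier that rejected every certificate would pass all of them. A case that connects with verifyHost=true to a server whose certificate does match the connect host would pin the behaviour the new default relies on; it may exist elsewhere in the suite, which is not visible here. The test method starts and ends outside the hunk.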
@@ -135,10 +135,10 @@ public class NettySslTransportTest extends NettyTcpTransportTest {
int port = server.getServerPort();
URI serverLocation = new URI("tcp://localhost:" + port);
- TransportSslOptions options = createClientOptions();
- options.setVerifyHost(true);
+ TransportSslOptions clientOptions = createClientOptionsIsVerify(false);
+ assertFalse("Expected verifyHost to be false", clientOptions.isVerifyHost());
- Transport transport = createTransport(serverLocation, testListener, createClientOptionsIsVerify(false));
+ Transport transport = createTransport(serverLocation, testListener, clientOptions);
try {
transport.connect();
LOG.info("Connection established to test server.");
@@ -191,11 +191,12 @@ public class NettySslTransportTest extends NettyTcpTransportTest {
return options;
}
- protected TransportSslOptions createClientOptionsWithoutTrustStore(boolean trustAll) {
+ protected TransportSslOptions createClientOptionsWithoutTrustStore(boolean trustAll, boolean verifyHost) {
TransportSslOptions options = TransportSslOptions.INSTANCE.clone();
options.setStoreType(KEYSTORE_TYPE);
options.setTrustAll(trustAll);
+ options.setVerifyHost(verifyHost);
return options;
}
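Review bot: `createClientOptionsWithoutTrustStore(boolean trustAll, boolean verifyHost)` takes two adjacent booleans, so the call sites `(false, false)` and `(true, false)` in the first two hunks do not show which check each test disables, and a transposed pair would compile and silently exercise a different path. A trailing comment at each call, e.g. `createClientOptionsWithoutTrustStore(true, false) // trustAll, no host verification`, or named local booleans would make the intent readable. A one-line Javadoc on the helper, `/** Client options with no trust store configured; trustAll and verifyHost are set as given. */`, would also help.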
http://git-wip-us.apache.org/repos/asf/qpid-jms/blob/1873f356/qpid-jms-docs/Configuration.md
----------------------------------------------------------------------
diff --git a/qpid-jms-docs/Configuration.md b/qpid-jms-docs/Configuration.md
index e062a45..5bf4256 100644
--- a/qpid-jms-docs/Configuration.md
+++ b/qpid-jms-docs/Configuration.md
@@ -130,7 +130,7 @@ The complete set of SSL Transport options is listed below:
* __transport.enabledCipherSuites__ defaults to Java defaults
* __transport.enabledProtocols__ defaults to Java defaults
* __transport.trustAll__ defaults to false
-* __transport.verifyHost__ defaults to false
+* __transport.verifyHost__ defaults to true
### Failover Configuration options
http://git-wip-us.apache.org/repos/asf/qpid-jms/blob/1873f356/qpid-jms-interop-tests/qpid-jms-activemq-tests/src/test/java/org/apache/qpid/jms/JmsSSLConnectionTest.java
----------------------------------------------------------------------
diff --git a/qpid-jms-interop-tests/qpid-jms-activemq-tests/src/test/java/org/apache/qpid/jms/JmsSSLConnectionTest.java b/qpid-jms-interop-tests/qpid-jms-activemq-tests/src/test/java/org/apache/qpid/jms/JmsSSLConnectionTest.java
index 0e61d39..929dd31 100644
--- a/qpid-jms-interop-tests/qpid-jms-activemq-tests/src/test/java/org/apache/qpid/jms/JmsSSLConnectionTest.java
+++ b/qpid-jms-interop-tests/qpid-jms-activemq-tests/src/test/java/org/apache/qpid/jms/JmsSSLConnectionTest.java
@@ -17,9 +17,12 @@
package org.apache.qpid.jms;
import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.fail;
import java.net.URI;
+import javax.jms.JMSException;
+
import org.apache.activemq.broker.BrokerService;
import org.apache.activemq.broker.TransportConnector;
import org.apache.qpid.jms.JmsConnection;
@@ -69,13 +72,18 @@ public class JmsSSLConnectionTest {
brokerService.waitUntilStopped();
}
- public String getConnectionURI() throws Exception {
- return "amqps://" + connectionURI.getHost() + ":" + connectionURI.getPort();
+ public String getConnectionURI(boolean verifyHost) throws Exception {
+ String baseURI = "amqps://" + connectionURI.getHost() + ":" + connectionURI.getPort();
+ if (verifyHost) {
+ return baseURI;
+ } else {
+ return baseURI + "?transport.verifyHost=false";
+ }
}
@Test(timeout=30000)
public void testCreateConnection() throws Exception {
- JmsConnectionFactory factory = new JmsConnectionFactory(getConnectionURI());
+ JmsConnectionFactory factory = new JmsConnectionFactory(getConnectionURI(false));
JmsConnection connection = (JmsConnection) factory.createConnection();
assertNotNull(connection);
connection.close();
@@ -83,10 +91,24 @@ public class JmsSSLConnectionTest {
@Test(timeout=30000)
public void testCreateConnectionAndStart() throws Exception {
- JmsConnectionFactory factory = new JmsConnectionFactory(getConnectionURI());
+ JmsConnectionFactory factory = new JmsConnectionFactory(getConnectionURI(false));
JmsConnection connection = (JmsConnection) factory.createConnection();
assertNotNull(connection);
connection.start();
connection.close();
}
+
+ @Test(timeout=30000)
+ public void testCreateConnectionAndStartWithVerifyHostFailure() throws Exception {
+ JmsConnectionFactory factory = new JmsConnectionFactory(getConnectionURI(true));
+ try {
+ JmsConnection connection = (JmsConnection) factory.createConnection();
+ assertNotNull(connection);
+ connection.start();
+ connection.close();
+ fail("Expected connection to fail");
+ } catch (JMSException jmse) {
+ // expected due to certificate host verification failure.
+ }
+ }
}
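Review bot: The `catch (JMSException jmse)` in testCreateConnectionAndStartWithVerifyHostFailure accepts any connection failure as the expected one, so the test also passes when the broker is unreachable or the trust store is wrong, and it would keep passing if host verification stopped working while something else broke. The catch should inspect the exception's cause chain for the TLS failure; the exact exception type the client surfaces is not visible in this diff, so that assertion is left as a marked TODO below. Separately, when `connection.start()` throws, the connection is never closed; moving `close()` into a `finally` fixes that, assuming `close()` is safe on a connection that failed to start.

```java
JmsConnectionFactory factory = new JmsConnectionFactory(getConnectionURI(true));
JmsConnection connection = null;
try {
    connection = (JmsConnection) factory.createConnection();
    assertNotNull(connection);
    connection.start();
    fail("Expected connection to fail");
} catch (JMSException jmse) {
    // expected due to certificate host verification failure.
    // TODO(review): assert on jmse.getCause() once the surfaced TLS exception type is confirmed.
} finally {
    if (connection != null) {
        connection.close();
    }
}
```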