Posted to commits@activemq.apache.org by cs...@apache.org on 2018/08/31 10:40:20 UTC
activemq git commit: Add support for hostname verification
Repository: activemq
Updated Branches:
refs/heads/master b488df694 -> 69fad2a13
Add support for hostname verification
Project: http://git-wip-us.apache.org/repos/asf/activemq/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq/commit/69fad2a1
Tree: http://git-wip-us.apache.org/repos/asf/activemq/tree/69fad2a1
Diff: http://git-wip-us.apache.org/repos/asf/activemq/diff/69fad2a1
Branch: refs/heads/master
Commit: 69fad2a135689f6c31fbada1c397f2e0dfd90d3c
Parents: b488df6
Author: Christopher L. Shannon (cshannon) <ch...@gmail.com>
Authored: Tue Aug 21 09:05:42 2018 -0400
Committer: Christopher L. Shannon (cshannon) <ch...@gmail.com>
Committed: Fri Aug 31 06:39:49 2018 -0400
----------------------------------------------------------------------
.../transport/amqp/AmqpTestSupport.java | 4 +-
.../amqp/auto/JMSClientAutoSslAuthTest.java | 2 +-
.../transport/nio/AutoInitNioSSLTransport.java | 7 ++++
.../activemq/transport/nio/NIOSSLTransport.java | 16 ++++++++
.../activemq/transport/tcp/SslTransport.java | 40 ++++++++++++++++++++
.../transport/tcp/SslTransportServer.java | 2 +
.../activemq/transport/tcp/TcpTransport.java | 3 +-
.../transport/tcp/TcpTransportServer.java | 13 +++++++
.../mqtt/auto/MQTTAutoSslAuthTest.java | 2 +-
.../transport/stomp/StompSslAuthTest.java | 6 +--
.../stomp/auto/StompAutoSslAuthTest.java | 2 +-
.../org/apache/activemq/bugs/AMQ4126Test.java | 2 +-
.../org/apache/activemq/bugs/AMQ6599Test.java | 2 +-
.../network/NetworkReconnectSslNioTest.java | 4 +-
.../transport/auto/AutoSslAuthTest.java | 4 +-
.../auto/AutoTransportConnectionsTest.java | 6 +++
.../activemq/transport/nio/NIOSSLBasicTest.java | 33 ++++++++++++----
.../activemq/transport/nio/NIOSSLLoadTest.java | 3 +-
.../transport/nio/NIOSSLWindowSizeTest.java | 20 +++++-----
.../transport/tcp/SslTransportFactoryTest.java | 8 ++++
...InconsistentConnectorPropertiesBehaviour.xml | 12 +++---
.../bugs/amq4126/JaasStompSSLBroker.xml | 8 ++--
.../JaasDualAuthenticationNetworkBridge.xml | 2 +-
...aasDualAuthenticationNetworkBridgeNioSsl.xml | 2 +-
24 files changed, 157 insertions(+), 46 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/AmqpTestSupport.java
----------------------------------------------------------------------
diff --git a/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/AmqpTestSupport.java b/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/AmqpTestSupport.java
index 69d1998..8fb26f2 100644
--- a/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/AmqpTestSupport.java
+++ b/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/AmqpTestSupport.java
@@ -185,7 +185,7 @@ public class AmqpTestSupport {
}
if (isUseSslConnector()) {
connector = brokerService.addConnector(
- "amqp+ssl://0.0.0.0:" + amqpSslPort + "?transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
+ "amqp+ssl://0.0.0.0:" + amqpSslPort + "?transport.verifyHostName=false&transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
amqpSslPort = connector.getConnectUri().getPort();
amqpSslURI = connector.getPublishableConnectURI();
LOG.debug("Using amqp+ssl port " + amqpSslPort);
@@ -199,7 +199,7 @@ public class AmqpTestSupport {
}
if (isUseNioPlusSslConnector()) {
connector = brokerService.addConnector(
- "amqp+nio+ssl://0.0.0.0:" + amqpNioPlusSslPort + "?transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
+ "amqp+nio+ssl://0.0.0.0:" + amqpNioPlusSslPort + "?transport.verifyHostName=false&transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
amqpNioPlusSslPort = connector.getConnectUri().getPort();
amqpNioPlusSslURI = connector.getPublishableConnectURI();
LOG.debug("Using amqp+nio+ssl port " + amqpNioPlusSslPort);
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/auto/JMSClientAutoSslAuthTest.java
----------------------------------------------------------------------
diff --git a/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/auto/JMSClientAutoSslAuthTest.java b/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/auto/JMSClientAutoSslAuthTest.java
index 40c1eb3..d611ee6 100644
--- a/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/auto/JMSClientAutoSslAuthTest.java
+++ b/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/auto/JMSClientAutoSslAuthTest.java
@@ -79,7 +79,7 @@ public class JMSClientAutoSslAuthTest extends JMSClientTestSupport {
@Override
protected String getAdditionalConfig() {
- return "?transport.needClientAuth=true";
+ return "?transport.needClientAuth=true&transport.verifyHostName=false";
}
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-broker/src/main/java/org/apache/activemq/transport/nio/AutoInitNioSSLTransport.java
----------------------------------------------------------------------
diff --git a/activemq-broker/src/main/java/org/apache/activemq/transport/nio/AutoInitNioSSLTransport.java b/activemq-broker/src/main/java/org/apache/activemq/transport/nio/AutoInitNioSSLTransport.java
index 449c7ae..9301b65 100644
--- a/activemq-broker/src/main/java/org/apache/activemq/transport/nio/AutoInitNioSSLTransport.java
+++ b/activemq-broker/src/main/java/org/apache/activemq/transport/nio/AutoInitNioSSLTransport.java
@@ -30,6 +30,7 @@ import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
+import javax.net.ssl.SSLParameters;
import org.apache.activemq.thread.TaskRunnerFactory;
import org.apache.activemq.util.IOExceptionSupport;
@@ -89,6 +90,12 @@ public class AutoInitNioSSLTransport extends NIOSSLTransport {
sslEngine = sslContext.createSSLEngine();
}
+ if (verifyHostName) {
+ SSLParameters sslParams = new SSLParameters();
+ sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+ sslEngine.setSSLParameters(sslParams);
+ }
+
sslEngine.setUseClientMode(false);
if (enabledCipherSuites != null) {
sslEngine.setEnabledCipherSuites(enabledCipherSuites);
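Review bot: The added `if (verifyHostName)` block applies a freshly constructed `SSLParameters` to the engine, so every setting other than the endpoint identification algorithm comes from the empty object rather than from the engine's current configuration. Under the documented JSSE contract, `setSSLParameters` calls `setWantClientAuth(false)` when neither client-auth flag is set on the parameters, which would clear a `needClientAuth`/`wantClientAuth` applied earlier; whether client auth is configured before or after this point lies outside the hunk and should be checked. Starting from the current values removes the ordering dependency: `SSLParameters sslParams = sslEngine.getSSLParameters();`. The same construction appears in the NIOSSLTransport, SslTransport.initialiseSocket and TcpTransportServer hunks of this commit, where the equivalent is `getSSLParameters()` on the engine, the socket and the server socket respectively.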
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-client/src/main/java/org/apache/activemq/transport/nio/NIOSSLTransport.java
----------------------------------------------------------------------
diff --git a/activemq-client/src/main/java/org/apache/activemq/transport/nio/NIOSSLTransport.java b/activemq-client/src/main/java/org/apache/activemq/transport/nio/NIOSSLTransport.java
index 64e96be..74aa342 100644
--- a/activemq-client/src/main/java/org/apache/activemq/transport/nio/NIOSSLTransport.java
+++ b/activemq-client/src/main/java/org/apache/activemq/transport/nio/NIOSSLTransport.java
@@ -36,6 +36,7 @@ import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
+import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
@@ -56,6 +57,7 @@ public class NIOSSLTransport extends NIOTransport {
protected boolean wantClientAuth;
protected String[] enabledCipherSuites;
protected String[] enabledProtocols;
+ protected boolean verifyHostName = true;
protected SSLContext sslContext;
protected SSLEngine sslEngine;
@@ -119,6 +121,12 @@ public class NIOSSLTransport extends NIOTransport {
sslEngine = sslContext.createSSLEngine();
}
+ if (verifyHostName) {
+ SSLParameters sslParams = new SSLParameters();
+ sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+ sslEngine.setSSLParameters(sslParams);
+ }
+
sslEngine.setUseClientMode(false);
if (enabledCipherSuites != null) {
sslEngine.setEnabledCipherSuites(enabledCipherSuites);
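Review bot: This block is a line-for-line copy of the one added to AutoInitNioSSLTransport, which extends this class, and the algorithm name `"HTTPS"` is now a bare literal in four places across the commit. One protected helper on NIOSSLTransport (for example `protected void applyHostNameVerification(SSLEngine engine)`) and a single constant for the algorithm name would keep the two engine paths from drifting apart. The engine is put into server mode on the very next line, so as far as I can tell the identity check configured here applies to the certificate a client presents; a one-line comment saying so would help, because `verifyHostName` reads like a client-side option. The enclosing method starts and ends outside the hunk.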
@@ -543,4 +551,12 @@ public class NIOSSLTransport extends NIOTransport {
public void setEnabledProtocols(String[] enabledProtocols) {
this.enabledProtocols = enabledProtocols;
}
+
+ public boolean isVerifyHostName() {
+ return verifyHostName;
+ }
+
+ public void setVerifyHostName(boolean verifyHostName) {
+ this.verifyHostName = verifyHostName;
+ }
}
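Review bot: `isVerifyHostName` and `setVerifyHostName` are added without Javadoc, although the field defaults to `true` and therefore changes handshake behaviour for connectors that never set it. Suggested comment on the setter: `/** Enables JSSE endpoint identification ("HTTPS") on the SSLEngine; defaults to true. Only read when the engine is created. */`. The setter added to SslTransport in this commit needs the same treatment, and there the Javadoc should also state that `null` means "not set, fall back to socket.verifyHostName", which is currently explained only in a comment inside `initialiseSocket`.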
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java
----------------------------------------------------------------------
diff --git a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java
index 0c2fab9..91ba42c 100644
--- a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java
+++ b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java
@@ -17,11 +17,14 @@
package org.apache.activemq.transport.tcp;
import java.io.IOException;
+import java.net.Socket;
+import java.net.SocketException;
import java.net.URI;
import java.net.UnknownHostException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
+import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
@@ -43,6 +46,8 @@ import org.apache.activemq.wireformat.WireFormat;
*/
public class SslTransport extends TcpTransport {
+ private Boolean verifyHostName = null;
+
/**
* Connect to a remote node such as a Broker.
*
@@ -73,6 +78,37 @@ public class SslTransport extends TcpTransport {
}
}
+ @Override
+ protected void initialiseSocket(Socket sock) throws SocketException, IllegalArgumentException {
+ //This needs to default to null because this transport class is used for both a server transport
+ //and a client connection and if we default it to a value it might override the transport server setting
+ //that was configured inside TcpTransportServer
+
+ //The idea here is that if this is a server transport then verifyHostName will be set by the setter
+ //below and not be null (if using transport.verifyHostName) but if a client uses socket.verifyHostName
+ //then it will be null and we can check socketOptions
+
+ //Unfortunately we have to do this to stay consistent because every other SSL option on the client
+ //side is configured using socket. but this particular option isn't actually part of the socket
+ //so it makes it tricky
+ if (verifyHostName == null) {
+ if (socketOptions != null && socketOptions.containsKey("verifyHostName")) {
+ verifyHostName = Boolean.parseBoolean(socketOptions.get("verifyHostName").toString());
+ socketOptions.remove("verifyHostName");
+ } else {
+ verifyHostName = true;
+ }
+ }
+
+ if (verifyHostName) {
+ SSLParameters sslParams = new SSLParameters();
+ sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+ ((SSLSocket)this.socket).setSSLParameters(sslParams);
+ }
+
+ super.initialiseSocket(sock);
+ }
+
/**
* Initialize from a ServerSocket. No access to needClientAuth is given
* since it is already set within the provided socket.
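Review bot: `initialiseSocket(Socket sock)` configures `this.socket` rather than the `sock` it was handed, and casts it to `SSLSocket` without a check. If the two ever differ, `sock` reaches `super.initialiseSocket(sock)` with endpoint identification never applied, and if the field is unset or not an SSLSocket the method fails with a NullPointerException or ClassCastException instead of a clear error. Using the argument keeps the override self-contained: `((SSLSocket) sock).setSSLParameters(sslParams);`. The `Boolean.parseBoolean` call on `socket.verifyHostName` has the fail-open behaviour described in the TcpTransportServer note.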
@@ -108,6 +144,10 @@ public class SslTransport extends TcpTransport {
super.doConsume(command);
}
+ public void setVerifyHostName(Boolean verifyHostName) {
+ this.verifyHostName = verifyHostName;
+ }
+
/**
* @return peer certificate chain associated with the ssl socket
*/
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java
----------------------------------------------------------------------
diff --git a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java
index bfd6318..5106e4f 100644
--- a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java
+++ b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java
@@ -100,6 +100,7 @@ public class SslTransportServer extends TcpTransportServer {
*
* @throws IOException passed up from TcpTransportServer.
*/
+ @Override
public void bind() throws IOException {
super.bind();
if (needClientAuth) {
@@ -119,6 +120,7 @@ public class SslTransportServer extends TcpTransportServer {
* @return The newly return (SSL) Transport.
* @throws IOException
*/
+ @Override
protected Transport createTransport(Socket socket, WireFormat format) throws IOException {
return new SslTransport(format, (SSLSocket)socket);
}
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransport.java
----------------------------------------------------------------------
diff --git a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransport.java b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransport.java
index 04d1636..e85cbaf 100644
--- a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransport.java
+++ b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransport.java
@@ -133,7 +133,7 @@ public class TcpTransport extends TransportThreadSupport implements Transport, S
protected final AtomicReference<CountDownLatch> stoppedLatch = new AtomicReference<CountDownLatch>();
protected volatile int receiveCounter;
- private Map<String, Object> socketOptions;
+ protected Map<String, Object> socketOptions;
private int soLinger = Integer.MIN_VALUE;
private Boolean keepAlive;
private Boolean tcpNoDelay;
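Review bot: Widening `socketOptions` from `private` to `protected` exposes the mutable map to every subclass, and SslTransport in this commit already reads and removes a key from it directly. A narrower change keeps the field private and adds a small protected method on TcpTransport, for example `protected Object removeSocketOption(String name)`, so the map's lifecycle stays in one class. The rest of the class body lies outside the hunk, so whether other code relies on the map being untouched before `initialiseSocket` runs cannot be confirmed from here.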
@@ -751,6 +751,7 @@ public class TcpTransport extends TransportThreadSupport implements Transport, S
return true;
}
+ @Override
public WireFormat getWireFormat() {
return wireFormat;
}
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java
----------------------------------------------------------------------
diff --git a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java
index 6f3651f..61aec1d 100644
--- a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java
+++ b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java
@@ -40,6 +40,7 @@ import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ServerSocketFactory;
+import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import org.apache.activemq.Service;
@@ -79,6 +80,7 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
protected int minmumWireFormatVersion;
protected boolean useQueueForAccept = true;
protected boolean allowLinkStealing;
+ protected boolean verifyHostName = true;
/**
* trace=true -> the Transport stack where this TcpTransport object will be, will have a TransportLogger layer
@@ -172,6 +174,16 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
// see: https://issues.apache.org/jira/browse/AMQ-4582
//
if (socket instanceof SSLServerSocket) {
+ if (transportOptions.containsKey("verifyHostName")) {
+ verifyHostName = Boolean.parseBoolean(transportOptions.get("verifyHostName").toString());
+ }
+
+ if (verifyHostName) {
+ SSLParameters sslParams = new SSLParameters();
+ sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+ ((SSLServerSocket)this.serverSocket).setSSLParameters(sslParams);
+ }
+
if (transportOptions.containsKey("enabledCipherSuites")) {
Object cipherSuites = transportOptions.remove("enabledCipherSuites");
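Review bot: `Boolean.parseBoolean` in the added `verifyHostName` lookup returns false for anything that is not the word true, so a misspelt value such as `transport.verifyHostName=ture` silently switches certificate identity checking off. A security option should reject unrecognised values instead; the enabledCipherSuites branch further down already reports bad input with an "Invalid transport options" message, and the same style fits here (the exception type should match whatever that branch throws, which the hunk does not show). SslTransport.initialiseSocket parses `socket.verifyHostName` the same way and needs the same guard. The enclosing method starts and ends outside the hunk.

```java
if (transportOptions.containsKey("verifyHostName")) {
    String value = transportOptions.get("verifyHostName").toString();
    // Fail closed: only the literal words true/false are accepted.
    if (!"true".equalsIgnoreCase(value) && !"false".equalsIgnoreCase(value)) {
        throw new IllegalArgumentException(String.format(
                "Invalid transport options {verifyHostName=%s}", value));
    }
    verifyHostName = Boolean.parseBoolean(value);
}
// … unchanged: if (verifyHostName) { … setEndpointIdentificationAlgorithm("HTTPS") … } …
```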
@@ -180,6 +192,7 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
"Invalid transport options {enabledCipherSuites=%s}", cipherSuites));
}
}
+
}
//AMQ-6599 - don't strip out set properties on the socket as we need to set them
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-mqtt/src/test/java/org/apache/activemq/transport/mqtt/auto/MQTTAutoSslAuthTest.java
----------------------------------------------------------------------
diff --git a/activemq-mqtt/src/test/java/org/apache/activemq/transport/mqtt/auto/MQTTAutoSslAuthTest.java b/activemq-mqtt/src/test/java/org/apache/activemq/transport/mqtt/auto/MQTTAutoSslAuthTest.java
index 4fae9c4..3fb67a4 100644
--- a/activemq-mqtt/src/test/java/org/apache/activemq/transport/mqtt/auto/MQTTAutoSslAuthTest.java
+++ b/activemq-mqtt/src/test/java/org/apache/activemq/transport/mqtt/auto/MQTTAutoSslAuthTest.java
@@ -55,7 +55,7 @@ public class MQTTAutoSslAuthTest extends MQTTTestSupport {
*/
public MQTTAutoSslAuthTest(String protocol) {
this.protocol = protocol;
- protocolConfig = "transport.needClientAuth=true";
+ protocolConfig = "transport.needClientAuth=true&transport.verifyHostName=false&";
}
@Override
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompSslAuthTest.java
----------------------------------------------------------------------
diff --git a/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompSslAuthTest.java b/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompSslAuthTest.java
index 9b4d1c4..d295dfb 100644
--- a/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompSslAuthTest.java
+++ b/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompSslAuthTest.java
@@ -54,13 +54,13 @@ public class StompSslAuthTest extends StompTest {
@Override
public void addOpenWireConnector() throws Exception {
- TransportConnector connector = brokerService.addConnector("ssl://0.0.0.0:0?needClientAuth=true");
- cf = new ActiveMQConnectionFactory(connector.getPublishableConnectString());
+ TransportConnector connector = brokerService.addConnector("ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false");
+ cf = new ActiveMQConnectionFactory(connector.getPublishableConnectString() + "?socket.verifyHostName=false");
}
@Override
protected String getAdditionalConfig() {
- return "?needClientAuth=true";
+ return "?needClientAuth=true&transport.verifyHostName=false";
}
// NOOP - These operations handled by jaas cert login module
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/auto/StompAutoSslAuthTest.java
----------------------------------------------------------------------
diff --git a/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/auto/StompAutoSslAuthTest.java b/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/auto/StompAutoSslAuthTest.java
index f878cf2..20f5edb 100644
--- a/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/auto/StompAutoSslAuthTest.java
+++ b/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/auto/StompAutoSslAuthTest.java
@@ -102,7 +102,7 @@ public class StompAutoSslAuthTest extends StompTestSupport {
@Override
protected String getAdditionalConfig() {
- return "?transport.needClientAuth=true";
+ return "?transport.needClientAuth=true&transport.verifyHostName=false";
}
@Override
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4126Test.java
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4126Test.java b/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4126Test.java
index 4d6d39c..60245f0 100644
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4126Test.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4126Test.java
@@ -121,7 +121,7 @@ public class AMQ4126Test {
public void openwireConnectTo(String connectorName, String username, String password) throws Exception {
URI brokerURI = broker.getConnectorByName(connectorName).getConnectUri();
- String uri = "ssl://" + brokerURI.getHost() + ":" + brokerURI.getPort();
+ String uri = "ssl://" + brokerURI.getHost() + ":" + brokerURI.getPort() + "?socket.verifyHostName=false";
ActiveMQSslConnectionFactory cf = new ActiveMQSslConnectionFactory(uri);
cf.setTrustStore("org/apache/activemq/security/broker1.ks");
cf.setTrustStorePassword("password");
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ6599Test.java
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ6599Test.java b/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ6599Test.java
index 72c9b88..3de3ee9 100644
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ6599Test.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ6599Test.java
@@ -71,7 +71,7 @@ public class AMQ6599Test {
brokerService.setPersistent(false);
TransportConnector connector = brokerService.addConnector(protocol +
- "://localhost:0?transport.soTimeout=3500");
+ "://localhost:0?transport.soTimeout=3500&transport.verifyHostName=false");
connector.setName("connector");
uri = connector.getPublishableConnectString();
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/java/org/apache/activemq/network/NetworkReconnectSslNioTest.java
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/network/NetworkReconnectSslNioTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/network/NetworkReconnectSslNioTest.java
index 0c3b1ed..b97fdcf 100644
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/network/NetworkReconnectSslNioTest.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/network/NetworkReconnectSslNioTest.java
@@ -47,14 +47,14 @@ public class NetworkReconnectSslNioTest {
remote.setSslContext(sslContext);
remote.setUseJmx(false);
remote.setPersistent(false);
- final TransportConnector transportConnector = remote.addConnector("nio+ssl://0.0.0.0:0");
+ final TransportConnector transportConnector = remote.addConnector("nio+ssl://0.0.0.0:0?transport.verifyHostName=false");
remote.start();
BrokerService local = new BrokerService();
local.setSslContext(sslContext);
local.setUseJmx(false);
local.setPersistent(false);
- final NetworkConnector networkConnector = local.addNetworkConnector("static:(" + remote.getTransportConnectorByScheme("nio+ssl").getPublishableConnectString().replace("nio+ssl", "ssl") + ")?useExponentialBackOff=false&initialReconnectDelay=10");
+ final NetworkConnector networkConnector = local.addNetworkConnector("static:(" + remote.getTransportConnectorByScheme("nio+ssl").getPublishableConnectString().replace("nio+ssl", "ssl") + "?socket.verifyHostName=false" + ")?useExponentialBackOff=false&initialReconnectDelay=10");
local.start();
assertTrue("Bridge created", Wait.waitFor(new Wait.Condition() {
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoSslAuthTest.java
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoSslAuthTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoSslAuthTest.java
index be6043b..f24620d 100644
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoSslAuthTest.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoSslAuthTest.java
@@ -75,7 +75,7 @@ public class AutoSslAuthTest {
BrokerService brokerService = new BrokerService();
brokerService.setPersistent(false);
- TransportConnector connector = brokerService.addConnector(protocol + "://localhost:0?transport.needClientAuth=true");
+ TransportConnector connector = brokerService.addConnector(protocol + "://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false");
connector.setName("auto");
uri = connector.getPublishableConnectString();
@@ -126,7 +126,7 @@ public class AutoSslAuthTest {
@Test(timeout = 60000)
public void testConnect() throws Exception {
ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory();
- factory.setBrokerURL(uri);
+ factory.setBrokerURL(uri + "?socket.verifyHostName=false");
//Create 5 connections to make sure all are properly set
for (int i = 0; i < 5; i++) {
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoTransportConnectionsTest.java
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoTransportConnectionsTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoTransportConnectionsTest.java
index 02a72cf..1de13ac 100644
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoTransportConnectionsTest.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoTransportConnectionsTest.java
@@ -103,8 +103,14 @@ public class AutoTransportConnectionsTest {
}
public void configureConnectorAndStart(String bindAddress) throws Exception {
+ if (bindAddress.contains("ssl")) {
+ bindAddress += bindAddress.contains("?") ? "&transport.verifyHostName=false" : "?transport.verifyHostName=false";
+ }
connector = service.addConnector(bindAddress);
connectionUri = connector.getPublishableConnectString();
+ if (connectionUri.contains("ssl")) {
+ connectionUri += connectionUri.contains("?") ? "&socket.verifyHostName=false" : "?socket.verifyHostName=false";
+ }
service.start();
service.waitUntilStarted();
}
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLBasicTest.java
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLBasicTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLBasicTest.java
index 473d785..d9ea3ae 100644
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLBasicTest.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLBasicTest.java
@@ -17,14 +17,14 @@
package org.apache.activemq.transport.nio;
import javax.jms.Connection;
+import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.MessageProducer;
import javax.jms.Queue;
import javax.jms.Session;
import javax.jms.TextMessage;
-
-import junit.framework.TestCase;
+import javax.net.ssl.SSLHandshakeException;
import org.apache.activemq.ActiveMQConnectionFactory;
import org.apache.activemq.broker.BrokerService;
@@ -33,6 +33,8 @@ import org.junit.After;
import org.junit.Before;
import org.junit.Test;
+import junit.framework.TestCase;
+
public class NIOSSLBasicTest {
public static final String KEYSTORE_TYPE = "jks";
@@ -78,25 +80,40 @@ public class NIOSSLBasicTest {
@Test
public void basicConnector() throws Exception {
- BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true");
- basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort());
+ BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false");
+ basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort() + "?socket.verifyHostName=false");
stopBroker(broker);
}
@Test
public void enabledCipherSuites() throws Exception {
- BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true&transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA");
- basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort());
+ BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false&transport.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256&transport.verifyHostName=false");
+ basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort() + "?socket.verifyHostName=false");
stopBroker(broker);
}
@Test
public void enabledProtocols() throws Exception {
- BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:61616?transport.needClientAuth=true&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2");
- basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort());
+ BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:61616?transport.needClientAuth=true&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.verifyHostName=false");
+ basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort() + "?socket.verifyHostName=false");
stopBroker(broker);
}
+ //Client/server is missing verifyHostName=false so it should fail as cert doesn't have right host name
+ @Test(expected = Exception.class)
+ public void verifyHostNameError() throws Exception {
+ BrokerService broker = null;
+ try {
+ broker = createBroker("nio+ssl", getTransportType() + "://localhost:61616?transport.needClientAuth=true");
+ basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort());
+ } finally {
+ if (broker != null) {
+ stopBroker(broker);
+ }
+ }
+ }
+
+
public void basicSendReceive(String uri) throws Exception {
ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(uri);
Connection connection = factory.createConnection();
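Review bot: `verifyHostNameError` is declared with `@Test(expected = Exception.class)`, so it also passes when the broker simply fails to start, for instance when the fixed port in `"://localhost:61616?transport.needClientAuth=true"` is already taken, and in that case no hostname check is exercised at all. Binding to port 0 as `basicConnector` does (`"://localhost:0?transport.needClientAuth=true"`) and catching the failure to assert that its cause chain contains `SSLHandshakeException` would tie the test to the behaviour it is named for; the commit imports `SSLHandshakeException` and `JMSException` into this file, but no visible hunk uses them. This is the only test visible in the commit that runs with verification left on, so its precision matters. The `enabledCipherSuites` URI also carries `transport.verifyHostName=false` twice, and `basicSendReceive` continues outside the hunk.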
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLLoadTest.java
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLLoadTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLLoadTest.java
index 4751c9f..4a92d66 100644
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLLoadTest.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLLoadTest.java
@@ -74,7 +74,7 @@ public class NIOSSLLoadTest {
broker = new BrokerService();
broker.setPersistent(false);
broker.setUseJmx(false);
- connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true&transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA");
+ connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false&transport.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256");
broker.start();
broker.waitUntilStarted();
@@ -113,6 +113,7 @@ public class NIOSSLLoadTest {
}
Wait.waitFor(new Wait.Condition() {
+ @Override
public boolean isSatisified() throws Exception {
return getReceived() == PRODUCER_COUNT * MESSAGE_COUNT;
}
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLWindowSizeTest.java
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLWindowSizeTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLWindowSizeTest.java
index 17cdc41..e92b4fe 100644
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLWindowSizeTest.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLWindowSizeTest.java
@@ -30,11 +30,11 @@ import javax.jms.Session;
@SuppressWarnings("javadoc")
public class NIOSSLWindowSizeTest extends TestCase {
-
+
BrokerService broker;
Connection connection;
Session session;
-
+
public static final String KEYSTORE_TYPE = "jks";
public static final String PASSWORD = "password";
public static final String SERVER_KEYSTORE = "src/test/resources/server.keystore";
@@ -46,7 +46,7 @@ public class NIOSSLWindowSizeTest extends TestCase {
public static final int MESSAGE_SIZE = 65536;
byte[] messageData;
-
+
@Override
protected void setUp() throws Exception {
System.setProperty("javax.net.ssl.trustStore", TRUST_KEYSTORE);
@@ -59,19 +59,19 @@ public class NIOSSLWindowSizeTest extends TestCase {
broker = new BrokerService();
broker.setPersistent(false);
broker.setUseJmx(false);
- TransportConnector connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true");
+ TransportConnector connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false");
broker.start();
broker.waitUntilStarted();
-
+
messageData = new byte[MESSAGE_SIZE];
for (int i = 0; i < MESSAGE_SIZE; i++)
{
messageData[i] = (byte) (i & 0xff);
}
-
+
ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("nio+ssl://localhost:" + connector.getConnectUri().getPort());
connection = factory.createConnection();
- session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+ session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
connection.start();
}
@@ -100,14 +100,14 @@ public class NIOSSLWindowSizeTest extends TestCase {
prod.send(msg);
} finally {
prod.close();
- }
+ }
MessageConsumer cons = null;
- try
+ try
{
cons = session.createConsumer(dest);
assertNotNull(cons.receive(30000L));
} finally {
cons.close();
- }
+ }
}
}
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslTransportFactoryTest.java
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslTransportFactoryTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslTransportFactoryTest.java
index af9d672..cfe1f25 100644
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslTransportFactoryTest.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslTransportFactoryTest.java
@@ -33,10 +33,12 @@ public class SslTransportFactoryTest extends TestCase {
private SslTransportFactory factory;
private boolean verbose;
+ @Override
protected void setUp() throws Exception {
factory = new SslTransportFactory();
}
+ @Override
protected void tearDown() throws Exception {
super.tearDown();
}
@@ -96,6 +98,12 @@ public class SslTransportFactoryTest extends TestCase {
// -1 since the option range is [-1,1], not [0,2].
optionSettings[j] = getMthNaryDigit(i, j, 3) - 1;
+ //We now always set options to a default we default verifyHostName to true
+ //so we setSSLParameters so make the not set value = 0
+ if (optionSettings[j] == -1) {
+ optionSettings[j] = 0;
+ }
+
if (optionSettings[j] != -1) {
options.put(optionNames[j], optionSettings[j] == 1 ? "true" : "false");
}
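Review bot: After the added block maps `-1` to `0`, the guard `if (optionSettings[j] != -1)` directly below it can never be false, so the "option not set" case is no longer exercised and the enumerated three-state combinations now contain duplicates of the explicit-`false` case. Either drop the dead guard and call `options.put(optionNames[j], optionSettings[j] == 1 ? "true" : "false");` unconditionally, or keep the unset case and assert the defaults expected for it. The added comment is also hard to parse; something like `// SSL parameters are now always applied with defaults, so treat "not set" (-1) as false (0)` reads more clearly, if that matches the intent. The loop and method this sits in start and end outside the hunk.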
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/InconsistentConnectorPropertiesBehaviour.xml
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/InconsistentConnectorPropertiesBehaviour.xml b/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/InconsistentConnectorPropertiesBehaviour.xml
index c672f6d..0241f67 100644
--- a/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/InconsistentConnectorPropertiesBehaviour.xml
+++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/InconsistentConnectorPropertiesBehaviour.xml
@@ -36,12 +36,12 @@
</sslContext>
<transportConnectors>
- <transportConnector name="stomp+ssl+special" uri="stomp+ssl://0.0.0.0:0?needClientAuth=true" />
- <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:0?transport.needClientAuth=true" />
- <transportConnector name="stomp+nio+ssl+special" uri="stomp+nio+ssl://0.0.0.0:0?needClientAuth=true" />
- <transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:0?transport.needClientAuth=true" />
- <transportConnector name="mqtt+ssl" uri="mqtt+ssl://0.0.0.0:0?transport.needClientAuth=true" />
- <transportConnector name="mqtt+nio+ssl" uri="mqtt+nio+ssl://0.0.0.0:0?transport.needClientAuth=true" />
+ <transportConnector name="stomp+ssl+special" uri="stomp+ssl://0.0.0.0:0?needClientAuth=true&transport.verifyHostName=false" />
+ <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" />
+ <transportConnector name="stomp+nio+ssl+special" uri="stomp+nio+ssl://0.0.0.0:0?needClientAuth=true&transport.verifyHostName=false" />
+ <transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" />
+ <transportConnector name="mqtt+ssl" uri="mqtt+ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" />
+ <transportConnector name="mqtt+nio+ssl" uri="mqtt+nio+ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" />
</transportConnectors>
</broker>
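Review bot: The added `uri` attributes show a bare `&` before `transport.verifyHostName=false`, which is not well-formed inside an XML attribute value; it has to be written `&amp;`. This plain-text rendering may simply have decoded the entity (the removed line in JaasDualAuthenticationNetworkBridge.xml shows the same bare form), so confirm the committed files contain `&amp;transport.verifyHostName=false`. The point applies equally to the hunks in JaasStompSSLBroker.xml, JaasDualAuthenticationNetworkBridge.xml and JaasDualAuthenticationNetworkBridgeNioSsl.xml.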
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/JaasStompSSLBroker.xml
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/JaasStompSSLBroker.xml b/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/JaasStompSSLBroker.xml
index 70af5fa..3778173 100644
--- a/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/JaasStompSSLBroker.xml
+++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/JaasStompSSLBroker.xml
@@ -36,10 +36,10 @@
</sslContext>
<transportConnectors>
- <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:0?transport.needClientAuth=true" />
- <transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:0?transport.needClientAuth=true" />
- <transportConnector name="openwire+ssl" uri="ssl://0.0.0.0:0?transport.needClientAuth=true" />
- <transportConnector name="openwire+nio+ssl" uri="nio+ssl://0.0.0.0:0?transport.needClientAuth=true" />
+ <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" />
+ <transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" />
+ <transportConnector name="openwire+ssl" uri="ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" />
+ <transportConnector name="openwire+nio+ssl" uri="nio+ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" />
</transportConnectors>
</broker>
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridge.xml
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridge.xml b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridge.xml
index faae4db..e2eddb9 100644
--- a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridge.xml
+++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridge.xml
@@ -171,7 +171,7 @@
</systemUsage>
<transportConnectors>
- <transportConnector name="openwire+ssl-2" uri="ssl://0.0.0.0:61626?transport.closeAsync=false&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.needClientAuth=true"/>
+ <transportConnector name="openwire+ssl-2" uri="ssl://0.0.0.0:61626?transport.closeAsync=false&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.needClientAuth=true&transport.verifyHostName=false"/>
</transportConnectors>
</broker>
</beans>
http://git-wip-us.apache.org/repos/asf/activemq/blob/69fad2a1/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSsl.xml
----------------------------------------------------------------------
diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSsl.xml b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSsl.xml
index 9e5e7d1..eb3d2fd 100644
--- a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSsl.xml
+++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSsl.xml
@@ -171,7 +171,7 @@
</systemUsage>
<transportConnectors>
- <transportConnector name="openwire+nio-ssl-2" uri="nio+ssl://0.0.0.0:61626?transport.closeAsync=false&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.needClientAuth=true"/>
+ <transportConnector name="openwire+nio-ssl-2" uri="nio+ssl://0.0.0.0:61626?transport.closeAsync=false&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.needClientAuth=true&transport.verifyHostName=false"/>
</transportConnectors>
</broker>
</beans>