From tab...@apache.org
Subject svn commit: r920928 - in /activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp: SslTransport.cs SslTransportFactory.cs
Date Tue, 09 Mar 2010 15:46:18 GMT
Author: tabish
Date: Tue Mar  9 15:46:18 2010
New Revision: 920928

URL: http://svn.apache.org/viewvc?rev=920928&view=rev
Log:
https://issues.apache.org/activemq/browse/AMQNET-239

Update the SslTransport to add an acceptInvalidBrokerCert option and to supply a client Certificate
if the configuration supplies a location to read one from.

Modified:
    activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs
    activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs

Modified: activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs
URL: http://svn.apache.org/viewvc/activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs?rev=920928&r1=920927&r2=920928&view=diff
==============================================================================
--- activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs
(original)
+++ activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs
Tue Mar  9 15:46:18 2010
@@ -27,10 +27,11 @@ namespace Apache.NMS.ActiveMQ.Transport.
 {
     public class SslTransport : TcpTransport
     {
-        private string brokerCertLocation;
-        private string brokerCertPassword;
         private string clientCertLocation;
         private string clientCertPassword;
+        
+        private bool acceptInvalidBrokerCert = false;
+        
         private SslStream sslStream;
 
         public SslTransport(Uri location, Socket socket, IWireFormat wireFormat) :
@@ -43,29 +44,36 @@ namespace Apache.NMS.ActiveMQ.Transport.
             Dispose(false);
         }
 
-        public string BrokerCertLocation
-        {
-            get { return this.brokerCertLocation; }
-            set { this.brokerCertLocation = value; }
-        }
-
-        public string BrokerCertPassword
-        {
-            get { return this.brokerCertPassword; }
-            set { this.brokerCertPassword = value; }
-        }
-
+        /// <summary>
+        /// Indicates the location of the Client Certificate to use when the Broker
+        /// is configured for Client Auth (not common).  The SslTransport will supply
+        /// this certificate to the SslStream via the SelectLocalCertificate method.
+        /// </summary>
         public string ClientCertLocation
         {
             get { return this.clientCertLocation; }
             set { this.clientCertLocation = value; }
         }
 
+        /// <summary>
+        /// Password for the Client Certificate specified via configuration.
+        /// </summary>
         public string ClientCertPassword
         {
             get { return this.clientCertPassword; }
             set { this.clientCertPassword = value; }
         }
+       
+        /// <summary>
+        /// Indicates if the SslTransport should ignore any errors in the supplied Broker
+        /// certificate and connect anyway, this is useful in testing with a default AMQ
+        /// broker certificate that is self signed.
+        /// </summary>
+        public bool AcceptInvalidBrokerCert
+        {
+            get { return this.acceptInvalidBrokerCert; }
+            set { this.acceptInvalidBrokerCert = value; }
+        }
         
         protected override Stream CreateSocketStream()
         {
@@ -73,11 +81,19 @@ namespace Apache.NMS.ActiveMQ.Transport.
             {
                 return this.sslStream;
             }
+            
+            LocalCertificateSelectionCallback clientCertSelect = null;
+            
+            if(this.clientCertLocation != null )
+            {
+                clientCertSelect = new LocalCertificateSelectionCallback(SelectLocalCertificate);
+            }
 
             this.sslStream = new SslStream(
                 new NetworkStream(this.socket), 
                 false,
-                new RemoteCertificateValidationCallback(ValidateServerCertificate));
+                new RemoteCertificateValidationCallback(ValidateServerCertificate),
+                clientCertSelect );
 
             try
             {
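Review bot: The guard `if(this.clientCertLocation != null )` installs the selection callback for an empty string as well, so a location option that is present but blank (plausible when the value comes from a URI or configuration string, though the parsing is not visible here) is only rejected later inside SelectLocalCertificate, during the handshake. Consider `if(!string.IsNullOrEmpty(this.clientCertLocation))` here, and optionally a `File.Exists` check up front so a misconfigured path fails with a clear message rather than an exception thrown from inside the SslStream callback. The try block that follows and the rest of CreateSocketStream are outside this hunk.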
@@ -101,10 +117,10 @@ namespace Apache.NMS.ActiveMQ.Transport.
             return sslStream;
         }
 
-        private static bool ValidateServerCertificate(object sender,
-                                                      X509Certificate certificate,
-                                                      X509Chain chain,
-                                                      SslPolicyErrors sslPolicyErrors)
+        private bool ValidateServerCertificate(object sender,
+                                               X509Certificate certificate,
+                                               X509Chain chain,
+                                               SslPolicyErrors sslPolicyErrors)
         {
             Tracer.DebugFormat("ValidateServerCertificate: Issued By {0}", certificate.Issuer);
             if(sslPolicyErrors == SslPolicyErrors.None)
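Review bot: `certificate.Issuer` on the Tracer.DebugFormat line is dereferenced before sslPolicyErrors is inspected, and with the RemoteCertificateNotAvailable branch this commit adds later in the same method the certificate argument can be null in exactly that case, so the callback would throw a NullReferenceException instead of reaching the new log message. Guard the trace, e.g. `Tracer.DebugFormat("ValidateServerCertificate: Issued By {0}", certificate != null ? certificate.Issuer : "<none>");`. The method body continues outside this hunk.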
@@ -126,9 +142,27 @@ namespace Apache.NMS.ActiveMQ.Transport.
             {
                 Tracer.Error("Mismatch between Remote Cert Name.");
             }
+            else if(sslPolicyErrors == SslPolicyErrors.RemoteCertificateNotAvailable)
+            {
+                Tracer.Error("The Remote Certificate was not Available.");
+            }
 
-            // Just ignore any cert errors for now.
-            return true;
+            // Configuration may or may not allow us to connect with an invliad broker cert.
+            return AcceptInvalidBrokerCert;
         }
+        
+        private X509Certificate SelectLocalCertificate(object sender,
+                                                       string targetHost, 
+                                                       X509CertificateCollection localCertificates,

+                                                       X509Certificate remoteCertificate,

+                                                       string[] acceptableIssuers)
+        {    
+            Tracer.Debug("Client is selecting a local certificate.");
+        
+            X509Certificate2 certificate = new X509Certificate2( clientCertLocation, clientCertPassword
);
+                        
+            return certificate;
+        }
+        
     }
 }
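Review bot: Returning AcceptInvalidBrokerCert after the error branches means that when the option is set every policy error, a name mismatch included, is accepted and the connection proceeds, but the only trace is an Error-level line that reads like a failure; an operator cannot tell from the log that a live connection is running without broker verification. Log the bypass explicitly before the return, e.g. `if(AcceptInvalidBrokerCert) { Tracer.Warn("Broker certificate validation failed; continuing because AcceptInvalidBrokerCert is set."); }`, and fix the typo `invliad` in the comment above it. SelectLocalCertificate also reloads the PFX and its password from disk on every invocation and ignores acceptableIssuers; loading the X509Certificate2 once (in CreateSocketStream or lazily into a field) would make a missing file or wrong password fail once, up front, rather than as a CryptographicException thrown from inside the SslStream callback on each handshake.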

Modified: activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs
URL: http://svn.apache.org/viewvc/activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs?rev=920928&r1=920927&r2=920928&view=diff
==============================================================================
--- activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs
(original)
+++ activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs
Tue Mar  9 15:46:18 2010
@@ -23,26 +23,13 @@ namespace Apache.NMS.ActiveMQ.Transport.
 {
 	public class SslTransportFactory : TcpTransportFactory
 	{
-        private string brokerCertLocation;
-        private string brokerCertPassword;
         private string clientCertLocation;
         private string clientCertPassword;
+        private bool acceptInvalidBrokerCert = false;
         
         public SslTransportFactory() : base()
         {
         }
-                
-        public string BrokerCertLocation
-        {
-            get { return this.brokerCertLocation; }
-            set { this.brokerCertLocation = value; }
-        }
-
-        public string BrokerCertPassword
-        {
-            get { return this.brokerCertPassword; }
-            set { this.brokerCertPassword = value; }
-        }
 
         public string ClientCertLocation
         {
@@ -56,15 +43,20 @@ namespace Apache.NMS.ActiveMQ.Transport.
             set { this.clientCertPassword = value; }
         }        
 
+        public bool AcceptInvalidBrokerCert
+        {
+            get { return this.acceptInvalidBrokerCert; }
+            set { this.acceptInvalidBrokerCert = value; }
+        }
+        
 		protected override ITransport DoCreateTransport(Uri location, Socket socket, IWireFormat
wireFormat )
 		{
             Tracer.Debug("Creating new instance of the SSL Transport.");
 			SslTransport transport = new SslTransport(location, socket, wireFormat);
             
-            transport.BrokerCertLocation = BrokerCertLocation;
-            transport.BrokerCertPassword = BrokerCertPassword;
             transport.ClientCertLocation = ClientCertLocation;
             transport.ClientCertPassword = ClientCertPassword;
+            transport.AcceptInvalidBrokerCert = AcceptInvalidBrokerCert;
             
             return transport;
 		}		
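Review bot: AcceptInvalidBrokerCert on the factory carries no XML documentation, unlike the matching property added to SslTransport in this same commit, yet this is the property a user's transport configuration is likely to set. Add a `<summary>` mirroring the transport's, stating the false default, that enabling it disables broker certificate verification, and that DoCreateTransport copies the value onto every transport it creates. The class continues outside this hunk.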


