activemq-dev mailing list archives

From "Eric White (JIRA)" <j...@apache.org>
Subject [jira] Commented: (AMQ-1659) SSL Transport configured in wantClientAuth mode never asks for the client certificate during the SSL Handshake
Date Fri, 11 Apr 2008 08:21:43 GMT

    [ https://issues.apache.org/activemq/browse/AMQ-1659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=42201#action_42201 ]

Eric White commented on AMQ-1659:
---------------------------------



The reason I thought throwing an exception was a good idea was, in
reading the JDK API, these two options are really mutually exclusive,
if you set one the other is unset.  So, my thinking was URIs
containing: needClientAuth=true&wantClientAuth=true are technically
incorrect.

That being said, I prefer the approach that you took.  Because from
the end user's perspective it is very difficult to know that
needClientAuth and wantClientAuth override each other deep down inside
of the JDK.  So as you say, if the user configuring ActiveMQ sets
needClientAuth then that should take precedence over wantClientAuth.
This is because needClientAuth is the more restrictive of the two.

I'm sorry I didn't run the tests, that was a lapse of judgment on my part.

Would it be possible to update this page:
http://activemq.apache.org/contributing.html
To include something like this in the "Submitting patches" section:

Quick Check List:
1. Does the patch apply cleanly to the version it is supposed to fix?
2. Does the resulting patched code compile?
3. Do the unit tests run cleanly?

All of these are obvious, but it never hurts to remind everyone.

Thank you very much for fixing this in time for ActiveMQ 4.1.2.  I
really appreciate the quick turnaround.

Regards,
Eric


> SSL Transport configured in wantClientAuth mode never asks for the client certificate during the SSL Handshake
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: AMQ-1659
>                 URL: https://issues.apache.org/activemq/browse/AMQ-1659
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Transport
>    Affects Versions: 4.1.1, 5.0.0
>         Environment: I think this is for all environments, it may be JDK dependent though.
> I tested on:
> Linux  2.6.20-gentoo-r7
> java version "1.6.0"
> Java(TM) SE Runtime Environment (build 1.6.0-b105)
> Java HotSpot(TM) 64-Bit Server VM (build 1.6.0-b105, mixed mode)
>            Reporter: Eric White
>            Assignee: David Jencks
>             Fix For: 4.1.2, 5.1.0
>
>         Attachments: amq-411-complex-version.patch, amq-411-simple-version.patch, amq-500-complex-version.patch, amq-500-simple-version.patch
>
>   Original Estimate: 2 days
>  Remaining Estimate: 2 days
>
> See: http://java.sun.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setWantClientAuth(boolean)
> "
> A socket's client authentication setting is one of the following:
>     * client authentication required
>     * client authentication requested
>     * no client authentication desired 
> "
> In the API it indicates that if you call either setWantClientAuth, or setNeedClientAuth it will override the call to the other.
> Therefore I believe the following code only allows for ActiveMQ to be in two states:
> * Client Authentication Required (needClientAuth==true)
> * No client Authentication Desired (needClientAuth==false)
> activemq-core/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java
> As setWantClientAuth is overridden by setNeedClientAuth.
> public void bind() throws IOException {
>   super.bind();
>   ((SSLServerSocket)this.serverSocket).setWantClientAuth(wantClientAuth);
>   ((SSLServerSocket)this.serverSocket).setNeedClientAuth(needClientAuth);
> }
> I believe this is the same issue as this Jetty issue: http://jira.codehaus.org/browse/JETTY-86

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
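
Added example, not part of the original message and not the ActiveMQ patch: a small Java program that runs all four wantClientAuth/needClientAuth combinations through the call order quoted in the issue and through a single-setter alternative in which needClientAuth takes precedence, then prints the mode the JDK socket actually ends up in. The class name and the helpers applyAsReported, applyWithPrecedence and mode are hypothetical; it assumes the JDK default SSLServerSocketFactory is usable on the machine.

```java
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class ClientAuthModes {
    // Call order from the bind() quoted in the issue: each setter resets the
    // other flag, so setNeedClientAuth(false) wipes an earlier want=true.
    static void applyAsReported(SSLServerSocket s, boolean want, boolean need) {
        s.setWantClientAuth(want);
        s.setNeedClientAuth(need);
    }

    // Hypothetical alternative: call exactly one setter, with need (the more
    // restrictive option) taking precedence over want.
    static void applyWithPrecedence(SSLServerSocket s, boolean want, boolean need) {
        if (need) {
            s.setNeedClientAuth(true);
        } else {
            s.setWantClientAuth(want);
        }
    }

    // Maps the two getters onto the three states listed in the JDK API docs.
    static String mode(SSLServerSocket s) {
        if (s.getNeedClientAuth()) return "required";
        if (s.getWantClientAuth()) return "requested";
        return "none";
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory f =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        // Constructed inputs: every {want, need} combination a URI could carry.
        boolean[][] cases = {{false, false}, {true, false}, {false, true}, {true, true}};
        for (boolean[] c : cases) {
            // Unbound sockets are enough; no port is opened and no handshake runs.
            try (SSLServerSocket a = (SSLServerSocket) f.createServerSocket();
                 SSLServerSocket b = (SSLServerSocket) f.createServerSocket()) {
                applyAsReported(a, c[0], c[1]);
                applyWithPrecedence(b, c[0], c[1]);
                System.out.printf("want=%b need=%b  as-reported=%s  need-precedence=%s%n",
                        c[0], c[1], mode(a), mode(b));
            }
        }
    }
}
```

The row to look at is want=true, need=false: it is the only combination where the two orderings differ, and it is the configuration the issue title describes.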

