activemq-dev mailing list archives

From "Piotr Klimczak (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMQ-5295) HTTPS Network Connector doesn't work with Mutual authentication- HTTPSClientTransport uses wrong SSLSocketFactory
Date Wed, 30 Jul 2014 10:11:38 GMT

    [ https://issues.apache.org/jira/browse/AMQ-5295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14079137#comment-14079137 ]

Piotr Klimczak commented on AMQ-5295:
-------------------------------------

I've just hit a logging bug.
When a certificate is not trusted, the real reason is not thrown.
It is also not logged unless debug is enabled.
And then the code fails with an NPE in a much different part of the code, not pointing to the real cause
of the problem.
When the problems with the keys from the SSL security point of view were solved, everything started to
work.

So now working on patches.

> HTTPS Network Connector doesn't work with Mutual authentication- HTTPSClientTransport uses wrong SSLSocketFactory
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: AMQ-5295
>                 URL: https://issues.apache.org/jira/browse/AMQ-5295
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Connector
>    Affects Versions: 5.9.0
>         Environment: JBoss Fuse 6.1
>            Reporter: Piotr Klimczak
>              Labels: SSL, TLS, mutualSSL
>   Original Estimate: 16h
>  Remaining Estimate: 16h
>
> HttpsClientTransport is getting the wrong SSLSocketFactory.
> The problem is here:
> {code}
>     private SchemeRegistry createSchemeRegistry() {
>         SchemeRegistry schemeRegistry = new SchemeRegistry();
>         try {
>             // register the default socket factory so that it looks at the javax.net.ssl.keyStore,
>             // javax.net.ssl.trustStore, etc, properties by default
>             SSLSocketFactory sslSocketFactory =
>                     new SSLSocketFactory((javax.net.ssl.SSLSocketFactory) javax.net.ssl.SSLSocketFactory.getDefault(),
>                     SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
>             schemeRegistry.register(new Scheme("https", getRemoteUrl().getPort(), sslSocketFactory));
>             return schemeRegistry;
>         } catch (Exception e) {
>             throw new IllegalStateException("Failure trying to create scheme registry", e);
>         }
>     }
> {code}
> The problem with that code is that it never takes the SSLSocketFactory from the Spring context,
> so the one defined in XML is ignored.
> So its code has to be replaced with:
> {code}
>     private SchemeRegistry createSchemeRegistry() {
>         SchemeRegistry schemeRegistry = new SchemeRegistry();
>         try {
>             // use the broker's configured SslContext (key and trust managers from the
>             // <sslContext> XML element) when present, otherwise fall back to the JVM
>             // default factory driven by the javax.net.ssl.* system properties
>             SSLSocketFactory sslSocketFactory =
>                     new SSLSocketFactory(createSocketFactory(),
>                     SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
>             schemeRegistry.register(new Scheme("https", getRemoteUrl().getPort(), sslSocketFactory));
>             return schemeRegistry;
>         } catch (Exception e) {
>             throw new IllegalStateException("Failure trying to create scheme registry", e);
>         }
>     }
> {code}
> And then a new method should be added:
> {code}
>     /**
>      * Creates a new SSL SocketFactory. The given factory will use user-provided
>      * key and trust managers (if the user provided them).
>      *
>      * @return Newly created javax.net.ssl.SSLSocketFactory (the HttpClient
>      *         SSLSocketFactory wrapper above is built on top of it).
>      * @throws IOException if the configured SslContext cannot be initialised
>      */
>     protected javax.net.ssl.SSLSocketFactory createSocketFactory() throws IOException {
>         if (SslContext.getCurrentSslContext() != null) {
>             // SslContext is the broker-wide context populated from the XML configuration
>             SslContext ctx = SslContext.getCurrentSslContext();
>             try {
>                 return ctx.getSSLContext().getSocketFactory();
>             } catch (Exception e) {
>                 throw IOExceptionSupport.create(e);
>             }
>         } else {
>             // no configured context: behave exactly as before and use the JVM default
>             return (javax.net.ssl.SSLSocketFactory) javax.net.ssl.SSLSocketFactory.getDefault();
>         }
>     }
> {code}
> This is a solution consistent with the other transports.
> I will prepare patches and tests for this scenario.
> Greetings
> Piotr Klimczak



--
This message was sent by Atlassian JIRA
(v6.2#6252)
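As an added illustration of the point behind the fix, and not code from the issue or from ActiveMQ, the following standalone Java class builds a client socket factory from explicitly configured key and trust stores (mutual TLS) instead of the JVM default factory, which only honours the javax.net.ssl.* system properties. It also performs the handshake eagerly and unwraps the cause chain, so an untrusted certificate reports its real reason at the connection point rather than surfacing as an NPE elsewhere, which is the logging problem described in the comment above. The class name, store paths, passwords and broker host are constructed placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathValidatorException;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical helper written for this example (not ActiveMQ code). Builds the
 * SSLSocketFactory for an HTTPS client from an explicitly configured key store
 * (client identity) and trust store (accepted server CAs), falling back to the
 * JVM default only when neither is configured.
 */
public final class MutualTlsClientFactory {

    private MutualTlsClientFactory() {}

    /** Loads a JKS or PKCS12 key store from disk. */
    static KeyStore loadKeyStore(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Returns a socket factory backed by the given stores. With both paths null
     * the JVM default is returned, mirroring the fallback branch in the issue.
     */
    public static SSLSocketFactory createSocketFactory(String keyStorePath, char[] keyStorePassword,
                                                       String trustStorePath, char[] trustStorePassword)
            throws IOException, GeneralSecurityException {
        if (keyStorePath == null && trustStorePath == null) {
            return (SSLSocketFactory) SSLSocketFactory.getDefault();
        }
        KeyManagerFactory kmf = null;
        if (keyStorePath != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadKeyStore(keyStorePath, keyStorePassword), keyStorePassword);
        }
        TrustManagerFactory tmf = null;
        if (trustStorePath != null) {
            tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(loadKeyStore(trustStorePath, trustStorePassword));
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        // A null manager array makes SSLContext use the JVM default for that side only.
        ctx.init(kmf == null ? null : kmf.getKeyManagers(),
                 tmf == null ? null : tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /**
     * Runs the handshake immediately so that a rejected certificate fails here,
     * with its cause in the message, instead of as a later NPE downstream.
     */
    public static SSLSocket connect(SSLSocketFactory factory, String host, int port) throws IOException {
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            socket.startHandshake();
        } catch (IOException e) {
            socket.close();
            throw new IOException("TLS handshake with " + host + ":" + port
                    + " failed: " + rootCause(e), e);
        }
        return socket;
    }

    /** Walks the cause chain to the innermost exception, e.g. a CertPathValidatorException. */
    static String rootCause(Throwable t) {
        Throwable cur = t;
        while (cur.getCause() != null && cur.getCause() != cur) {
            cur = cur.getCause();
        }
        if (cur instanceof CertPathValidatorException) {
            return "certificate path validation failed ("
                    + ((CertPathValidatorException) cur).getReason() + "): " + cur.getMessage();
        }
        return cur.getClass().getSimpleName() + ": " + cur.getMessage();
    }

    public static void main(String[] args) throws Exception {
        // Constructed paths, passwords and host; replace with the real configured stores.
        SSLSocketFactory factory = createSocketFactory("client.jks", "changeit".toCharArray(),
                                                       "truststore.jks", "changeit".toCharArray());
        try (SSLSocket s = connect(factory, "broker.example.internal", 8443)) {
            System.out.println("negotiated " + s.getSession().getProtocol()
                    + " with " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Run it with `java MutualTlsClientFactory.java` (JDK 11+) after pointing the paths at a client key store and a trust store containing the broker's CA; with a server certificate that the trust store does not accept, the exception message names the validation reason instead of leaving only a debug-level log line behind.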
