Return-Path: X-Original-To: apmail-activemq-dev-archive@www.apache.org Delivered-To: apmail-activemq-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id CD70811ACC for ; Tue, 5 Aug 2014 16:18:13 +0000 (UTC) Received: (qmail 36772 invoked by uid 500); 5 Aug 2014 16:18:13 -0000 Delivered-To: apmail-activemq-dev-archive@activemq.apache.org Received: (qmail 36718 invoked by uid 500); 5 Aug 2014 16:18:13 -0000 Mailing-List: contact dev-help@activemq.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@activemq.apache.org Delivered-To: mailing list dev@activemq.apache.org Received: (qmail 36706 invoked by uid 99); 5 Aug 2014 16:18:13 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 05 Aug 2014 16:18:13 +0000 Date: Tue, 5 Aug 2014 16:18:13 +0000 (UTC) From: "Piotr Klimczak (JIRA)" To: dev@activemq.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (AMQ-5295) HTTPS Network Connector doesn't work with Mutual authentication- HTTPSClientTransport uses wrong SSLSocketFactory MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/AMQ-5295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14086454#comment-14086454 ] Piotr Klimczak commented on AMQ-5295: ------------------------------------- Pull request created: https://github.com/apache/activemq/pull/40 Patch submitted on behalf of WM Promus by Piotr Klimczak > HTTPS Network Connector doesn't work with Mutual authentication- HTTPSClientTransport uses wrong SSLSocketFactory > ----------------------------------------------------------------------------------------------------------------- > > Key: AMQ-5295 > URL: https://issues.apache.org/jira/browse/AMQ-5295 > Project: ActiveMQ > Issue Type: Bug > Components: Connector > Affects Versions: 5.9.0 > Environment: JBoss Fuse 6.1 > Reporter: Piotr Klimczak > Labels: SSL, TLS, mutualSSL > Original Estimate: 16h > Remaining Estimate: 16h > > HttpsClientTransport is getting wrong SSLSocketFactory. > The problem is here: > {code} > private SchemeRegistry createSchemeRegistry() { > SchemeRegistry schemeRegistry = new SchemeRegistry(); > try { > // register the default socket factory so that it looks at the javax.net.ssl.keyStore, > // javax.net.ssl.trustStore, etc, properties by default > SSLSocketFactory sslSocketFactory = > new SSLSocketFactory((javax.net.ssl.SSLSocketFactory) javax.net.ssl.SSLSocketFactory.getDefault(), > SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER); > schemeRegistry.register(new Scheme("https", getRemoteUrl().getPort(), sslSocketFactory)); > return schemeRegistry; > } catch (Exception e) { > throw new IllegalStateException("Failure trying to create scheme registry", e); > } > } > {code} > The problem with that code is, that it never take SSLSocketFactory from spring context. So the one defined in XML is ignored. > So it's code have to be replaced with: > {code} > private SchemeRegistry createSchemeRegistry() { > SchemeRegistry schemeRegistry = new SchemeRegistry(); > try { > // register the default socket factory so that it looks at the javax.net.ssl.keyStore, > // javax.net.ssl.trustStore, etc, properties by default > SSLSocketFactory sslSocketFactory = createSocketFactory(); > schemeRegistry.register(new Scheme("https", getRemoteUrl().getPort(), sslSocketFactory)); > return schemeRegistry; > } catch (Exception e) { > throw new IllegalStateException("Failure trying to create scheme registry", e); > } > } > {code} > And then new method should be added: > {code} > /** > * Creates a new SSL SocketFactory. The given factory will use user-provided > * key and trust managers (if the user provided them). > * > * @return Newly created (Ssl)SocketFactory. > * @throws IOException > */ > protected SocketFactory createSocketFactory() throws IOException { > if (SslContext.getCurrentSslContext() != null) { > SslContext ctx = SslContext.getCurrentSslContext(); > try { > return ctx.getSSLContext().getSocketFactory(); > } catch (Exception e) { > throw IOExceptionSupport.create(e); > } > } else { > return SSLSocketFactory.getDefault(); > } > } > {code} > This is consistent solution with other transports. > I will prepare patches and tests for this scenerio. > Greetings > Piotr Klimczak -- This message was sent by Atlassian JIRA (v6.2#6252)