qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From MattiasÖ <mattias.osterb...@wirelesscar.com>
Subject qpid-amqp-1-0-client-jms and TLS 1.2
Date Thu, 29 Jan 2015 15:52:21 GMT

I have searched the archives for information on the following issue but have
not found any. Please point me in the right direction if there is any :)

I'm trying to achieve a connection towards a broker that only accepts AMQP
1.0 over a TLS 1.2 connection.
In order to do this, I'm using the qpid-amqp-1-0-client-jms lib. However as
far as I can see, this does not seem doable.

I would like to know if this:
a) Is doable by some configuration of the lib that I haven't found?
b) Is a feature that is in the pipe to do, or can it be requested?
c) Is something that I could/should code a patch for and send in for a

Here are my technical findings on the issue:

1) I'm creating a Connection via
2) ConnectionFactoryImpl uses org.apache.qpid.amqp_1_0.client.SSLUtil to
create a SSLContext using provided truststore, keystore etc..
3) SSLUtil initiates a SSLContext with a hardcoded String:
4) In Oracle JDK 7, the file "<jdk installation
path>\jre\lib\security\java.security" register
com.sun.net.ssl.internal.ssl.Provider, an extension of
sun.security.ssl.SunJSSE, as the default JSSE provider. This class is, in
turn, configures that sun.security.ssl.SSLContextImpl$TLS10Context should be
used as SSLContext for the alias "TLS".
5) TLS10Context is only registering TLSv1 and SSLv3 as the default protocols
to use.
6) This means that when org.apache.qpid.amqp_1_0.client.TCPTransportProvier
(which btw lacks a "d" in the name) is creating the underlying connection
between the qpid client and the broker, the SSLSocket only gets enabled with
"TLSv1" and "SSLv3".

I've tried to change TRANSPORT_LAYER_SECURITY_CODE to "TLSv1.2" and
recompile the qpid-amqp-1-0-client-jms lib and use this recompiled version
instead. This was working successfully and gave me a connection that can
connect to a broker configured with any of the following protocols ["SSLv3",
"TLSv1", "TLSv1.1", "TLSv1.2"].
My next test is to once again use "TLS" in SSLUtil, but instead provide
ConnectionFactoryImpl with a list of protocols that I want to be enabled.
These will then be sent downwards through the stack to the
TCPTransportProvier that can apply these directly to the SSLSocket per

All in all, can anyone involved tell me which of a, b or c above, is correct
or should be done?

Best regards,

View this message in context: http://qpid.2158936.n2.nabble.com/qpid-amqp-1-0-client-jms-and-TLS-1-2-tp7619126.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.

To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org

View raw message