qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Godfrey <rob.j.godf...@gmail.com>
Subject Re: qpid-amqp-1-0-client-jms and TLS 1.2
Date Thu, 29 Jan 2015 21:57:51 GMT
I've committed a change which should allow you to set the SSL protocol (and
SSL provider) either as a System Property, or - if you are using the
Connection Factory, using a URL option (see
https://issues.apache.org/jira/browse/QPID-6349)

-- Rob

On 29 January 2015 at 21:25, Rob Godfrey <rob.j.godfrey@gmail.com> wrote:

> Hi (again) Mattias,
>
> Out of interest, which JDK version and platform are you seeing this on.
> Testing with 7u75 on my Mac I see both getInstance("TLS") and
> getInstance("TLSv1.2") return the same set of enabled protocols:
>  ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
>
> The Oracle documentation is wonderfully vague on what you can expect:
>  (from
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext
> )
>
> TLS : Supports some version of TLS; may support other versions
> TLSv1.2 : Supports RFC 5246: TLS version 1.2
> <http://www.ietf.org/rfc/rfc5246.txt> ; may support other versions
>
> My inclination is to leave the default as "TLS" but the user to set both
> the protocol and the provider as system properties, e.g. in your case you
> could do
>
> System.setProperty("qpid.ssl.protocol", "TLSv1.2");
>
> (or obviously set via -D on the command line).
>
> Would that work for you as a solution?
>
> -- Rob
>
> On 29 January 2015 at 20:26, Rob Godfrey <rob.j.godfrey@gmail.com> wrote:
>
>> Hi Mattias,
>>
>> apologies for this, I'll make a fix along the lines you suggested and
>> apply it to trunk this evening.  Thank you for spending the time to
>> investigate the issue and suggest the solution - much appreciated!
>>
>> -- Rob
>>
>> On 29 January 2015 at 16:52, MattiasÖ <mattias.osterberg@wirelesscar.com>
>> wrote:
>>
>>> Hi!
>>>
>>> I have searched the archives for information on the following issue but
>>> have
>>> not found any. Please point me in the right direction if there is any :)
>>>
>>> I'm trying to achieve a connection towards a broker that only accepts
>>> AMQP
>>> 1.0 over a TLS 1.2 connection.
>>> In order to do this, I'm using the qpid-amqp-1-0-client-jms lib. However
>>> as
>>> far as I can see, this does not seem doable.
>>>
>>> I would like to know if this:
>>> a) Is doable by some configuration of the lib that I haven't found?
>>> b) Is a feature that is in the pipe to do, or can it be requested?
>>> c) Is something that I could/should code a patch for and send in for a
>>> review?
>>>
>>> Here are my technical findings on the issue:
>>>
>>> 1) I'm creating a Connection via
>>> org.apache.qpid.amqp_1_0.jms.impl.ConnectionFactoryImpl
>>> 2) ConnectionFactoryImpl uses org.apache.qpid.amqp_1_0.client.SSLUtil to
>>> create a SSLContext using provided truststore, keystore etc..
>>> 3) SSLUtil initiates a SSLContext with a hardcoded String:
>>> TRANSPORT_LAYER_SECURITY_CODE = "TLS"
>>> 4) In Oracle JDK 7, the file "<jdk installation
>>> path>\jre\lib\security\java.security" register
>>> com.sun.net.ssl.internal.ssl.Provider, an extension of
>>> sun.security.ssl.SunJSSE, as the default JSSE provider. This class is, in
>>> turn, configures that sun.security.ssl.SSLContextImpl$TLS10Context
>>> should be
>>> used as SSLContext for the alias "TLS".
>>> 5) TLS10Context is only registering TLSv1 and SSLv3 as the default
>>> protocols
>>> to use.
>>> 6) This means that when
>>> org.apache.qpid.amqp_1_0.client.TCPTransportProvier
>>> (which btw lacks a "d" in the name) is creating the underlying connection
>>> between the qpid client and the broker, the SSLSocket only gets enabled
>>> with
>>> "TLSv1" and "SSLv3".
>>>
>>> I've tried to change TRANSPORT_LAYER_SECURITY_CODE to "TLSv1.2" and
>>> recompile the qpid-amqp-1-0-client-jms lib and use this recompiled
>>> version
>>> instead. This was working successfully and gave me a connection that can
>>> connect to a broker configured with any of the following protocols
>>> ["SSLv3",
>>> "TLSv1", "TLSv1.1", "TLSv1.2"].
>>> My next test is to once again use "TLS" in SSLUtil, but instead provide
>>> ConnectionFactoryImpl with a list of protocols that I want to be enabled.
>>> These will then be sent downwards through the stack to the
>>> TCPTransportProvier that can apply these directly to the SSLSocket per
>>> connection.
>>>
>>> All in all, can anyone involved tell me which of a, b or c above, is
>>> correct
>>> or should be done?
>>>
>>> Best regards,
>>> Mattias
>>>
>>>
>>>
>>> --
>>> View this message in context:
>>> http://qpid.2158936.n2.nabble.com/qpid-amqp-1-0-client-jms-and-TLS-1-2-tp7619126.html
>>> Sent from the Apache Qpid users mailing list archive at Nabble.com.
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
>>> For additional commands, e-mail: users-help@qpid.apache.org
>>>
>>>
>>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message