[prev in list] [next in list] [prev in thread] [next in thread]
List: activemq-dev
Subject: [jira] [Commented] (AMQ-5295) HTTPS Network Connector doesn't work with Mutual authentication- HTTPS
From: "Piotr Klimczak (JIRA)" <jira () apache ! org>
Date: 2014-07-30 10:11:38
Message-ID: JIRA.12730591.1406664255080.74538.1406715098987 () arcas
[Download RAW message or body]
[ https://issues.apache.org/jira/browse/AMQ-5295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14079137#comment-14079137 \
]
Piotr Klimczak commented on AMQ-5295:
-------------------------------------
I've just hit a logging bug.
When certificate is not trusted, then real reason is not thrown.
It is also not logged unless debug is enabled.
And then code fails with NPE in much different part of code not pointing to the real \
cause of problem. When problems with keys from SSL security point of view was solved, \
everything started to work.
So now working on patches.
> HTTPS Network Connector doesn't work with Mutual authentication- \
> HTTPSClientTransport uses wrong SSLSocketFactory
> -----------------------------------------------------------------------------------------------------------------
>
> Key: AMQ-5295
> URL: https://issues.apache.org/jira/browse/AMQ-5295
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.9.0
> Environment: JBoss Fuse 6.1
> Reporter: Piotr Klimczak
> Labels: SSL, TLS, mutualSSL
> Original Estimate: 16h
> Remaining Estimate: 16h
>
> HttpsClientTransport is getting wrong SSLSocketFactory.
> The problem is here:
> {code}
> private SchemeRegistry createSchemeRegistry() {
> SchemeRegistry schemeRegistry = new SchemeRegistry();
> try {
> // register the default socket factory so that it looks at the \
> javax.net.ssl.keyStore, // javax.net.ssl.trustStore, etc, properties by default
> SSLSocketFactory sslSocketFactory =
> new SSLSocketFactory((javax.net.ssl.SSLSocketFactory) \
> javax.net.ssl.SSLSocketFactory.getDefault(), \
> SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER); schemeRegistry.register(new \
> Scheme("https", getRemoteUrl().getPort(), sslSocketFactory)); return \
> schemeRegistry; } catch (Exception e) {
> throw new IllegalStateException("Failure trying to create scheme registry", e);
> }
> }
> {code}
> The problem with that code is, that it never take SSLSocketFactory from spring \
> context. So the one defined in XML is ignored. So it's code have to be replaced \
> with: {code}
> private SchemeRegistry createSchemeRegistry() {
> SchemeRegistry schemeRegistry = new SchemeRegistry();
> try {
> // register the default socket factory so that it looks at the \
> javax.net.ssl.keyStore, // javax.net.ssl.trustStore, etc, properties by default
> SSLSocketFactory sslSocketFactory = createSocketFactory();
> schemeRegistry.register(new Scheme("https", getRemoteUrl().getPort(), \
> sslSocketFactory)); return schemeRegistry;
> } catch (Exception e) {
> throw new IllegalStateException("Failure trying to create scheme registry", e);
> }
> }
> {code}
> And then new method should be added:
> {code}
> /**
> * Creates a new SSL SocketFactory. The given factory will use user-provided
> * key and trust managers (if the user provided them).
> *
> * @return Newly created (Ssl)SocketFactory.
> * @throws IOException
> */
> protected SocketFactory createSocketFactory() throws IOException {
> if (SslContext.getCurrentSslContext() != null) {
> SslContext ctx = SslContext.getCurrentSslContext();
> try {
> return ctx.getSSLContext().getSocketFactory();
> } catch (Exception e) {
> throw IOExceptionSupport.create(e);
> }
> } else {
> return SSLSocketFactory.getDefault();
> }
> }
> {code}
> This is consistent solution with other transports.
> I will prepare patches and tests for this scenerio.
> Greetings
> Piotr Klimczak
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic