diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java index 3b0234bd29..924f335bbd 100644 --- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java +++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java @@ -73,6 +73,7 @@ import io.netty.util.concurrent.GenericFutureListener; import io.netty.util.concurrent.GlobalEventExecutor; import org.apache.activemq.artemis.api.config.ActiveMQDefaultConfiguration; import org.apache.activemq.artemis.api.core.ActiveMQException; +import org.apache.activemq.artemis.api.core.Pair; import org.apache.activemq.artemis.api.core.SimpleString; import org.apache.activemq.artemis.api.core.TransportConfiguration; import org.apache.activemq.artemis.api.core.management.CoreNotificationType; @@ -404,12 +405,24 @@ public class NettyAcceptor extends AbstractAcceptor { @Override public void initChannel(Channel channel) throws Exception { ChannelPipeline pipeline = channel.pipeline(); + Pair peerInfo = getPeerInfo(channel); if (sslEnabled) { - pipeline.addLast("ssl", getSslHandler(channel.alloc())); + pipeline.addLast("ssl", getSslHandler(channel.alloc(), peerInfo.getA(), peerInfo.getB())); pipeline.addLast("sslHandshakeExceptionHandler", new SslHandshakeExceptionHandler()); } pipeline.addLast(protocolHandler.getProtocolDecoder()); } + + private Pair getPeerInfo(Channel channel) { + try { + String[] peerInfo = channel.remoteAddress().toString().replace("/", "").split(":"); + return new Pair<>(peerInfo[0], Integer.parseInt(peerInfo[1])); + } catch (Exception e) { + logger.debug("Failed to parse peer info for SSL engine initialization", e); + } + + return new Pair<>(null, 0); + } }; bootstrap.childHandler(factory); @@ -498,12 +511,12 @@ public class NettyAcceptor extends AbstractAcceptor { startServerChannels(); } - public synchronized SslHandler getSslHandler(ByteBufAllocator alloc) throws Exception { + public synchronized SslHandler getSslHandler(ByteBufAllocator alloc, String peerHost, int peerPort) throws Exception { SSLEngine engine; if (sslProvider.equals(TransportConstants.OPENSSL_PROVIDER)) { - engine = loadOpenSslEngine(alloc); + engine = loadOpenSslEngine(alloc, peerHost, peerPort); } else { - engine = loadJdkSslEngine(); + engine = loadJdkSslEngine(peerHost, peerPort); } engine.setUseClientMode(false); @@ -572,7 +585,7 @@ public class NettyAcceptor extends AbstractAcceptor { return new SslHandler(engine); } - private SSLEngine loadJdkSslEngine() throws Exception { + private SSLEngine loadJdkSslEngine(String peerHost, int peerPort) throws Exception { final SSLContext context; try { if (kerb5Config == null && keyStorePath == null && TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER.equals(keyStoreProvider)) @@ -602,8 +615,8 @@ public class NettyAcceptor extends AbstractAcceptor { SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction() { @Override public SSLEngine run() { - if (verifyHost) { - return context.createSSLEngine(host, port); + if (peerHost != null && peerPort != 0) { + return context.createSSLEngine(peerHost, peerPort); } else { return context.createSSLEngine(); } @@ -612,7 +625,7 @@ public class NettyAcceptor extends AbstractAcceptor { return engine; } - private SSLEngine loadOpenSslEngine(ByteBufAllocator alloc) throws Exception { + private SSLEngine loadOpenSslEngine(ByteBufAllocator alloc, String peerHost, int peerPort) throws Exception { final SslContext context; try { if (kerb5Config == null && keyStorePath == null && TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER.equals(keyStoreProvider)) @@ -642,8 +655,8 @@ public class NettyAcceptor extends AbstractAcceptor { SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction() { @Override public SSLEngine run() { - if (verifyHost) { - return context.newEngine(alloc, host, port); + if (peerHost != null && peerPort != 0) { + return context.newEngine(alloc, peerHost, peerPort); } else { return context.newEngine(alloc); } diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLServerTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLServerTest.java index f7fcca811e..78502ec639 100644 --- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLServerTest.java +++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLServerTest.java @@ -74,34 +74,7 @@ public class CoreClientOverTwoWayOpenSSLServerTest extends ActiveMQTestBase { public static final SimpleString QUEUE = new SimpleString("QueueOverSSL"); /** - * These artifacts are required for testing 2-way SSL with open SSL - note the EC key and ECDSA signature to comply with what OpenSSL offers - * - * Commands to create the JKS artifacts: - * keytool -genkey -keystore openssl-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA - * keytool -export -keystore openssl-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample - * keytool -import -keystore openssl-server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt - * - * keytool -genkey -keystore openssl-server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA - * keytool -export -keystore openssl-server-side-keystore.jks -file activemq-jks.cer -storepass secureexample - * keytool -import -keystore openssl-client-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt - * - * keytool -genkey -keystore verified-openssl-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA - * keytool -export -keystore verified-openssl-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample - * keytool -import -keystore verified-openssl-server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt - * - * Commands to create the JCEKS artifacts: - * keytool -genkey -keystore openssl-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA - * keytool -export -keystore openssl-client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample - * keytool -import -keystore openssl-server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt - * - * keytool -genkey -keystore openssl-server-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA - * keytool -export -keystore openssl-server-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample - * keytool -import -keystore openssl-client-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt - * - * keytool -genkey -keystore verified-openssl-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA - * keytool -export -keystore verified-openssl-client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample - * keytool -import -keystore verified-openssl-server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt - * + * See {@link CoreClientOverTwoWayOpenSSLTest} for details about the SSL artifacts needed for this test. */ private String storeType; diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLTest.java index e557dacfb4..cdb8d033f6 100644 --- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLTest.java +++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLTest.java @@ -85,7 +85,7 @@ public class CoreClientOverTwoWayOpenSSLTest extends ActiveMQTestBase { * keytool -export -keystore openssl-server-side-keystore.jks -file activemq-jks.cer -storepass secureexample * keytool -import -keystore openssl-client-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt * - * keytool -genkey -keystore verified-openssl-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA + * keytool -genkey -keystore verified-openssl-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA -ext san=ip:127.0.0.1 * keytool -export -keystore verified-openssl-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample * keytool -import -keystore verified-openssl-server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt * @@ -98,7 +98,7 @@ public class CoreClientOverTwoWayOpenSSLTest extends ActiveMQTestBase { * keytool -export -keystore openssl-server-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample * keytool -import -keystore openssl-client-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt * - * keytool -genkey -keystore verified-openssl-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA + * keytool -genkey -keystore verified-openssl-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA -ext san=ip:127.0.0.1 * keytool -export -keystore verified-openssl-client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample * keytool -import -keystore verified-openssl-server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt * diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java index adf6951d58..b195f1457e 100644 --- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java +++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java @@ -85,7 +85,7 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase { * keytool -export -keystore client-side-keystore.jks -file activemq-jks.cer -storepass secureexample * keytool -import -keystore server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt * - * keytool -genkey -keystore verified-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA + * keytool -genkey -keystore verified-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA -ext san=ip:127.0.0.1 * keytool -export -keystore verified-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample * keytool -import -keystore verified-server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt * @@ -94,7 +94,7 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase { * keytool -export -keystore client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample * keytool -import -keystore server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt * - * keytool -genkey -keystore verified-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA + * keytool -genkey -keystore verified-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA -ext san=ip:127.0.0.1 * keytool -export -keystore verified-client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample * keytool -import -keystore verified-server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt * @@ -103,7 +103,7 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase { * keytool -export -keystore client-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample * keytool -import -keystore server-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt * - * keytool -genkey -keystore verified-client-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA + * keytool -genkey -keystore verified-client-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA -ext san=ip:127.0.0.1 * keytool -export -keystore verified-client-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample * keytool -import -keystore verified-server-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt */ diff --git a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jceks b/tests/unit-tests/src/test/resources/verified-client-side-keystore.jceks index 250832ba8b..b8dad478ca 100644 Binary files a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jceks and b/tests/unit-tests/src/test/resources/verified-client-side-keystore.jceks differ diff --git a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jks b/tests/unit-tests/src/test/resources/verified-client-side-keystore.jks index 88e7e4031d..e9980c3882 100644 Binary files a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jks and b/tests/unit-tests/src/test/resources/verified-client-side-keystore.jks differ diff --git a/tests/unit-tests/src/test/resources/verified-client-side-keystore.p12 b/tests/unit-tests/src/test/resources/verified-client-side-keystore.p12 index 3cee34acc5..2ece21e6bf 100644 Binary files a/tests/unit-tests/src/test/resources/verified-client-side-keystore.p12 and b/tests/unit-tests/src/test/resources/verified-client-side-keystore.p12 differ diff --git a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jceks b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jceks index fc8c4cc4d1..d2f4128a0d 100644 Binary files a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jceks and b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jceks differ diff --git a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jks b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jks index d60a9e7bab..5c25213b6d 100644 Binary files a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jks and b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jks differ diff --git a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jceks b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jceks index c91e3f2e5a..d1b2122d98 100644 Binary files a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jceks and b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jceks differ diff --git a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jks b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jks index 22fda4bb41..6be63f5685 100644 Binary files a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jks and b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jks differ diff --git a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jceks b/tests/unit-tests/src/test/resources/verified-server-side-truststore.jceks index e2bd4b3be0..54fbaa7e3a 100644 Binary files a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jceks and b/tests/unit-tests/src/test/resources/verified-server-side-truststore.jceks differ diff --git a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jks b/tests/unit-tests/src/test/resources/verified-server-side-truststore.jks index 8d2288a07f..ec96e7bbb5 100644 Binary files a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jks and b/tests/unit-tests/src/test/resources/verified-server-side-truststore.jks differ diff --git a/tests/unit-tests/src/test/resources/verified-server-side-truststore.p12 b/tests/unit-tests/src/test/resources/verified-server-side-truststore.p12 index 619adb2ba4..5da56154f8 100644 Binary files a/tests/unit-tests/src/test/resources/verified-server-side-truststore.p12 and b/tests/unit-tests/src/test/resources/verified-server-side-truststore.p12 differ