This closes #3081
This commit is contained in:
Clebert Suconic
commit
93b68eb0f6
|
|
@ -73,6 +73,7 @@ import io.netty.util.concurrent.GenericFutureListener;
|
|||
import io.netty.util.concurrent.GlobalEventExecutor;
|
||||
import org.apache.activemq.artemis.api.config.ActiveMQDefaultConfiguration;
|
||||
import org.apache.activemq.artemis.api.core.ActiveMQException;
|
||||
import org.apache.activemq.artemis.api.core.Pair;
|
||||
import org.apache.activemq.artemis.api.core.SimpleString;
|
||||
import org.apache.activemq.artemis.api.core.TransportConfiguration;
|
||||
import org.apache.activemq.artemis.api.core.management.CoreNotificationType;
|
||||
|
|
@ -404,12 +405,24 @@ public class NettyAcceptor extends AbstractAcceptor {
|
|||
@Override
|
||||
public void initChannel(Channel channel) throws Exception {
|
||||
ChannelPipeline pipeline = channel.pipeline();
|
||||
Pair<String, Integer> peerInfo = getPeerInfo(channel);
|
||||
if (sslEnabled) {
|
||||
pipeline.addLast("ssl", getSslHandler(channel.alloc()));
|
||||
pipeline.addLast("ssl", getSslHandler(channel.alloc(), peerInfo.getA(), peerInfo.getB()));
|
||||
pipeline.addLast("sslHandshakeExceptionHandler", new SslHandshakeExceptionHandler());
|
||||
}
|
||||
pipeline.addLast(protocolHandler.getProtocolDecoder());
|
||||
}
|
||||
|
||||
private Pair<String, Integer> getPeerInfo(Channel channel) {
|
||||
try {
|
||||
String[] peerInfo = channel.remoteAddress().toString().replace("/", "").split(":");
|
||||
return new Pair<>(peerInfo[0], Integer.parseInt(peerInfo[1]));
|
||||
} catch (Exception e) {
|
||||
logger.debug("Failed to parse peer info for SSL engine initialization", e);
|
||||
}
|
||||
|
||||
return new Pair<>(null, 0);
|
||||
}
|
||||
};
|
||||
bootstrap.childHandler(factory);
|
||||
|
||||
|
|
@ -498,12 +511,12 @@ public class NettyAcceptor extends AbstractAcceptor {
|
|||
startServerChannels();
|
||||
}
|
||||
|
||||
public synchronized SslHandler getSslHandler(ByteBufAllocator alloc) throws Exception {
|
||||
public synchronized SslHandler getSslHandler(ByteBufAllocator alloc, String peerHost, int peerPort) throws Exception {
|
||||
SSLEngine engine;
|
||||
if (sslProvider.equals(TransportConstants.OPENSSL_PROVIDER)) {
|
||||
engine = loadOpenSslEngine(alloc);
|
||||
engine = loadOpenSslEngine(alloc, peerHost, peerPort);
|
||||
} else {
|
||||
engine = loadJdkSslEngine();
|
||||
engine = loadJdkSslEngine(peerHost, peerPort);
|
||||
}
|
||||
|
||||
engine.setUseClientMode(false);
|
||||
|
|
@ -572,7 +585,7 @@ public class NettyAcceptor extends AbstractAcceptor {
|
|||
return new SslHandler(engine);
|
||||
}
|
||||
|
||||
private SSLEngine loadJdkSslEngine() throws Exception {
|
||||
private SSLEngine loadJdkSslEngine(String peerHost, int peerPort) throws Exception {
|
||||
final SSLContext context;
|
||||
try {
|
||||
if (kerb5Config == null && keyStorePath == null && TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER.equals(keyStoreProvider))
|
||||
|
|
@ -602,8 +615,8 @@ public class NettyAcceptor extends AbstractAcceptor {
|
|||
SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
|
||||
@Override
|
||||
public SSLEngine run() {
|
||||
if (verifyHost) {
|
||||
return context.createSSLEngine(host, port);
|
||||
if (peerHost != null && peerPort != 0) {
|
||||
return context.createSSLEngine(peerHost, peerPort);
|
||||
} else {
|
||||
return context.createSSLEngine();
|
||||
}
|
||||
|
|
@ -612,7 +625,7 @@ public class NettyAcceptor extends AbstractAcceptor {
|
|||
return engine;
|
||||
}
|
||||
|
||||
private SSLEngine loadOpenSslEngine(ByteBufAllocator alloc) throws Exception {
|
||||
private SSLEngine loadOpenSslEngine(ByteBufAllocator alloc, String peerHost, int peerPort) throws Exception {
|
||||
final SslContext context;
|
||||
try {
|
||||
if (kerb5Config == null && keyStorePath == null && TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER.equals(keyStoreProvider))
|
||||
|
|
@ -642,8 +655,8 @@ public class NettyAcceptor extends AbstractAcceptor {
|
|||
SSLEngine engine = Subject.doAs(subject, new PrivilegedExceptionAction<SSLEngine>() {
|
||||
@Override
|
||||
public SSLEngine run() {
|
||||
if (verifyHost) {
|
||||
return context.newEngine(alloc, host, port);
|
||||
if (peerHost != null && peerPort != 0) {
|
||||
return context.newEngine(alloc, peerHost, peerPort);
|
||||
} else {
|
||||
return context.newEngine(alloc);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -74,34 +74,7 @@ public class CoreClientOverTwoWayOpenSSLServerTest extends ActiveMQTestBase {
|
|||
public static final SimpleString QUEUE = new SimpleString("QueueOverSSL");
|
||||
|
||||
/**
|
||||
* These artifacts are required for testing 2-way SSL with open SSL - note the EC key and ECDSA signature to comply with what OpenSSL offers
|
||||
*
|
||||
* Commands to create the JKS artifacts:
|
||||
* keytool -genkey -keystore openssl-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
|
||||
* keytool -export -keystore openssl-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
|
||||
* keytool -import -keystore openssl-server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
|
||||
*
|
||||
* keytool -genkey -keystore openssl-server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
|
||||
* keytool -export -keystore openssl-server-side-keystore.jks -file activemq-jks.cer -storepass secureexample
|
||||
* keytool -import -keystore openssl-client-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
|
||||
*
|
||||
* keytool -genkey -keystore verified-openssl-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
|
||||
* keytool -export -keystore verified-openssl-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
|
||||
* keytool -import -keystore verified-openssl-server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
|
||||
*
|
||||
* Commands to create the JCEKS artifacts:
|
||||
* keytool -genkey -keystore openssl-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
|
||||
* keytool -export -keystore openssl-client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
|
||||
* keytool -import -keystore openssl-server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
|
||||
*
|
||||
* keytool -genkey -keystore openssl-server-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
|
||||
* keytool -export -keystore openssl-server-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
|
||||
* keytool -import -keystore openssl-client-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
|
||||
*
|
||||
* keytool -genkey -keystore verified-openssl-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
|
||||
* keytool -export -keystore verified-openssl-client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
|
||||
* keytool -import -keystore verified-openssl-server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
|
||||
*
|
||||
* See {@link CoreClientOverTwoWayOpenSSLTest} for details about the SSL artifacts needed for this test.
|
||||
*/
|
||||
|
||||
private String storeType;
|
||||
|
|
|
|||
|
|
@ -85,7 +85,7 @@ public class CoreClientOverTwoWayOpenSSLTest extends ActiveMQTestBase {
|
|||
* keytool -export -keystore openssl-server-side-keystore.jks -file activemq-jks.cer -storepass secureexample
|
||||
* keytool -import -keystore openssl-client-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
|
||||
*
|
||||
* keytool -genkey -keystore verified-openssl-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
|
||||
* keytool -genkey -keystore verified-openssl-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA -ext san=ip:127.0.0.1
|
||||
* keytool -export -keystore verified-openssl-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
|
||||
* keytool -import -keystore verified-openssl-server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
|
||||
*
|
||||
|
|
@ -98,7 +98,7 @@ public class CoreClientOverTwoWayOpenSSLTest extends ActiveMQTestBase {
|
|||
* keytool -export -keystore openssl-server-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
|
||||
* keytool -import -keystore openssl-client-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
|
||||
*
|
||||
* keytool -genkey -keystore verified-openssl-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
|
||||
* keytool -genkey -keystore verified-openssl-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA -ext san=ip:127.0.0.1
|
||||
* keytool -export -keystore verified-openssl-client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
|
||||
* keytool -import -keystore verified-openssl-server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
|
||||
*
|
||||
|
|
|
|||
|
|
@ -85,7 +85,7 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
|
|||
* keytool -export -keystore client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
|
||||
* keytool -import -keystore server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
|
||||
*
|
||||
* keytool -genkey -keystore verified-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
|
||||
* keytool -genkey -keystore verified-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA -ext san=ip:127.0.0.1
|
||||
* keytool -export -keystore verified-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
|
||||
* keytool -import -keystore verified-server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
|
||||
*
|
||||
|
|
@ -94,7 +94,7 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
|
|||
* keytool -export -keystore client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
|
||||
* keytool -import -keystore server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
|
||||
*
|
||||
* keytool -genkey -keystore verified-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
|
||||
* keytool -genkey -keystore verified-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA -ext san=ip:127.0.0.1
|
||||
* keytool -export -keystore verified-client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
|
||||
* keytool -import -keystore verified-server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
|
||||
*
|
||||
|
|
@ -103,7 +103,7 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
|
|||
* keytool -export -keystore client-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample
|
||||
* keytool -import -keystore server-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt
|
||||
*
|
||||
* keytool -genkey -keystore verified-client-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
|
||||
* keytool -genkey -keystore verified-client-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA -ext san=ip:127.0.0.1
|
||||
* keytool -export -keystore verified-client-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample
|
||||
* keytool -import -keystore verified-server-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt
|
||||
*/
|
||||
|
|
|
|||
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Loading…
Reference in New Issue