AMQ-7047 - Switch default for hostname verification to be false for

server

For the client it makes sense to have it true by default but for the
server it makes sense to have it false by default
This commit is contained in:
Christopher L. Shannon (cshannon) 2018-08-31 13:04:14 -04:00
parent 69fad2a135
commit 1e31df9800
17 changed files with 36 additions and 37 deletions

View File

@ -185,7 +185,7 @@ public class AmqpTestSupport {
}
if (isUseSslConnector()) {
connector = brokerService.addConnector(
"amqp+ssl://0.0.0.0:" + amqpSslPort + "?transport.verifyHostName=false&transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
"amqp+ssl://0.0.0.0:" + amqpSslPort + "?transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
amqpSslPort = connector.getConnectUri().getPort();
amqpSslURI = connector.getPublishableConnectURI();
LOG.debug("Using amqp+ssl port " + amqpSslPort);
@ -199,7 +199,7 @@ public class AmqpTestSupport {
}
if (isUseNioPlusSslConnector()) {
connector = brokerService.addConnector(
"amqp+nio+ssl://0.0.0.0:" + amqpNioPlusSslPort + "?transport.verifyHostName=false&transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
"amqp+nio+ssl://0.0.0.0:" + amqpNioPlusSslPort + "?transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
amqpNioPlusSslPort = connector.getConnectUri().getPort();
amqpNioPlusSslURI = connector.getPublishableConnectURI();
LOG.debug("Using amqp+nio+ssl port " + amqpNioPlusSslPort);

View File

@ -79,7 +79,7 @@ public class JMSClientAutoSslAuthTest extends JMSClientTestSupport {
@Override
protected String getAdditionalConfig() {
return "?transport.needClientAuth=true&transport.verifyHostName=false";
return "?transport.needClientAuth=true";
}

View File

@ -57,7 +57,7 @@ public class NIOSSLTransport extends NIOTransport {
protected boolean wantClientAuth;
protected String[] enabledCipherSuites;
protected String[] enabledProtocols;
protected boolean verifyHostName = true;
protected boolean verifyHostName = false;
protected SSLContext sslContext;
protected SSLEngine sslEngine;

View File

@ -96,6 +96,7 @@ public class SslTransport extends TcpTransport {
verifyHostName = Boolean.parseBoolean(socketOptions.get("verifyHostName").toString());
socketOptions.remove("verifyHostName");
} else {
//If null and not set then this is a client so default to true
verifyHostName = true;
}
}

View File

@ -80,7 +80,7 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
protected int minmumWireFormatVersion;
protected boolean useQueueForAccept = true;
protected boolean allowLinkStealing;
protected boolean verifyHostName = true;
protected boolean verifyHostName = false;
/**
* trace=true -> the Transport stack where this TcpTransport object will be, will have a TransportLogger layer
@ -176,6 +176,8 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
if (socket instanceof SSLServerSocket) {
if (transportOptions.containsKey("verifyHostName")) {
verifyHostName = Boolean.parseBoolean(transportOptions.get("verifyHostName").toString());
} else {
transportOptions.put("verifyHostName", verifyHostName);
}
if (verifyHostName) {

View File

@ -55,7 +55,7 @@ public class MQTTAutoSslAuthTest extends MQTTTestSupport {
*/
public MQTTAutoSslAuthTest(String protocol) {
this.protocol = protocol;
protocolConfig = "transport.needClientAuth=true&transport.verifyHostName=false&";
protocolConfig = "transport.needClientAuth=true";
}
@Override

View File

@ -54,7 +54,7 @@ public class StompSslAuthTest extends StompTest {
@Override
public void addOpenWireConnector() throws Exception {
TransportConnector connector = brokerService.addConnector("ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false");
TransportConnector connector = brokerService.addConnector("ssl://0.0.0.0:0?transport.needClientAuth=true");
cf = new ActiveMQConnectionFactory(connector.getPublishableConnectString() + "?socket.verifyHostName=false");
}

View File

@ -71,7 +71,7 @@ public class AMQ6599Test {
brokerService.setPersistent(false);
TransportConnector connector = brokerService.addConnector(protocol +
"://localhost:0?transport.soTimeout=3500&transport.verifyHostName=false");
"://localhost:0?transport.soTimeout=3500");
connector.setName("connector");
uri = connector.getPublishableConnectString();

View File

@ -47,7 +47,7 @@ public class NetworkReconnectSslNioTest {
remote.setSslContext(sslContext);
remote.setUseJmx(false);
remote.setPersistent(false);
final TransportConnector transportConnector = remote.addConnector("nio+ssl://0.0.0.0:0?transport.verifyHostName=false");
final TransportConnector transportConnector = remote.addConnector("nio+ssl://0.0.0.0:0");
remote.start();
BrokerService local = new BrokerService();

View File

@ -75,7 +75,7 @@ public class AutoSslAuthTest {
BrokerService brokerService = new BrokerService();
brokerService.setPersistent(false);
TransportConnector connector = brokerService.addConnector(protocol + "://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false");
TransportConnector connector = brokerService.addConnector(protocol + "://localhost:0?transport.needClientAuth=true");
connector.setName("auto");
uri = connector.getPublishableConnectString();
@ -126,7 +126,7 @@ public class AutoSslAuthTest {
@Test(timeout = 60000)
public void testConnect() throws Exception {
ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory();
factory.setBrokerURL(uri + "?socket.verifyHostName=false");
factory.setBrokerURL(uri);
//Create 5 connections to make sure all are properly set
for (int i = 0; i < 5; i++) {

View File

@ -103,9 +103,6 @@ public class AutoTransportConnectionsTest {
}
public void configureConnectorAndStart(String bindAddress) throws Exception {
if (bindAddress.contains("ssl")) {
bindAddress += bindAddress.contains("?") ? "&transport.verifyHostName=false" : "?transport.verifyHostName=false";
}
connector = service.addConnector(bindAddress);
connectionUri = connector.getPublishableConnectString();
if (connectionUri.contains("ssl")) {

View File

@ -80,28 +80,28 @@ public class NIOSSLBasicTest {
@Test
public void basicConnector() throws Exception {
BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false");
BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true");
basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort() + "?socket.verifyHostName=false");
stopBroker(broker);
}
@Test
public void enabledCipherSuites() throws Exception {
BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false&transport.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256&transport.verifyHostName=false");
BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false&transport.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256");
basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort() + "?socket.verifyHostName=false");
stopBroker(broker);
}
@Test
public void enabledProtocols() throws Exception {
BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:61616?transport.needClientAuth=true&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.verifyHostName=false");
BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:61616?transport.needClientAuth=true&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2");
basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort() + "?socket.verifyHostName=false");
stopBroker(broker);
}
//Client/server is missing verifyHostName=false so it should fail as cert doesn't have right host name
//Client is missing verifyHostName=false so it should fail as cert doesn't have right host name
@Test(expected = Exception.class)
public void verifyHostNameError() throws Exception {
public void verifyHostNameErrorClient() throws Exception {
BrokerService broker = null;
try {
broker = createBroker("nio+ssl", getTransportType() + "://localhost:61616?transport.needClientAuth=true");
@ -113,7 +113,6 @@ public class NIOSSLBasicTest {
}
}
public void basicSendReceive(String uri) throws Exception {
ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(uri);
Connection connection = factory.createConnection();

View File

@ -74,7 +74,7 @@ public class NIOSSLLoadTest {
broker = new BrokerService();
broker.setPersistent(false);
broker.setUseJmx(false);
connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false&transport.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256");
connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true&transport.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256");
broker.start();
broker.waitUntilStarted();

View File

@ -30,11 +30,11 @@ import javax.jms.Session;
@SuppressWarnings("javadoc")
public class NIOSSLWindowSizeTest extends TestCase {
BrokerService broker;
Connection connection;
Session session;
public static final String KEYSTORE_TYPE = "jks";
public static final String PASSWORD = "password";
public static final String SERVER_KEYSTORE = "src/test/resources/server.keystore";
@ -46,7 +46,7 @@ public class NIOSSLWindowSizeTest extends TestCase {
public static final int MESSAGE_SIZE = 65536;
byte[] messageData;
@Override
protected void setUp() throws Exception {
System.setProperty("javax.net.ssl.trustStore", TRUST_KEYSTORE);
@ -59,19 +59,19 @@ public class NIOSSLWindowSizeTest extends TestCase {
broker = new BrokerService();
broker.setPersistent(false);
broker.setUseJmx(false);
TransportConnector connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false");
TransportConnector connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true");
broker.start();
broker.waitUntilStarted();
messageData = new byte[MESSAGE_SIZE];
for (int i = 0; i < MESSAGE_SIZE; i++)
{
messageData[i] = (byte) (i & 0xff);
}
ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("nio+ssl://localhost:" + connector.getConnectUri().getPort());
connection = factory.createConnection();
session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
connection.start();
}
@ -100,14 +100,14 @@ public class NIOSSLWindowSizeTest extends TestCase {
prod.send(msg);
} finally {
prod.close();
}
}
MessageConsumer cons = null;
try
try
{
cons = session.createConsumer(dest);
assertNotNull(cons.receive(30000L));
} finally {
cons.close();
}
}
}
}

View File

@ -36,10 +36,10 @@
</sslContext>
<transportConnectors>
<transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:0?transport.needClientAuth=true&amp;transport.verifyHostName=false" />
<transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:0?transport.needClientAuth=true&amp;transport.verifyHostName=false" />
<transportConnector name="openwire+ssl" uri="ssl://0.0.0.0:0?transport.needClientAuth=true&amp;transport.verifyHostName=false" />
<transportConnector name="openwire+nio+ssl" uri="nio+ssl://0.0.0.0:0?transport.needClientAuth=true&amp;transport.verifyHostName=false" />
<transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:0?transport.needClientAuth=true" />
<transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:0?transport.needClientAuth=true" />
<transportConnector name="openwire+ssl" uri="ssl://0.0.0.0:0?transport.needClientAuth=true" />
<transportConnector name="openwire+nio+ssl" uri="nio+ssl://0.0.0.0:0?transport.needClientAuth=true" />
</transportConnectors>
</broker>

View File

@ -171,7 +171,7 @@
</systemUsage>
<transportConnectors>
<transportConnector name="openwire+ssl-2" uri="ssl://0.0.0.0:61626?transport.closeAsync=false&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&amp;transport.needClientAuth=true&amp;transport.verifyHostName=false"/>
<transportConnector name="openwire+ssl-2" uri="ssl://0.0.0.0:61626?transport.closeAsync=false&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&amp;transport.needClientAuth=true"/>
</transportConnectors>
</broker>
</beans>

View File

@ -171,7 +171,7 @@
</systemUsage>
<transportConnectors>
<transportConnector name="openwire+nio-ssl-2" uri="nio+ssl://0.0.0.0:61626?transport.closeAsync=false&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&amp;transport.needClientAuth=true&amp;transport.verifyHostName=false"/>
<transportConnector name="openwire+nio-ssl-2" uri="nio+ssl://0.0.0.0:61626?transport.closeAsync=false&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&amp;transport.needClientAuth=true"/>
</transportConnectors>
</broker>
</beans>