AMQ-7047 - Switch default for hostname verification to be false for
server. For the client it makes sense to have it true by default, but for the server it makes sense to have it false by default.
parent
69fad2a135
commit
1e31df9800
|
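--- a/[path not shown]/AmqpTestSupport.java
+++ b/[path not shown]/AmqpTestSupport.java
@@ -185,7 +185,7 @@ public class AmqpTestSupport {
 }
 if (isUseSslConnector()) {
 connector = brokerService.addConnector(
-"amqp+ssl://0.0.0.0:" + amqpSslPort + "?transport.verifyHostName=false&transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
+"amqp+ssl://0.0.0.0:" + amqpSslPort + "?transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
 amqpSslPort = connector.getConnectUri().getPort();
 amqpSslURI = connector.getPublishableConnectURI();
 LOG.debug("Using amqp+ssl port " + amqpSslPort);
@@ -199,7 +199,7 @@ public class AmqpTestSupport {
 }
 if (isUseNioPlusSslConnector()) {
 connector = brokerService.addConnector(
-"amqp+nio+ssl://0.0.0.0:" + amqpNioPlusSslPort + "?transport.verifyHostName=false&transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
+"amqp+nio+ssl://0.0.0.0:" + amqpNioPlusSslPort + "?transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
 amqpNioPlusSslPort = connector.getConnectUri().getPort();
 amqpNioPlusSslURI = connector.getPublishableConnectURI();
 LOG.debug("Using amqp+nio+ssl port " + amqpNioPlusSslPort);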
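--- a/[path not shown]/JMSClientAutoSslAuthTest.java
+++ b/[path not shown]/JMSClientAutoSslAuthTest.java
@@ -79,7 +79,7 @@ public class JMSClientAutoSslAuthTest extends JMSClientTestSupport {
 
 @Override
 protected String getAdditionalConfig() {
-return "?transport.needClientAuth=true&transport.verifyHostName=false";
+return "?transport.needClientAuth=true";
 }
 
 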
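--- a/[path not shown]/NIOSSLTransport.java
+++ b/[path not shown]/NIOSSLTransport.java
@@ -57,7 +57,7 @@ public class NIOSSLTransport extends NIOTransport {
 protected boolean wantClientAuth;
 protected String[] enabledCipherSuites;
 protected String[] enabledProtocols;
-protected boolean verifyHostName = true;
+protected boolean verifyHostName = false;
 
 protected SSLContext sslContext;
 protected SSLEngine sslEngine;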
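Review bot: The field default `protected boolean verifyHostName = false;` applies to every NIOSSLTransport instance, while this commit only guarantees an explicit value on the server path (TcpTransportServer now writes `verifyHostName` into transportOptions when the key is absent). If NIOSSLTransport is also instantiated for client-side nio+ssl connections — not visible in this diff — those clients now skip host name verification by default, which diverges from SslTransport, whose else-branch in this same commit defaults clients to `true`. Keeping `protected boolean verifyHostName = true;` here and letting the server supply `false` through the option it now always populates would preserve the secure client default; if the client factory already sets the option explicitly, a comment on the field saying so would remove the ambiguity.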
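--- a/[path not shown]/SslTransport.java
+++ b/[path not shown]/SslTransport.java
@@ -96,6 +96,7 @@ public class SslTransport extends TcpTransport {
 verifyHostName = Boolean.parseBoolean(socketOptions.get("verifyHostName").toString());
 socketOptions.remove("verifyHostName");
 } else {
+//If null and not set then this is a client so default to true
 verifyHostName = true;
 }
 }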
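Review bot: The new comment `//If null and not set then this is a client so default to true` encodes an invariant that holds only because the server path populates the option in another class, and it should name that dependency so a later change to TcpTransportServer does not silently turn this branch into a server default. Suggest `// No option present: server-created transports always receive verifyHostName via transportOptions (see TcpTransportServer), so this is a client connection and clients verify host names by default.` The enclosing method starts and ends outside this hunk.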
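--- a/[path not shown]/TcpTransportServer.java
+++ b/[path not shown]/TcpTransportServer.java
@@ -80,7 +80,7 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
 protected int minmumWireFormatVersion;
 protected boolean useQueueForAccept = true;
 protected boolean allowLinkStealing;
-protected boolean verifyHostName = true;
+protected boolean verifyHostName = false;
 
 /**
 * trace=true -> the Transport stack where this TcpTransport object will be, will have a TransportLogger layer
@@ -176,6 +176,8 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
 if (socket instanceof SSLServerSocket) {
 if (transportOptions.containsKey("verifyHostName")) {
 verifyHostName = Boolean.parseBoolean(transportOptions.get("verifyHostName").toString());
+} else {
+transportOptions.put("verifyHostName", verifyHostName);
 }
 
 if (verifyHostName) {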
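Review bot: The flipped default `protected boolean verifyHostName = false;` is the security-relevant change of this commit, yet it carries no documentation while the neighbouring `trace` field has Javadoc, so a reader cannot tell whether false is a deliberate server-side choice or a regression. Suggest a Javadoc above the field: `/** Server-side host name verification is opt-in; set transport.verifyHostName=true to enable it. Client transports default to true (see SslTransport). */`. In the second hunk the else-branch `transportOptions.put("verifyHostName", verifyHostName);` is what makes the default visible to the per-connection transports, so the same Javadoc should state that the key is always present after bind; the `if (verifyHostName)` body continues outside the hunk.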
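--- a/[path not shown]/MQTTAutoSslAuthTest.java
+++ b/[path not shown]/MQTTAutoSslAuthTest.java
@@ -55,7 +55,7 @@ public class MQTTAutoSslAuthTest extends MQTTTestSupport {
 */
 public MQTTAutoSslAuthTest(String protocol) {
 this.protocol = protocol;
-protocolConfig = "transport.needClientAuth=true&transport.verifyHostName=false&";
+protocolConfig = "transport.needClientAuth=true";
 }
 
 @Override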
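Review bot: The new value `protocolConfig = "transport.needClientAuth=true";` drops the trailing `&` that the old value ended with; if MQTTTestSupport concatenates further options directly after protocolConfig (not visible here), the resulting URI would run `needClientAuth=true` straight into the next option with no separator. Worth checking how the superclass assembles the connector URI; if it appends, `protocolConfig = "transport.needClientAuth=true&";` keeps the old contract. The constructor is fully visible in the hunk.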
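--- a/[path not shown]/StompSslAuthTest.java
+++ b/[path not shown]/StompSslAuthTest.java
@@ -54,7 +54,7 @@ public class StompSslAuthTest extends StompTest {
 
 @Override
 public void addOpenWireConnector() throws Exception {
-TransportConnector connector = brokerService.addConnector("ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false");
+TransportConnector connector = brokerService.addConnector("ssl://0.0.0.0:0?transport.needClientAuth=true");
 cf = new ActiveMQConnectionFactory(connector.getPublishableConnectString() + "?socket.verifyHostName=false");
 }
 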
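--- a/[path not shown]/AMQ6599Test.java
+++ b/[path not shown]/AMQ6599Test.java
@@ -71,7 +71,7 @@ public class AMQ6599Test {
 brokerService.setPersistent(false);
 
 TransportConnector connector = brokerService.addConnector(protocol +
-"://localhost:0?transport.soTimeout=3500&transport.verifyHostName=false");
+"://localhost:0?transport.soTimeout=3500");
 connector.setName("connector");
 uri = connector.getPublishableConnectString();
 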
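--- a/[path not shown]/NetworkReconnectSslNioTest.java
+++ b/[path not shown]/NetworkReconnectSslNioTest.java
@@ -47,7 +47,7 @@ public class NetworkReconnectSslNioTest {
 remote.setSslContext(sslContext);
 remote.setUseJmx(false);
 remote.setPersistent(false);
-final TransportConnector transportConnector = remote.addConnector("nio+ssl://0.0.0.0:0?transport.verifyHostName=false");
+final TransportConnector transportConnector = remote.addConnector("nio+ssl://0.0.0.0:0");
 remote.start();
 
 BrokerService local = new BrokerService();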
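--- a/[path not shown]/AutoSslAuthTest.java
+++ b/[path not shown]/AutoSslAuthTest.java
@@ -75,7 +75,7 @@ public class AutoSslAuthTest {
 BrokerService brokerService = new BrokerService();
 brokerService.setPersistent(false);
 
-TransportConnector connector = brokerService.addConnector(protocol + "://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false");
+TransportConnector connector = brokerService.addConnector(protocol + "://localhost:0?transport.needClientAuth=true");
 connector.setName("auto");
 uri = connector.getPublishableConnectString();
 
@@ -126,7 +126,7 @@ public class AutoSslAuthTest {
 @Test(timeout = 60000)
 public void testConnect() throws Exception {
 ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory();
-factory.setBrokerURL(uri + "?socket.verifyHostName=false");
+factory.setBrokerURL(uri);
 
 //Create 5 connections to make sure all are properly set
 for (int i = 0; i < 5; i++) {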
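Review bot: In the second hunk `factory.setBrokerURL(uri);` drops the client-side `?socket.verifyHostName=false`, so this test now depends on the client default (true, per the SslTransport change in this commit) succeeding against the test certificate for `localhost`. The NIOSSLBasicTest comment in this same commit says the certificate does not carry the right host name for the client check, so unless the auto+ssl client path differs from SslTransport — not visible here — this test either fails or passes only because that path performs no verification; worth confirming which before relying on it. If the intent is to exercise only the new server default, keeping `factory.setBrokerURL(uri + "?socket.verifyHostName=false");` isolates the two changes.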
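--- a/[path not shown]/AutoTransportConnectionsTest.java
+++ b/[path not shown]/AutoTransportConnectionsTest.java
@@ -103,9 +103,6 @@ public class AutoTransportConnectionsTest {
 }
 
 public void configureConnectorAndStart(String bindAddress) throws Exception {
-if (bindAddress.contains("ssl")) {
-bindAddress += bindAddress.contains("?") ? "&transport.verifyHostName=false" : "?transport.verifyHostName=false";
-}
 connector = service.addConnector(bindAddress);
 connectionUri = connector.getPublishableConnectString();
 if (connectionUri.contains("ssl")) {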
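--- a/[path not shown]/NIOSSLBasicTest.java
+++ b/[path not shown]/NIOSSLBasicTest.java
@@ -80,28 +80,28 @@ public class NIOSSLBasicTest {
 
 @Test
 public void basicConnector() throws Exception {
-BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false");
+BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true");
 basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort() + "?socket.verifyHostName=false");
 stopBroker(broker);
 }
 
 @Test
 public void enabledCipherSuites() throws Exception {
-BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false&transport.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256&transport.verifyHostName=false");
+BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false&transport.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256");
 basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort() + "?socket.verifyHostName=false");
 stopBroker(broker);
 }
 
 @Test
 public void enabledProtocols() throws Exception {
-BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:61616?transport.needClientAuth=true&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.verifyHostName=false");
+BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:61616?transport.needClientAuth=true&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2");
 basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort() + "?socket.verifyHostName=false");
 stopBroker(broker);
 }
 
-//Client/server is missing verifyHostName=false so it should fail as cert doesn't have right host name
+//Client is missing verifyHostName=false so it should fail as cert doesn't have right host name
 @Test(expected = Exception.class)
-public void verifyHostNameError() throws Exception {
+public void verifyHostNameErrorClient() throws Exception {
 BrokerService broker = null;
 try {
 broker = createBroker("nio+ssl", getTransportType() + "://localhost:61616?transport.needClientAuth=true");
@@ -113,7 +113,6 @@ public class NIOSSLBasicTest {
 }
 }
 
-
 public void basicSendReceive(String uri) throws Exception {
 ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(uri);
 Connection connection = factory.createConnection();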
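Review bot: Renaming `verifyHostNameError` to `verifyHostNameErrorClient` and dropping `transport.verifyHostName=false` from the broker URIs leaves this class with no test that turns server-side verification on, so the `if (verifyHostName)` path in TcpTransportServer is no longer exercised here now that its default is false. Consider adding a `verifyHostNameErrorServer` counterpart that passes `transport.verifyHostName=true` on the broker URI and asserts the expected outcome against the test certificate, mirroring the client test. Also, `enabledCipherSuites` still passes `transport.verifyHostName=false` explicitly while the sibling tests rely on the new default; either drop it for consistency or add a comment saying why it is kept. The `try` block in verifyHostNameErrorClient continues outside the first hunk.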
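--- a/[path not shown]/NIOSSLLoadTest.java
+++ b/[path not shown]/NIOSSLLoadTest.java
@@ -74,7 +74,7 @@ public class NIOSSLLoadTest {
 broker = new BrokerService();
 broker.setPersistent(false);
 broker.setUseJmx(false);
-connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false&transport.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256");
+connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true&transport.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256");
 broker.start();
 broker.waitUntilStarted();
 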
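--- a/[path not shown]/NIOSSLWindowSizeTest.java
+++ b/[path not shown]/NIOSSLWindowSizeTest.java
@@ -59,7 +59,7 @@ public class NIOSSLWindowSizeTest extends TestCase {
 broker = new BrokerService();
 broker.setPersistent(false);
 broker.setUseJmx(false);
-TransportConnector connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false");
+TransportConnector connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true");
 broker.start();
 broker.waitUntilStarted();
 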
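--- a/[path not shown: XML broker config 1]
+++ b/[path not shown: XML broker config 1]
@@ -36,10 +36,10 @@
 </sslContext>
 
 <transportConnectors>
-<transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" />
-<transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" />
-<transportConnector name="openwire+ssl" uri="ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" />
-<transportConnector name="openwire+nio+ssl" uri="nio+ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false" />
+<transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:0?transport.needClientAuth=true" />
+<transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:0?transport.needClientAuth=true" />
+<transportConnector name="openwire+ssl" uri="ssl://0.0.0.0:0?transport.needClientAuth=true" />
+<transportConnector name="openwire+nio+ssl" uri="nio+ssl://0.0.0.0:0?transport.needClientAuth=true" />
 </transportConnectors>
 
 </broker>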
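--- a/[path not shown: XML broker config 2]
+++ b/[path not shown: XML broker config 2]
@@ -171,7 +171,7 @@
 </systemUsage>
 
 <transportConnectors>
-<transportConnector name="openwire+ssl-2" uri="ssl://0.0.0.0:61626?transport.closeAsync=false&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.needClientAuth=true&transport.verifyHostName=false"/>
+<transportConnector name="openwire+ssl-2" uri="ssl://0.0.0.0:61626?transport.closeAsync=false&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.needClientAuth=true"/>
 </transportConnectors>
 </broker>
 </beans>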
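--- a/[path not shown: XML broker config 3]
+++ b/[path not shown: XML broker config 3]
@@ -171,7 +171,7 @@
 </systemUsage>
 
 <transportConnectors>
-<transportConnector name="openwire+nio-ssl-2" uri="nio+ssl://0.0.0.0:61626?transport.closeAsync=false&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.needClientAuth=true&transport.verifyHostName=false"/>
+<transportConnector name="openwire+nio-ssl-2" uri="nio+ssl://0.0.0.0:61626?transport.closeAsync=false&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.needClientAuth=true"/>
 </transportConnectors>
 </broker>
 </beans>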