Add support for hostname verification

2018-08-21 09:05:42 -04:00 · 2018-08-21 09:05:42 -04:00 · 69fad2a135
parent b488df694c
commit 69fad2a135
24 changed files with 157 additions and 46 deletions
--- a/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/AmqpTestSupport.java
+++ b/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/AmqpTestSupport.java
@ -185,7 +185,7 @@ public class AmqpTestSupport {
        }
        if (isUseSslConnector()) {
            connector = brokerService.addConnector(
-                "amqp+ssl://0.0.0.0:" + amqpSslPort + "?transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
+                "amqp+ssl://0.0.0.0:" + amqpSslPort + "?transport.verifyHostName=false&transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
            amqpSslPort = connector.getConnectUri().getPort();
            amqpSslURI = connector.getPublishableConnectURI();
            LOG.debug("Using amqp+ssl port " + amqpSslPort);
@ -199,7 +199,7 @@ public class AmqpTestSupport {
        }
        if (isUseNioPlusSslConnector()) {
            connector = brokerService.addConnector(
-                "amqp+nio+ssl://0.0.0.0:" + amqpNioPlusSslPort + "?transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
+                "amqp+nio+ssl://0.0.0.0:" + amqpNioPlusSslPort + "?transport.verifyHostName=false&transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
            amqpNioPlusSslPort = connector.getConnectUri().getPort();
            amqpNioPlusSslURI = connector.getPublishableConnectURI();
            LOG.debug("Using amqp+nio+ssl port " + amqpNioPlusSslPort);
--- a/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/auto/JMSClientAutoSslAuthTest.java
+++ b/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/auto/JMSClientAutoSslAuthTest.java
@ -79,7 +79,7 @@ public class JMSClientAutoSslAuthTest extends JMSClientTestSupport {
    @Override
    protected String getAdditionalConfig() {
-        return "?transport.needClientAuth=true";
+        return "?transport.needClientAuth=true&transport.verifyHostName=false";
    }
--- a/activemq-broker/src/main/java/org/apache/activemq/transport/nio/AutoInitNioSSLTransport.java
+++ b/activemq-broker/src/main/java/org/apache/activemq/transport/nio/AutoInitNioSSLTransport.java
@ -30,6 +30,7 @@ import javax.net.SocketFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
 import javax.net.ssl.SSLParameters;
 import org.apache.activemq.thread.TaskRunnerFactory;
 import org.apache.activemq.util.IOExceptionSupport;
@ -89,6 +90,12 @@ public class AutoInitNioSSLTransport extends NIOSSLTransport {
                sslEngine = sslContext.createSSLEngine();
            }
            if (verifyHostName) {
                SSLParameters sslParams = new SSLParameters();
                sslParams.setEndpointIdentificationAlgorithm("HTTPS");
                sslEngine.setSSLParameters(sslParams);
            }
            sslEngine.setUseClientMode(false);
            if (enabledCipherSuites != null) {
                sslEngine.setEnabledCipherSuites(enabledCipherSuites);
--- a/activemq-client/src/main/java/org/apache/activemq/transport/nio/NIOSSLTransport.java
+++ b/activemq-client/src/main/java/org/apache/activemq/transport/nio/NIOSSLTransport.java
@ -36,6 +36,7 @@ import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
 import javax.net.ssl.SSLEngineResult.HandshakeStatus;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
@ -56,6 +57,7 @@ public class NIOSSLTransport extends NIOTransport {
    protected boolean wantClientAuth;
    protected String[] enabledCipherSuites;
    protected String[] enabledProtocols;
    protected boolean verifyHostName = true;
    protected SSLContext sslContext;
    protected SSLEngine sslEngine;
@ -119,6 +121,12 @@ public class NIOSSLTransport extends NIOTransport {
                    sslEngine = sslContext.createSSLEngine();
                }
                if (verifyHostName) {
                    SSLParameters sslParams = new SSLParameters();
                    sslParams.setEndpointIdentificationAlgorithm("HTTPS");
                    sslEngine.setSSLParameters(sslParams);
                }
                sslEngine.setUseClientMode(false);
                if (enabledCipherSuites != null) {
                    sslEngine.setEnabledCipherSuites(enabledCipherSuites);
@ -543,4 +551,12 @@ public class NIOSSLTransport extends NIOTransport {
    public void setEnabledProtocols(String[] enabledProtocols) {
        this.enabledProtocols = enabledProtocols;
    }
    public boolean isVerifyHostName() {
        return verifyHostName;
    }
    public void setVerifyHostName(boolean verifyHostName) {
        this.verifyHostName = verifyHostName;
    }
 }
--- a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java
+++ b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java
@ -17,11 +17,14 @@
 package org.apache.activemq.transport.tcp;
 import java.io.IOException;
 import java.net.Socket;
 import java.net.SocketException;
 import java.net.URI;
 import java.net.UnknownHostException;
 import java.security.cert.X509Certificate;
 import java.util.HashMap;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
@ -43,6 +46,8 @@ import org.apache.activemq.wireformat.WireFormat;
 */
 public class SslTransport extends TcpTransport {
    private Boolean verifyHostName = null;
    /**
     * Connect to a remote node such as a Broker.
     *
@ -73,6 +78,37 @@ public class SslTransport extends TcpTransport {
        }
    }
    @Override
    protected void initialiseSocket(Socket sock) throws SocketException, IllegalArgumentException {
        //This needs to default to null because this transport class is used for both a server transport
        //and a client connection and if we default it to a value it might override the transport server setting
        //that was configured inside TcpTransportServer
        //The idea here is that if this is a server transport then verifyHostName will be set by the setter
        //below and not be null (if using transport.verifyHostName) but if a client uses socket.verifyHostName
        //then it will be null and we can check socketOptions
        //Unfortunately we have to do this to stay consistent because every other SSL option on the client
        //side is configured using socket. but this particular option isn't actually part of the socket
        //so it makes it tricky
        if (verifyHostName == null) {
            if (socketOptions != null && socketOptions.containsKey("verifyHostName")) {
                verifyHostName = Boolean.parseBoolean(socketOptions.get("verifyHostName").toString());
                socketOptions.remove("verifyHostName");
            } else {
                verifyHostName = true;
            }
        }
        if (verifyHostName) {
            SSLParameters sslParams = new SSLParameters();
            sslParams.setEndpointIdentificationAlgorithm("HTTPS");
            ((SSLSocket)this.socket).setSSLParameters(sslParams);
        }
        super.initialiseSocket(sock);
    }
    /**
     * Initialize from a ServerSocket. No access to needClientAuth is given
     * since it is already set within the provided socket.
@ -108,6 +144,10 @@ public class SslTransport extends TcpTransport {
        super.doConsume(command);
    }
    public void setVerifyHostName(Boolean verifyHostName) {
        this.verifyHostName = verifyHostName;
    }
    /**
     * @return peer certificate chain associated with the ssl socket
     */
--- a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java
+++ b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java
@ -100,6 +100,7 @@ public class SslTransportServer extends TcpTransportServer {
     *
     * @throws IOException passed up from TcpTransportServer.
     */
    @Override
    public void bind() throws IOException {
        super.bind();
        if (needClientAuth) {
@ -119,6 +120,7 @@ public class SslTransportServer extends TcpTransportServer {
     * @return The newly return (SSL) Transport.
     * @throws IOException
     */
    @Override
    protected Transport createTransport(Socket socket, WireFormat format) throws IOException {
        return new SslTransport(format, (SSLSocket)socket);
    }
--- a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransport.java
+++ b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransport.java
@ -133,7 +133,7 @@ public class TcpTransport extends TransportThreadSupport implements Transport, S
    protected final AtomicReference<CountDownLatch> stoppedLatch = new AtomicReference<CountDownLatch>();
    protected volatile int receiveCounter;
-    private Map<String, Object> socketOptions;
+    protected Map<String, Object> socketOptions;
    private int soLinger = Integer.MIN_VALUE;
    private Boolean keepAlive;
    private Boolean tcpNoDelay;
@ -751,6 +751,7 @@ public class TcpTransport extends TransportThreadSupport implements Transport, S
        return true;
    }
    @Override
    public WireFormat getWireFormat() {
        return wireFormat;
    }
--- a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java
+++ b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java
@ -40,6 +40,7 @@ import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicInteger;
 import javax.net.ServerSocketFactory;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLServerSocket;
 import org.apache.activemq.Service;
@ -79,6 +80,7 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
    protected int minmumWireFormatVersion;
    protected boolean useQueueForAccept = true;
    protected boolean allowLinkStealing;
    protected boolean verifyHostName = true;
    /**
     * trace=true -> the Transport stack where this TcpTransport object will be, will have a TransportLogger layer
@ -172,6 +174,16 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
            //  see: https://issues.apache.org/jira/browse/AMQ-4582
            //
            if (socket instanceof SSLServerSocket) {
                if (transportOptions.containsKey("verifyHostName")) {
                    verifyHostName = Boolean.parseBoolean(transportOptions.get("verifyHostName").toString());
                }
                if (verifyHostName) {
                    SSLParameters sslParams = new SSLParameters();
                    sslParams.setEndpointIdentificationAlgorithm("HTTPS");
                    ((SSLServerSocket)this.serverSocket).setSSLParameters(sslParams);
                }
                if (transportOptions.containsKey("enabledCipherSuites")) {
                    Object cipherSuites = transportOptions.remove("enabledCipherSuites");
@ -180,6 +192,7 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
                            "Invalid transport options {enabledCipherSuites=%s}", cipherSuites));
                    }
                }
            }
            //AMQ-6599 - don't strip out set properties on the socket as we need to set them
--- a/activemq-mqtt/src/test/java/org/apache/activemq/transport/mqtt/auto/MQTTAutoSslAuthTest.java
+++ b/activemq-mqtt/src/test/java/org/apache/activemq/transport/mqtt/auto/MQTTAutoSslAuthTest.java
@ -55,7 +55,7 @@ public class MQTTAutoSslAuthTest extends MQTTTestSupport  {
     */
    public MQTTAutoSslAuthTest(String protocol) {
        this.protocol = protocol;
-        protocolConfig = "transport.needClientAuth=true";
+        protocolConfig = "transport.needClientAuth=true&transport.verifyHostName=false&";
    }
    @Override
--- a/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompSslAuthTest.java
+++ b/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompSslAuthTest.java
@ -54,13 +54,13 @@ public class StompSslAuthTest extends StompTest {
    @Override
    public void addOpenWireConnector() throws Exception {
-        TransportConnector connector = brokerService.addConnector("ssl://0.0.0.0:0?needClientAuth=true");
+        TransportConnector connector = brokerService.addConnector("ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false");
-        cf = new ActiveMQConnectionFactory(connector.getPublishableConnectString());
+        cf = new ActiveMQConnectionFactory(connector.getPublishableConnectString() + "?socket.verifyHostName=false");
    }
    @Override
    protected String getAdditionalConfig() {
-        return "?needClientAuth=true";
+        return "?needClientAuth=true&transport.verifyHostName=false";
    }
    // NOOP - These operations handled by jaas cert login module
--- a/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/auto/StompAutoSslAuthTest.java
+++ b/activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/auto/StompAutoSslAuthTest.java
@ -102,7 +102,7 @@ public class StompAutoSslAuthTest extends StompTestSupport {
    @Override
    protected String getAdditionalConfig() {
-        return "?transport.needClientAuth=true";
+        return "?transport.needClientAuth=true&transport.verifyHostName=false";
    }
    @Override
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4126Test.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4126Test.java
@ -121,7 +121,7 @@ public class AMQ4126Test {
    public void openwireConnectTo(String connectorName, String username, String password) throws Exception {
        URI brokerURI = broker.getConnectorByName(connectorName).getConnectUri();
-        String uri = "ssl://" + brokerURI.getHost() + ":" + brokerURI.getPort();
+        String uri = "ssl://" + brokerURI.getHost() + ":" + brokerURI.getPort() + "?socket.verifyHostName=false";
        ActiveMQSslConnectionFactory cf = new ActiveMQSslConnectionFactory(uri);
        cf.setTrustStore("org/apache/activemq/security/broker1.ks");
        cf.setTrustStorePassword("password");
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ6599Test.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ6599Test.java
@ -71,7 +71,7 @@ public class AMQ6599Test {
        brokerService.setPersistent(false);
        TransportConnector connector = brokerService.addConnector(protocol +
-                "://localhost:0?transport.soTimeout=3500");
+                "://localhost:0?transport.soTimeout=3500&transport.verifyHostName=false");
        connector.setName("connector");
        uri = connector.getPublishableConnectString();
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/network/NetworkReconnectSslNioTest.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/network/NetworkReconnectSslNioTest.java
@ -47,14 +47,14 @@ public class NetworkReconnectSslNioTest {
        remote.setSslContext(sslContext);
        remote.setUseJmx(false);
        remote.setPersistent(false);
-        final TransportConnector transportConnector = remote.addConnector("nio+ssl://0.0.0.0:0");
+        final TransportConnector transportConnector = remote.addConnector("nio+ssl://0.0.0.0:0?transport.verifyHostName=false");
        remote.start();
        BrokerService local = new BrokerService();
        local.setSslContext(sslContext);
        local.setUseJmx(false);
        local.setPersistent(false);
-        final NetworkConnector networkConnector = local.addNetworkConnector("static:(" + remote.getTransportConnectorByScheme("nio+ssl").getPublishableConnectString().replace("nio+ssl", "ssl") + ")?useExponentialBackOff=false&initialReconnectDelay=10");
+        final NetworkConnector networkConnector = local.addNetworkConnector("static:(" + remote.getTransportConnectorByScheme("nio+ssl").getPublishableConnectString().replace("nio+ssl", "ssl") + "?socket.verifyHostName=false" + ")?useExponentialBackOff=false&initialReconnectDelay=10");
        local.start();
        assertTrue("Bridge created", Wait.waitFor(new Wait.Condition() {
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoSslAuthTest.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoSslAuthTest.java
@ -75,7 +75,7 @@ public class AutoSslAuthTest {
        BrokerService brokerService = new BrokerService();
        brokerService.setPersistent(false);
-        TransportConnector connector = brokerService.addConnector(protocol + "://localhost:0?transport.needClientAuth=true");
+        TransportConnector connector = brokerService.addConnector(protocol + "://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false");
        connector.setName("auto");
        uri = connector.getPublishableConnectString();
@ -126,7 +126,7 @@ public class AutoSslAuthTest {
    @Test(timeout = 60000)
    public void testConnect() throws Exception {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory();
-        factory.setBrokerURL(uri);
+        factory.setBrokerURL(uri + "?socket.verifyHostName=false");
        //Create 5 connections to make sure all are properly set
        for (int i = 0; i < 5; i++) {
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoTransportConnectionsTest.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoTransportConnectionsTest.java
@ -103,8 +103,14 @@ public class AutoTransportConnectionsTest {
    }
    public void configureConnectorAndStart(String bindAddress) throws Exception {
        if (bindAddress.contains("ssl")) {
            bindAddress += bindAddress.contains("?") ? "&transport.verifyHostName=false" : "?transport.verifyHostName=false";
        }
        connector = service.addConnector(bindAddress);
        connectionUri = connector.getPublishableConnectString();
        if (connectionUri.contains("ssl")) {
            connectionUri += connectionUri.contains("?") ? "&socket.verifyHostName=false" : "?socket.verifyHostName=false";
        }
        service.start();
        service.waitUntilStarted();
    }
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLBasicTest.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLBasicTest.java
@ -17,14 +17,14 @@
 package org.apache.activemq.transport.nio;
 import javax.jms.Connection;
 import javax.jms.JMSException;
 import javax.jms.Message;
 import javax.jms.MessageConsumer;
 import javax.jms.MessageProducer;
 import javax.jms.Queue;
 import javax.jms.Session;
 import javax.jms.TextMessage;
-
+import javax.net.ssl.SSLHandshakeException;
 import junit.framework.TestCase;
 import org.apache.activemq.ActiveMQConnectionFactory;
 import org.apache.activemq.broker.BrokerService;
@ -33,6 +33,8 @@ import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import junit.framework.TestCase;
 public class NIOSSLBasicTest {
    public static final String KEYSTORE_TYPE = "jks";
@ -78,25 +80,40 @@ public class NIOSSLBasicTest {
    @Test
    public void basicConnector() throws Exception {
-        BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true");
+        BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false");
-        basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort());
+        basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort() + "?socket.verifyHostName=false");
        stopBroker(broker);
    }
    @Test
    public void enabledCipherSuites() throws Exception {
-        BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true&transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA");
+        BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false&transport.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256&transport.verifyHostName=false");
-        basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort());
+        basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort() + "?socket.verifyHostName=false");
        stopBroker(broker);
    }
    @Test
    public void enabledProtocols() throws Exception {
-        BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:61616?transport.needClientAuth=true&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2");
+        BrokerService broker = createBroker("nio+ssl", getTransportType() + "://localhost:61616?transport.needClientAuth=true&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.verifyHostName=false");
-        basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort());
+        basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort() + "?socket.verifyHostName=false");
        stopBroker(broker);
    }
    //Client/server is missing verifyHostName=false so it should fail as cert doesn't have right host name
    @Test(expected = Exception.class)
    public void verifyHostNameError() throws Exception {
        BrokerService broker = null;
        try {
            broker = createBroker("nio+ssl", getTransportType() + "://localhost:61616?transport.needClientAuth=true");
            basicSendReceive("ssl://localhost:" + broker.getConnectorByName("nio+ssl").getConnectUri().getPort());
        } finally {
            if (broker != null) {
                stopBroker(broker);
            }
        }
    }
    public void basicSendReceive(String uri) throws Exception {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(uri);
        Connection connection = factory.createConnection();
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLLoadTest.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLLoadTest.java
@ -74,7 +74,7 @@ public class NIOSSLLoadTest {
        broker = new BrokerService();
        broker.setPersistent(false);
        broker.setUseJmx(false);
-        connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true&transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA");
+        connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false&transport.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256");
        broker.start();
        broker.waitUntilStarted();
@ -113,6 +113,7 @@ public class NIOSSLLoadTest {
        }
        Wait.waitFor(new Wait.Condition() {
            @Override
            public boolean isSatisified() throws Exception {
                return getReceived() == PRODUCER_COUNT * MESSAGE_COUNT;
            }
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLWindowSizeTest.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/nio/NIOSSLWindowSizeTest.java
@ -59,7 +59,7 @@ public class NIOSSLWindowSizeTest extends TestCase {
        broker = new BrokerService();
        broker.setPersistent(false);
        broker.setUseJmx(false);
-        TransportConnector connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true");
+        TransportConnector connector = broker.addConnector("nio+ssl://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false");
        broker.start();
        broker.waitUntilStarted();
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslTransportFactoryTest.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/transport/tcp/SslTransportFactoryTest.java
@ -33,10 +33,12 @@ public class SslTransportFactoryTest extends TestCase {
    private SslTransportFactory factory;
    private boolean verbose;
    @Override
    protected void setUp() throws Exception {
        factory = new SslTransportFactory();
    }
    @Override
    protected void tearDown() throws Exception {
        super.tearDown();
    }
@ -96,6 +98,12 @@ public class SslTransportFactoryTest extends TestCase {
                // -1 since the option range is [-1,1], not [0,2].
                optionSettings[j] = getMthNaryDigit(i, j, 3) - 1;
                //We now always set options to a default we default verifyHostName to true
                //so we setSSLParameters so make the not set value = 0
                if (optionSettings[j] == -1) {
                    optionSettings[j] = 0;
                }
                if (optionSettings[j] != -1) {
                    options.put(optionNames[j], optionSettings[j] == 1 ? "true" : "false");
                }
--- a/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/InconsistentConnectorPropertiesBehaviour.xml
+++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/InconsistentConnectorPropertiesBehaviour.xml
@ -36,12 +36,12 @@
    </sslContext>
    <transportConnectors>
-      <transportConnector name="stomp+ssl+special" uri="stomp+ssl://0.0.0.0:0?needClientAuth=true" />
+      <transportConnector name="stomp+ssl+special" uri="stomp+ssl://0.0.0.0:0?needClientAuth=true&amp;transport.verifyHostName=false" />
-      <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:0?transport.needClientAuth=true" />
+      <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:0?transport.needClientAuth=true&amp;transport.verifyHostName=false" />
-      <transportConnector name="stomp+nio+ssl+special" uri="stomp+nio+ssl://0.0.0.0:0?needClientAuth=true" />
+      <transportConnector name="stomp+nio+ssl+special" uri="stomp+nio+ssl://0.0.0.0:0?needClientAuth=true&amp;transport.verifyHostName=false" />
-      <transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:0?transport.needClientAuth=true" />
+      <transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:0?transport.needClientAuth=true&amp;transport.verifyHostName=false" />
-      <transportConnector name="mqtt+ssl" uri="mqtt+ssl://0.0.0.0:0?transport.needClientAuth=true" />
+      <transportConnector name="mqtt+ssl" uri="mqtt+ssl://0.0.0.0:0?transport.needClientAuth=true&amp;transport.verifyHostName=false" />
-      <transportConnector name="mqtt+nio+ssl" uri="mqtt+nio+ssl://0.0.0.0:0?transport.needClientAuth=true" />
+      <transportConnector name="mqtt+nio+ssl" uri="mqtt+nio+ssl://0.0.0.0:0?transport.needClientAuth=true&amp;transport.verifyHostName=false" />
    </transportConnectors>
  </broker>
--- a/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/JaasStompSSLBroker.xml
+++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/bugs/amq4126/JaasStompSSLBroker.xml
@ -36,10 +36,10 @@
    </sslContext>
    <transportConnectors>
-      <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:0?transport.needClientAuth=true" />
+      <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:0?transport.needClientAuth=true&amp;transport.verifyHostName=false" />
-      <transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:0?transport.needClientAuth=true" />
+      <transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:0?transport.needClientAuth=true&amp;transport.verifyHostName=false" />
-      <transportConnector name="openwire+ssl" uri="ssl://0.0.0.0:0?transport.needClientAuth=true" />
+      <transportConnector name="openwire+ssl" uri="ssl://0.0.0.0:0?transport.needClientAuth=true&amp;transport.verifyHostName=false" />
-      <transportConnector name="openwire+nio+ssl" uri="nio+ssl://0.0.0.0:0?transport.needClientAuth=true" />
+      <transportConnector name="openwire+nio+ssl" uri="nio+ssl://0.0.0.0:0?transport.needClientAuth=true&amp;transport.verifyHostName=false" />
    </transportConnectors>
  </broker>
--- a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridge.xml
+++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridge.xml
@ -171,7 +171,7 @@
    </systemUsage>
    <transportConnectors>
-        <transportConnector name="openwire+ssl-2" uri="ssl://0.0.0.0:61626?transport.closeAsync=false&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&amp;transport.needClientAuth=true"/>
+        <transportConnector name="openwire+ssl-2" uri="ssl://0.0.0.0:61626?transport.closeAsync=false&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&amp;transport.needClientAuth=true&amp;transport.verifyHostName=false"/>
    </transportConnectors>
  </broker>
 </beans>
--- a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSsl.xml
+++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/JaasDualAuthenticationNetworkBridgeNioSsl.xml
@ -171,7 +171,7 @@
    </systemUsage>
    <transportConnectors>
-        <transportConnector name="openwire+nio-ssl-2" uri="nio+ssl://0.0.0.0:61626?transport.closeAsync=false&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&amp;transport.needClientAuth=true"/>
+        <transportConnector name="openwire+nio-ssl-2" uri="nio+ssl://0.0.0.0:61626?transport.closeAsync=false&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&amp;transport.needClientAuth=true&amp;transport.verifyHostName=false"/>
    </transportConnectors>
  </broker>
 </beans>