SOLR-5868: HttpClient should be configured to use ALLOW_ALL_HOSTNAME hostname verifier to simplify SSL setup.

git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1588312 13f79535-47bb-0310-9956-ffa450edef68
2014-04-17 17:28:01 +00:00 · 2014-04-17 17:28:01 +00:00 · 050342b8a4
parent 9edd501d00
commit 050342b8a4
5 changed files with 93 additions and 6 deletions
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@ -80,6 +80,9 @@ Other Changes

 * SOLR-5474: Have a new mode for SolrJ to support stateFormat=2 (Noble Paul, Tim Potter)

+* SOLR-5868: HttpClient should be configured to use ALLOW_ALL_HOSTNAME hostname
+  verifier to simplify SSL setup. (Steve Davids via Mark Miller)
+
 ==================  4.9.0 ==================

 Versions of Major Components
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpClientConfigurer.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpClientConfigurer.java
@ -17,6 +17,8 @@ package org.apache.solr.client.solrj.impl;
 * limitations under the License.
 */

+
+import org.apache.http.conn.ssl.SSLSocketFactory;
 import org.apache.http.impl.client.DefaultHttpClient;
 import org.apache.solr.common.params.SolrParams;

@ -69,5 +71,28 @@ public class HttpClientConfigurer {
      HttpClientUtil.setAllowCompression(httpClient,
          config.getBool(HttpClientUtil.PROP_ALLOW_COMPRESSION));
    }
+    
+    boolean sslCheckPeerName = toBooleanDefaultIfNull(
+        toBooleanObject(System.getProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME)), true);
+    if(sslCheckPeerName == false) {
+      HttpClientUtil.setHostNameVerifier(httpClient, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
+    }
+  }
+  
+  public static boolean toBooleanDefaultIfNull(Boolean bool, boolean valueIfNull) {
+    if (bool == null) {
+      return valueIfNull;
+    }
+    return bool.booleanValue() ? true : false;
+  }
+  
+  public static Boolean toBooleanObject(String str) {
+    if ("true".equalsIgnoreCase(str)) {
+      return Boolean.TRUE;
+    } else if ("false".equalsIgnoreCase(str)) {
+      return Boolean.FALSE;
+    }
+    // no match
+    return null;
  }
 }
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpClientUtil.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpClientUtil.java
@ -34,6 +34,9 @@ import org.apache.http.auth.UsernamePasswordCredentials;
 import org.apache.http.client.HttpClient;
 import org.apache.http.client.params.ClientParamBean;
 import org.apache.http.conn.ClientConnectionManager;
+import org.apache.http.conn.scheme.Scheme;
+import org.apache.http.conn.ssl.SSLSocketFactory;
+import org.apache.http.conn.ssl.X509HostnameVerifier;
 import org.apache.http.entity.HttpEntityWrapper;
 import org.apache.http.impl.client.DefaultHttpClient;
 import org.apache.http.impl.client.DefaultHttpRequestRetryHandler;
@ -75,6 +78,8 @@ public class HttpClientUtil {
  // Basic auth password 
  public static final String PROP_BASIC_AUTH_PASS = "httpBasicAuthPassword";
  
+  public static final String SYS_PROP_CHECK_PEER_NAME = "solr.ssl.checkPeerName";
+  
  private static final Logger logger = LoggerFactory
      .getLogger(HttpClientUtil.class);
  
@ -255,6 +260,15 @@ public class HttpClientUtil {
    new ClientParamBean(httpClient.getParams()).setHandleRedirects(followRedirects);
  }

+  public static void setHostNameVerifier(DefaultHttpClient httpClient,
+      X509HostnameVerifier hostNameVerifier) {
+    Scheme httpsScheme = httpClient.getConnectionManager().getSchemeRegistry().get("https");
+    if (httpsScheme != null) {
+      SSLSocketFactory sslSocketFactory = (SSLSocketFactory) httpsScheme.getSchemeSocketFactory();
+      sslSocketFactory.setHostnameVerifier(hostNameVerifier);
+    }
+  }
+  
  private static class UseCompressionRequestInterceptor implements
      HttpRequestInterceptor {
    
--- a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java
+++ b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java
@ -17,17 +17,23 @@
 package org.apache.solr.client.solrj.impl;

 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;

 import java.util.concurrent.atomic.AtomicInteger;

 import org.apache.http.auth.AuthScope;
 import org.apache.http.client.HttpClient;
 import org.apache.http.client.params.ClientPNames;
-import org.apache.http.impl.conn.PoolingClientConnectionManager;
+import org.apache.http.conn.ssl.AllowAllHostnameVerifier;
+import org.apache.http.conn.ssl.BrowserCompatHostnameVerifier;
+import org.apache.http.conn.ssl.SSLSocketFactory;
+import org.apache.http.conn.ssl.X509HostnameVerifier;
 import org.apache.http.impl.client.DefaultHttpClient;
+import org.apache.http.impl.conn.PoolingClientConnectionManager;
 import org.apache.http.params.HttpConnectionParams;
 import org.apache.solr.common.params.ModifiableSolrParams;
 import org.apache.solr.common.params.SolrParams;
+import org.apache.solr.util.SSLTestConfig;
 import org.junit.Test;

 public class HttpClientUtilTest {
@ -90,4 +96,35 @@ public class HttpClientUtilTest {

  }
  
+  @Test
+  @SuppressWarnings("deprecation")
+  public void testSSLSystemProperties() {
+    try {
+      SSLTestConfig.setSSLSystemProperties();
+      assertNotNull("HTTPS scheme could not be created using the javax.net.ssl.* system properties.", 
+          HttpClientUtil.createClient(null).getConnectionManager().getSchemeRegistry().get("https"));
+      
+      System.clearProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME);
+      assertEquals(BrowserCompatHostnameVerifier.class, getHostnameVerifier(HttpClientUtil.createClient(null)).getClass());
+      
+      System.setProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME, "true");
+      assertEquals(BrowserCompatHostnameVerifier.class, getHostnameVerifier(HttpClientUtil.createClient(null)).getClass());
+      
+      System.setProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME, "");
+      assertEquals(BrowserCompatHostnameVerifier.class, getHostnameVerifier(HttpClientUtil.createClient(null)).getClass());
+      
+      System.setProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME, "false");
+      assertEquals(AllowAllHostnameVerifier.class, getHostnameVerifier(HttpClientUtil.createClient(null)).getClass());
+    } finally {
+      SSLTestConfig.clearSSLSystemProperties();
+      System.clearProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME);
+    }
+  }
+  
+  @SuppressWarnings("deprecation")
+  private X509HostnameVerifier getHostnameVerifier(HttpClient client) {
+    return ((SSLSocketFactory) client.getConnectionManager().getSchemeRegistry()
+        .get("https").getSchemeSocketFactory()).getHostnameVerifier();
+  }
+  
 }
--- a/solr/test-framework/src/java/org/apache/solr/util/SSLTestConfig.java
+++ b/solr/test-framework/src/java/org/apache/solr/util/SSLTestConfig.java
@ -104,10 +104,18 @@ public class SSLTestConfig extends SSLConfig {
    }
  }
  
-  public static void cleanStatics() {
-    DEFAULT_CONFIGURER = null;
-    TEST_KEYSTORE = null;
-    TEST_KEYSTORE_PASSWORD = null;
-    TEST_KEYSTORE_PATH = null;
+  public static void setSSLSystemProperties() {
+    System.setProperty("javax.net.ssl.keyStore", TEST_KEYSTORE_PATH);
+    System.setProperty("javax.net.ssl.keyStorePassword", TEST_KEYSTORE_PASSWORD);
+    System.setProperty("javax.net.ssl.trustStore", TEST_KEYSTORE_PATH);
+    System.setProperty("javax.net.ssl.trustStorePassword", TEST_KEYSTORE_PASSWORD);
  }
+  
+  public static void clearSSLSystemProperties() {
+    System.clearProperty("javax.net.ssl.keyStore");
+    System.clearProperty("javax.net.ssl.keyStorePassword");
+    System.clearProperty("javax.net.ssl.trustStore");
+    System.clearProperty("javax.net.ssl.trustStorePassword");
+  }
+  
 }