History | Log In     View a printable version of the current page.  
   HOME       BROWSE PROJECT       FIND ISSUES   
    QUICK SEARCH:  
Issue Details (XML | Word | Printable)

Key: AMQ-1659
Type: Bug Bug
Status: Closed Closed
Resolution: Fixed
Priority: Major Major
Assignee: David Jencks
Reporter: Eric White
Votes: 0
Watchers: 1
Operations

If you were logged in you would be able to see more operations.
ActiveMQ

SSL Transport configured in wantClientAuth mode never asks for the client certificate during the SSL Handshake

Created: 10/Apr/08 02:15 AM   Updated: 11/Apr/08 01:21 AM
Component/s: Transport
Affects Version/s: 5.0.0, 4.1.1
Fix Version/s: 4.1.2, 5.1.0

Time Tracking:
Original Estimate: 2 days
Original Estimate - 2 days
Remaining Estimate: 2 days
Remaining Estimate - 2 days
Time Spent: Not Specified
Remaining Estimate - 2 days

File Attachments: 1. Text File Licensed for inclusion in ASF works amq-411-complex-version.patch (3 kb)
2. Text File Licensed for inclusion in ASF works amq-411-simple-version.patch (1 kb)
3. Text File Licensed for inclusion in ASF works amq-500-complex-version.patch (3 kb)
4. Text File Licensed for inclusion in ASF works amq-500-simple-version.patch (1 kb)
Environment:
I think this is for all environments, it may be JDK dependent though.

I tested on:
Linux 2.6.20-gentoo-r7
java version "1.6.0"
Java(TM) SE Runtime Environment (build 1.6.0-b105)
Java HotSpot(TM) 64-Bit Server VM (build 1.6.0-b105, mixed mode)


 Description  « Hide
See: http://java.sun.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setWantClientAuth(boolean)

"
A socket's client authentication setting is one of the following:

  • client authentication required
  • client authentication requested
  • no client authentication desired
    "

In the API it indicates that if you call either setWantClientAuth, or setNeedClientAuth it will override the call to the other.

Therefor I believe the following code only allows for ActiveMQ to be in two states:

  • Client Authentication Required (needClientAuth==true)
  • No client Authentication Desired (needClientAuth==false)

activemq-core/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java

As setWantClientAuth is overridden by setNeedClientAuth.
public void bind() throws IOException { super.bind(); ((SSLServerSocket)this.serverSocket).setWantClientAuth(wantClientAuth); ((SSLServerSocket)this.serverSocket).setNeedClientAuth(needClientAuth); }

I believe this the same issue as this Jetty issue: http://jira.codehaus.org/browse/JETTY-86

 All   Comments   Work Log   Change History   Subversion Commits   FishEye   Crucible      Sort Order: Ascending order - Click to sort in descending order
[ Permlink | « Hide ]
Eric White - 10/Apr/08 05:36 AM 
 
activemq-core/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java
public void bind() throws IOException { 
    super.bind();
    ((SSLServerSocket)this.serverSocket).setWantClientAuth(wantClientAuth);
    ((SSLServerSocket)this.serverSocket).setNeedClientAuth(needClientAuth); <--- This overrides setWantClientAuth
}

[ Permlink | « Hide ]
Eric White - 10/Apr/08 05:45 AM - edited
https://issues.apache.org/activemq/secure/attachment/16326/amq-411-complex-version.patch

This file is for ActiveMQ 4.1.1

I have tested this file locally and it works for me.

In this version Boolean properties are used instead of just boolean. This makes it possible to distinguish between true, false, and null. Corresponding to the underlying properties being set to true, false or not set at all.


[ Permlink | « Hide ]
Eric White - 10/Apr/08 05:47 AM - edited
https://issues.apache.org/activemq/secure/attachment/16327/amq-411-simple-version.patch

This file is for ActiveMQ 4.1.1

I have tested this file locally and it works for me.

In this version only boolean properties are used. This make it impossible to know if the property was set on the Transport URL or not.

My personal belief is the complex version is better, but I supplied both as I'm unsure how the maintainers would like to see the issue resolved.


[ Permlink | « Hide ]
Eric White - 10/Apr/08 05:48 AM - edited
https://issues.apache.org/activemq/secure/attachment/16328/amq-500-complex-version.patch

This file is for ActiveMQ 5.0.0

I have NOT TESTED this on ActiveMQ 5, but the looking at the source code, I think the issue is there. This patch does compile.

In this version Boolean properties are used instead of just boolean. This makes it possible to distinguish between true, false, and null. Corresponding to the underlying properties being set to true, false or not set at all.


[ Permlink | « Hide ]
Eric White - 10/Apr/08 05:49 AM - edited
https://issues.apache.org/activemq/secure/attachment/16329/amq-500-simple-version.patch

This file is for ActiveMQ 5.0.0

I have NOT TESTED this on ActiveMQ 5, but the looking at the source code, I think the issue is there. This patch does compile.

In this version only boolean properties are used. This make it impossible to know if the property was set on the Transport URL or not.

My personal belief is the complex version is better, but I supplied both as I'm unsure how the maintainers would like to see the issue resolved.


[ Permlink | « Hide ]
David Jencks - 10/Apr/08 10:07 AM
In the past I've fixed this bug (in other projects) like this:

public void bind() throws IOException {
super.bind();
if (needClientAuth) { ((SSLServerSocket)this.serverSocket).setNeedClientAuth(true); } else if (wantClientAuth) { ((SSLServerSocket)this.serverSocket).setWantClientAuth(true); }
}

which to me corresponds better to natural language usage like "I not only want client auth, I need it!"

Is there some reason you think that setting both flags true should be disallowed?


[ Permlink | « Hide ]
David Jencks - 10/Apr/08 10:13 AM
with luck 4.1.2 is out the door.... should be able to get it in 5.1.0 though

[ Permlink | « Hide ]
David Jencks - 10/Apr/08 12:40 PM
looks like it will make it into 4.1.2

[ Permlink | « Hide ]
David Jencks - 10/Apr/08 12:42 PM
The test needed quite a bit of fixing up also. The proposed patches would definitely have broken the tests as they test all 4 combinations, and do not expect an exception if both flags are true.
4.1 rev 646928
trunk rev 646936

[ Permlink | « Hide ]
Eric White - 11/Apr/08 01:21 AM

The reason I though throwing an exception was a good idea was, in
reading the JDK API, these two options are really mutually exclusive,
if you set one the other is unset. So, my thinking was URIs
containing: needClientAuth=true&wantClientAuth=true are technically
incorrect.

That being said, I prefer the approach that you took. Because from
the end users perspective it is very difficult to know that
needClientAuth and wantClientAuth override each other deep down inside
of the JDK. So as you say if the user configuring ActiveMQ and sets
needClientAuth then that should take precedence over wantClientAuth.
This is because needClientAuth is more restrictive of the two.

I'm sorry I didn't run the tests, that was a lapse of judgment on my part.

Would it be possible to update this page:
http://activemq.apache.org/contributing.html
To include something like this in the "Submitting patches" section:

Quick Check List:
1. Does the patch apply clean to the version it is supposed to fix.
2. Does the resutling patched code complie
3. Do the Unit tests run cleanly

All of these are obvious, but it never hurts, to remind everyone.

Thank you very much for fixing this in time for ActiveMQ 4.1.2. I
really appreciate the quick turn around.

Regards,
Eric
Powered by a free Atlassian JIRA non-profit license for Apache Software Foundation - ActiveMQ. Try JIRA - bug tracking software for your team.
Atlassian JIRA the Professional Issue Tracker. (Enterprise Edition, Version: 3.12.2-#300) - Bug/feature request - Atlassian news - Contact Administrators