Issue Details (XML | Word | Printable)

Key: AMQ-1659
Type: Bug Bug
Status: Closed Closed
Resolution: Fixed
Priority: Major Major
Assignee: David Jencks
Reporter: Eric White
Votes: 0
Watchers: 1
Operations

If you were logged in you would be able to see more operations.
ActiveMQ

SSL Transport configured in wantClientAuth mode never asks for the client certificate during the SSL Handshake

Created: 10/Apr/08 02:15 AM   Updated: 11/Apr/08 01:21 AM
Return to search
Component/s: Transport
Affects Version/s: 4.1.1, 5.0.0
Fix Version/s: 4.1.2, 5.1.0

Time Tracking:
Original Estimate: 4 days, 8 hours
Original Estimate - 4 days, 8 hours
Remaining Estimate: 4 days, 8 hours
Remaining Estimate - 4 days, 8 hours
Time Spent: Not Specified
Remaining Estimate - 4 days, 8 hours

File Attachments:
  File Name Date Attached Attached By Size
Text File Licensed for inclusion in ASF works amq-411-complex-version.patch 2008-04-10 05:45 AM Eric White 3 kB
Text File Licensed for inclusion in ASF works amq-411-simple-version.patch 2008-04-10 05:47 AM Eric White 1 kB
Text File Licensed for inclusion in ASF works amq-500-complex-version.patch 2008-04-10 05:48 AM Eric White 3 kB
Text File Licensed for inclusion in ASF works amq-500-simple-version.patch 2008-04-10 05:49 AM Eric White 1 kB
Environment:
I think this is for all environments, it may be JDK dependent though.

I tested on:
Linux 2.6.20-gentoo-r7
java version "1.6.0"
Java(TM) SE Runtime Environment (build 1.6.0-b105)
Java HotSpot(TM) 64-Bit Server VM (build 1.6.0-b105, mixed mode)


 Description  « Hide
See: http://java.sun.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setWantClientAuth(boolean)

"
A socket's client authentication setting is one of the following:

  • client authentication required
  • client authentication requested
  • no client authentication desired
    "

In the API it indicates that if you call either setWantClientAuth, or setNeedClientAuth it will override the call to the other.

Therefor I believe the following code only allows for ActiveMQ to be in two states:

  • Client Authentication Required (needClientAuth==true)
  • No client Authentication Desired (needClientAuth==false)

activemq-core/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java

As setWantClientAuth is overridden by setNeedClientAuth.
public void bind() throws IOException {
super.bind();
((SSLServerSocket)this.serverSocket).setWantClientAuth(wantClientAuth);
((SSLServerSocket)this.serverSocket).setNeedClientAuth(needClientAuth);
}

I believe this the same issue as this Jetty issue: http://jira.codehaus.org/browse/JETTY-86

 All   Comments   Work Log   Change History   Subversion Commits   FishEye   Crucible      Sort Order: Ascending order - Click to sort in descending order
[ Permlink | « Hide ]
Eric White added a comment - 10/Apr/08 05:36 AM 
 
activemq-core/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java
public void bind() throws IOException { 
    super.bind();
    ((SSLServerSocket)this.serverSocket).setWantClientAuth(wantClientAuth);
    ((SSLServerSocket)this.serverSocket).setNeedClientAuth(needClientAuth); <--- This overrides setWantClientAuth
}

[ Permlink | « Hide ]
Eric White added a comment - 10/Apr/08 05:45 AM - edited
https://issues.apache.org/activemq/secure/attachment/16326/amq-411-complex-version.patch

This file is for ActiveMQ 4.1.1

I have tested this file locally and it works for me.

In this version Boolean properties are used instead of just boolean. This makes it possible to distinguish between true, false, and null. Corresponding to the underlying properties being set to true, false or not set at all.


Eric White made changes - 10/Apr/08 05:45 AM
Field Original Value New Value
Attachment amq-411-complex-version.patch [ 16326 ]
[ Permlink | « Hide ]
Eric White added a comment - 10/Apr/08 05:47 AM - edited
https://issues.apache.org/activemq/secure/attachment/16327/amq-411-simple-version.patch

This file is for ActiveMQ 4.1.1

I have tested this file locally and it works for me.

In this version only boolean properties are used. This make it impossible to know if the property was set on the Transport URL or not.

My personal belief is the complex version is better, but I supplied both as I'm unsure how the maintainers would like to see the issue resolved.


Eric White made changes - 10/Apr/08 05:47 AM
Attachment amq-411-simple-version.patch [ 16327 ]
[ Permlink | « Hide ]
Eric White added a comment - 10/Apr/08 05:48 AM - edited
https://issues.apache.org/activemq/secure/attachment/16328/amq-500-complex-version.patch

This file is for ActiveMQ 5.0.0

I have NOT TESTED this on ActiveMQ 5, but the looking at the source code, I think the issue is there. This patch does compile.

In this version Boolean properties are used instead of just boolean. This makes it possible to distinguish between true, false, and null. Corresponding to the underlying properties being set to true, false or not set at all.


Eric White made changes - 10/Apr/08 05:48 AM
Attachment amq-500-complex-version.patch [ 16328 ]
[ Permlink | « Hide ]
Eric White added a comment - 10/Apr/08 05:49 AM - edited
https://issues.apache.org/activemq/secure/attachment/16329/amq-500-simple-version.patch

This file is for ActiveMQ 5.0.0

I have NOT TESTED this on ActiveMQ 5, but the looking at the source code, I think the issue is there. This patch does compile.

In this version only boolean properties are used. This make it impossible to know if the property was set on the Transport URL or not.

My personal belief is the complex version is better, but I supplied both as I'm unsure how the maintainers would like to see the issue resolved.


Eric White made changes - 10/Apr/08 05:49 AM
Attachment amq-500-simple-version.patch [ 16329 ]
David Jencks made changes - 10/Apr/08 10:03 AM
Assignee David Jencks [ djencks ]
[ Permlink | « Hide ]
David Jencks added a comment - 10/Apr/08 10:07 AM
In the past I've fixed this bug (in other projects) like this:

public void bind() throws IOException {
super.bind();
if (needClientAuth) { ((SSLServerSocket)this.serverSocket).setNeedClientAuth(true); } else if (wantClientAuth) { ((SSLServerSocket)this.serverSocket).setWantClientAuth(true); }
}

which to me corresponds better to natural language usage like "I not only want client auth, I need it!"

Is there some reason you think that setting both flags true should be disallowed?


[ Permlink | « Hide ]
David Jencks added a comment - 10/Apr/08 10:13 AM
with luck 4.1.2 is out the door.... should be able to get it in 5.1.0 though

David Jencks made changes - 10/Apr/08 10:13 AM
Affects Version/s 5.0.0 [ 11712 ]
Fix Version/s 4.1.1 [ 11800 ]
Fix Version/s 4.1.3 [ 11901 ]
Fix Version/s 5.1.0 [ 11802 ]
646928 by  David Jencks (2 files)
10/Apr/08 12:19 PM (19 months, 10 days ago)
[ Permlink | « Hide ]
David Jencks added a comment - 10/Apr/08 12:40 PM
looks like it will make it into 4.1.2

David Jencks made changes - 10/Apr/08 12:40 PM
Fix Version/s 4.1.3 [ 11901 ]
Fix Version/s 4.1.2 [ 11801 ]
646936 by  David Jencks (2 files)
10/Apr/08 12:41 PM (19 months, 10 days ago)
Repository Revision Date User Message
AMQ #646936 Thu Apr 10 12:41:31 PDT 2008 djencks AMQ-1659 Fix want/needClientAuth code and test
Files Changed
MODIFY /activemq/trunk/activemq-core/src/test/java/org/apache/activemq/transport/tcp/SslTransportServerTest.java
MODIFY /activemq/trunk/activemq-core/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java

[ Permlink | « Hide ]
David Jencks added a comment - 10/Apr/08 12:42 PM
The test needed quite a bit of fixing up also. The proposed patches would definitely have broken the tests as they test all 4 combinations, and do not expect an exception if both flags are true.
4.1 rev 646928
trunk rev 646936

David Jencks made changes - 10/Apr/08 12:42 PM
Status Open [ 1 ] Closed [ 6 ]
Resolution Fixed [ 1 ]
[ Permlink | « Hide ]
Eric White added a comment - 11/Apr/08 01:21 AM

The reason I though throwing an exception was a good idea was, in
reading the JDK API, these two options are really mutually exclusive,
if you set one the other is unset. So, my thinking was URIs
containing: needClientAuth=true&wantClientAuth=true are technically
incorrect.

That being said, I prefer the approach that you took. Because from
the end users perspective it is very difficult to know that
needClientAuth and wantClientAuth override each other deep down inside
of the JDK. So as you say if the user configuring ActiveMQ and sets
needClientAuth then that should take precedence over wantClientAuth.
This is because needClientAuth is more restrictive of the two.

I'm sorry I didn't run the tests, that was a lapse of judgment on my part.

Would it be possible to update this page:
http://activemq.apache.org/contributing.html
To include something like this in the "Submitting patches" section:

Quick Check List:
1. Does the patch apply clean to the version it is supposed to fix.
2. Does the resutling patched code complie
3. Do the Unit tests run cleanly

All of these are obvious, but it never hurts, to remind everyone.

Thank you very much for fixing this in time for ActiveMQ 4.1.2. I
really appreciate the quick turn around.

Regards,
Eric


Create crucible review for all 2 changesets in

Powered by a free Atlassian JIRA open source license for Apache Software Foundation - ActiveMQ. Try JIRA - bug tracking software for your team.
Atlassian JIRA the Professional Issue Tracker. (Enterprise Edition, Version: 3.13.2-#335) - Bug/feature request - Atlassian news - Contact Administrators