Uploaded image for project: 'ActiveMQ'
  1. ActiveMQ
  2. AMQ-3785

ActiveMQSslConnectionFactory does not detect ssl request in failover URIs when creating transports

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.0
    • Fix Version/s: 5.7.0
    • Component/s: Transport
    • Labels:
      None
    • Environment:

      Looks global from SVN source but I detected with JDK 1.6.0_31 on Redhat Linux client using AMQ 5.5.0

      Description

      The createTransport method in ActiveMQSslConnectionFactory delegates to the super class if the URI scheme
      is not ssl. Failover URIs have 'failover' as the URI scheme and so always delegate to the superclass. This causes
      ssl connections that need key or trust stores manipulated by code to hang or fail as the credentials are not available.

      Code from SVN trunk for ActiveMQSslConnectionFactory shows why

      protected Transport createTransport() throws JMSException {
      // If the given URI is non-ssl, let superclass handle it.
      if (!brokerURL.getScheme().equals("ssl"))

      { return super.createTransport(); }

      // !! jackf comment Code below never reached for failover URIs like failover:ssl:... or failover:(tcp:..., ssl...)
      // because the URI Scheme is failover, not ssl.
      // Therefore connections that need a keyManager or trustManager fail

      try {
      if (keyManager == null || trustManager == null)

      { trustManager = createTrustManager(); keyManager = createKeyManager(); // secureRandom can be left as null }

      SslTransportFactory sslFactory = new SslTransportFactory();
      SslContext ctx = new SslContext(keyManager, trustManager, secureRandom);
      SslContext.setCurrentSslContext(ctx);
      return sslFactory.doConnect(brokerURL);
      } catch (Exception e)

      { throw JMSExceptionSupport.create("Could not create Transport. Reason: " + e, e); }

      }

      (Vague) Solution: 1) need better pattern match than URI scheme to detect requests for ssl connections. 2) A failover URI is essentially a list of URIs so multiple ssl transport requests may be in the failover list. A first start is to require that the same key and trust stores are used for all failover connections but you may want to consider allowing customized stores for each of the ssl connections.

        Attachments

        1. ssltruststore.patch
          8 kB
          Claudio Corsi
        2. server.keystore
          2 kB
          Claudio Corsi
        3. client.keystore
          2 kB
          Claudio Corsi
        4. ActiveMQFailoverTest.zip
          3.57 MB
          Bryce Prescott

          Activity

            People

            • Assignee:
              gtully Gary Tully
              Reporter:
              jackf Jack Fitch
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: