ActiveMQ / AMQ-5295

HTTPS Network Connector doesn't work with mutual authentication - HttpsClientTransport uses wrong SSLSocketFactory


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.9.0
    • Fix Version/s: 5.10.1, 5.11.0
    • Component/s: Connector
    • Environment: JBoss Fuse 6.1

      Description

      HttpsClientTransport is getting the wrong SSLSocketFactory.

      The problem is here:

          private SchemeRegistry createSchemeRegistry() {
      
              SchemeRegistry schemeRegistry = new SchemeRegistry();
              try {
                  // register the default socket factory so that it looks at the javax.net.ssl.keyStore,
                  // javax.net.ssl.trustStore, etc, properties by default
                  SSLSocketFactory sslSocketFactory =
                          new SSLSocketFactory((javax.net.ssl.SSLSocketFactory) javax.net.ssl.SSLSocketFactory.getDefault(),
                          SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
                  schemeRegistry.register(new Scheme("https", getRemoteUrl().getPort(), sslSocketFactory));
                  return schemeRegistry;
              } catch (Exception e) {
                  throw new IllegalStateException("Failure trying to create scheme registry", e);
              }
          }
      

      The problem with that code is that it never takes the SSLSocketFactory from the Spring context, so the one defined in XML is ignored.

      So its code has to be replaced with:

          private SchemeRegistry createSchemeRegistry() {

              SchemeRegistry schemeRegistry = new SchemeRegistry();
              try {
                  // Wrap the JSSE factory chosen by createSocketFactory() (the broker's SslContext
                  // when one is configured, the JVM default otherwise). SSLSocketFactory here is the
                  // Apache HttpClient class, so the JSSE factory must be passed to its constructor
                  // rather than assigned directly; hostname verification stays switched on.
                  SSLSocketFactory sslSocketFactory = new SSLSocketFactory(
                          (javax.net.ssl.SSLSocketFactory) createSocketFactory(),
                          SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
                  schemeRegistry.register(new Scheme("https", getRemoteUrl().getPort(), sslSocketFactory));
                  return schemeRegistry;
              } catch (Exception e) {
                  throw new IllegalStateException("Failure trying to create scheme registry", e);
              }
          }
      

      And then a new method should be added:

          /**
           * Creates the JSSE SSLSocketFactory for the HTTPS client. If the broker has an
           * SslContext configured (the sslContext element in the XML configuration), its
           * key and trust managers are used, so the client certificate required for mutual
           * authentication comes from the configured keystore. Otherwise the JVM default
           * factory is used, which reads javax.net.ssl.keyStore, javax.net.ssl.trustStore, etc.
           *
           * @return Newly created javax.net.ssl.SSLSocketFactory.
           * @throws IOException if the configured SslContext cannot be initialised
           */
          protected javax.net.ssl.SSLSocketFactory createSocketFactory() throws IOException {
              SslContext ctx = SslContext.getCurrentSslContext();
              if (ctx != null) {
                  try {
                      return ctx.getSSLContext().getSocketFactory();
                  } catch (Exception e) {
                      throw IOExceptionSupport.create(e);
                  }
              } else {
                  // Fully qualified on purpose: the unqualified SSLSocketFactory in this class is the
                  // Apache HttpClient class, which has no getDefault().
                  return (javax.net.ssl.SSLSocketFactory) javax.net.ssl.SSLSocketFactory.getDefault();
              }
          }
      

      This is a solution consistent with the other transports.

      I will prepare patches and tests for this scenario.

      Greetings
      Piotr Klimczak
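
The following is an added example, not part of the report above and not ActiveMQ project code. It reproduces the two lookups the report contrasts (the JVM-default JSSE factory that the unfixed HttpsClientTransport always used, and the factory built from the broker's SslContext) and then verifies, over a real TLS handshake, which one actually presents a client certificate, which is what mutual authentication on the remote broker requires. It uses the real org.apache.activemq.broker.SslContext class (the object the broker builds from the sslContext element in activemq.xml), so the ActiveMQ broker jar must be on the classpath. The keystore paths, password, host name and port are assumptions for illustration; the SslContext is installed by hand here, whereas the broker itself makes it current on the thread that starts the connectors.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.activemq.broker.SslContext;

/**
 * Added example (not ActiveMQ code): compares the JVM-default SSLSocketFactory with the
 * one derived from the broker's SslContext and checks which of them sends a client
 * certificate to the remote broker during the handshake.
 */
public class BridgeSslFactoryCheck {

    // Assumed locations and password for illustration; replace with your broker's keystores.
    static final String KEYSTORE = "/etc/activemq/broker-keystore.p12";
    static final String TRUSTSTORE = "/etc/activemq/broker-truststore.p12";
    static final char[] PASSWORD = "changeit".toCharArray();

    /** Builds by hand what the broker builds from sslContext keyStore=... trustStore=... in activemq.xml. */
    static SslContext brokerSslContext() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, PASSWORD);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD);

        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(TRUSTSTORE)) {
            ts.load(in, PASSWORD);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        // null SecureRandom lets the SSLContext pick its own.
        return new SslContext(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    }

    /** The lookup the fix introduces: the broker's SslContext if one is current, the JVM default otherwise. */
    static SSLSocketFactory bridgeSocketFactory() throws Exception {
        SslContext ctx = SslContext.getCurrentSslContext();
        if (ctx != null) {
            return ctx.getSSLContext().getSocketFactory();
        }
        // Only this fallback honours -Djavax.net.ssl.keyStore / -Djavax.net.ssl.trustStore.
        return (SSLSocketFactory) SSLSocketFactory.getDefault();
    }

    /** Handshakes with the remote broker and reports whether this side sent a client certificate. */
    static boolean presentsClientCertificate(SSLSocketFactory factory, String host, int port) throws Exception {
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            SSLSession session = socket.getSession();
            // getLocalCertificates() is null when no certificate was sent to the peer.
            Certificate[] sent = session.getLocalCertificates();
            return sent != null && sent.length > 0;
        } catch (SSLHandshakeException rejected) {
            // A peer that requires client auth aborts the handshake when none is offered.
            System.out.println("handshake rejected: " + rejected.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "remote-broker.example"; // assumed peer
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;

        // Unfixed behaviour: JVM default, whatever activemq.xml configured.
        SSLSocketFactory jvmDefault = (SSLSocketFactory) SSLSocketFactory.getDefault();
        System.out.println("JVM default factory presents client cert: "
                + presentsClientCertificate(jvmDefault, host, port));

        // Fixed behaviour: make the broker's SslContext current, then look it up as the fix does.
        SslContext.setCurrentSslContext(brokerSslContext());
        try {
            SSLSocketFactory fixed = bridgeSocketFactory();
            System.out.println("Broker SslContext factory presents client cert: "
                    + presentsClientCertificate(fixed, host, port));
        } finally {
            SslContext.setCurrentSslContext(null);
        }
    }
}
```

On an affected release the first line prints false (or "handshake rejected") unless the JVM was started with the javax.net.ssl.keyStore properties, which is also the only workaround before the fix; the second line is what the network connector gets once createSocketFactory() consults the SslContext.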

        People

            • Assignee: Unassigned
            • Reporter: nannou9 Piotr Klimczak
            • Votes: 0
            • Watchers: 4

        Time Tracking

            • Original Estimate: 16h
            • Remaining Estimate: 16h
            • Time Spent: Not Specified