
HTTPS Network Connector doesn't work with Mutual authentication- HTTPSClientTransport uses wrong SSLSocketFactory


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.9.0
    • Fix Version/s: 5.10.1, 5.11.0
    • Component/s: Connector
    • Environment: JBoss Fuse 6.1

    Description

      HttpsClientTransport is getting the wrong SSLSocketFactory.

      The problem is here:

          private SchemeRegistry createSchemeRegistry() {
      
              SchemeRegistry schemeRegistry = new SchemeRegistry();
              try {
                  // register the default socket factory so that it looks at the javax.net.ssl.keyStore,
                  // javax.net.ssl.trustStore, etc, properties by default
                  SSLSocketFactory sslSocketFactory =
                          new SSLSocketFactory((javax.net.ssl.SSLSocketFactory) javax.net.ssl.SSLSocketFactory.getDefault(),
                          SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
                  schemeRegistry.register(new Scheme("https", getRemoteUrl().getPort(), sslSocketFactory));
                  return schemeRegistry;
              } catch (Exception e) {
                  throw new IllegalStateException("Failure trying to create scheme registry", e);
              }
          }
      

      The problem with that code is that it never takes the SSLSocketFactory from the Spring context, so the one defined in XML is ignored.

      So its code has to be replaced with:

          private SchemeRegistry createSchemeRegistry() {

              SchemeRegistry schemeRegistry = new SchemeRegistry();
              try {
                  // wrap the JSSE socket factory chosen by createSocketFactory() (the broker's
                  // SslContext when one is configured, the JVM default otherwise) in the
                  // HttpClient factory, keeping the hostname verifier
                  SSLSocketFactory sslSocketFactory = new SSLSocketFactory(createSocketFactory(),
                          SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
                  schemeRegistry.register(new Scheme("https", getRemoteUrl().getPort(), sslSocketFactory));
                  return schemeRegistry;
              } catch (Exception e) {
                  throw new IllegalStateException("Failure trying to create scheme registry", e);
              }
          }

      And then a new method should be added:

          /**
           * Creates a new SSL SocketFactory. The given factory will use user-provided
           * key and trust managers (if the user provided them).
           *
           * @return Newly created (Ssl)SocketFactory.
           * @throws IOException
           */
          protected javax.net.ssl.SSLSocketFactory createSocketFactory() throws IOException {
              if (SslContext.getCurrentSslContext() != null) {
                  // SslContext configured in the broker XML (key store, trust store, managers)
                  SslContext ctx = SslContext.getCurrentSslContext();
                  try {
                      return ctx.getSSLContext().getSocketFactory();
                  } catch (Exception e) {
                      throw IOExceptionSupport.create(e);
                  }
              } else {
                  // no SslContext configured: fall back to the JVM default, which honours the
                  // javax.net.ssl.keyStore / javax.net.ssl.trustStore system properties
                  return (javax.net.ssl.SSLSocketFactory) javax.net.ssl.SSLSocketFactory.getDefault();
              }
          }

      This is a solution consistent with the other transports.

      I will prepare patches and tests for this scenario.

      Greetings
      Piotr Klimczak
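      The security consequence of the defect above is that the network connector negotiates TLS with whatever the JVM default SSLContext holds: client certificates only if the javax.net.ssl.keyStore system properties happen to be set, trust anchors from javax.net.ssl.trustStore or the JRE cacerts file, never the stores named in the broker's sslContext element. The following diagnostic is an added example written for this page; it is not part of the issue, the patch, or the ActiveMQ code base. It loads the key store and trust store a broker configuration would point at (the paths, passwords and the class name MutualTlsFactoryCheck are placeholders) and reports what the configured material can offer during mutual TLS compared with the JVM default trust store, so an operator can confirm that the stores actually contain a client certificate and the expected trust anchors before relying on the fixed transport.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;

/**
 * Added diagnostic (not ActiveMQ code). Compares the key and trust material a
 * broker-configured SSLContext would use for mutual TLS with what the JVM default
 * context falls back to when a transport ignores the configured SslContext.
 */
public class MutualTlsFactoryCheck {

    /** Loads a JKS/PKCS12 store the way the broker's sslContext element would. */
    static KeyStore loadStore(String path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    /** Key managers backed by an explicit key store: the source of the client certificate. */
    static KeyManager[] configuredKeyManagers(KeyStore keyStore, char[] password) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        return kmf.getKeyManagers();
    }

    /** Trust managers for an explicit store, or for the JVM default store when trustStore is null. */
    static TrustManager[] trustManagers(KeyStore trustStore) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // null selects javax.net.ssl.trustStore or cacerts, as the default context does
        return tmf.getTrustManagers();
    }

    /** Aliases an X509KeyManager could present as a client certificate; empty means client auth cannot succeed. */
    static List<String> clientAliases(KeyManager[] keyManagers) {
        List<String> aliases = new ArrayList<>();
        for (KeyManager km : keyManagers) {
            if (km instanceof X509KeyManager) {
                for (String keyType : new String[] {"RSA", "EC"}) {
                    String[] found = ((X509KeyManager) km).getClientAliases(keyType, null);
                    if (found != null) {
                        aliases.addAll(Arrays.asList(found));
                    }
                }
            }
        }
        return aliases;
    }

    /** Number of issuers the trust managers will accept for the peer's certificate chain. */
    static int trustAnchorCount(TrustManager[] trustManagers) {
        int count = 0;
        for (TrustManager tm : trustManagers) {
            if (tm instanceof X509TrustManager) {
                count += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return count;
    }

    /** The context a correctly wired transport obtains from SslContext.getSSLContext(). */
    static SSLContext configuredContext(KeyManager[] kms, TrustManager[] tms) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tms, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and passwords; pass the stores named in the broker's sslContext element.
        String keyStorePath = args.length > 0 ? args[0] : "/path/to/client.ks";
        char[] keyStorePassword = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String trustStorePath = args.length > 2 ? args[2] : "/path/to/client.ts";
        char[] trustStorePassword = (args.length > 3 ? args[3] : "changeit").toCharArray();

        KeyManager[] kms = configuredKeyManagers(loadStore(keyStorePath, keyStorePassword), keyStorePassword);
        TrustManager[] configuredTms = trustManagers(loadStore(trustStorePath, trustStorePassword));
        TrustManager[] defaultTms = trustManagers(null);

        System.out.println("Configured key store, client certificate aliases: " + clientAliases(kms));
        System.out.println("Configured trust store, accepted issuers: " + trustAnchorCount(configuredTms));
        System.out.println("JVM default trust store, accepted issuers: " + trustAnchorCount(defaultTms));
        // The default SSLContext offers a client certificate only when this property names a key store.
        System.out.println("javax.net.ssl.keyStore: " + System.getProperty("javax.net.ssl.keyStore", "<unset>"));

        SSLContext ctx = configuredContext(kms, configuredTms);
        System.out.println("Socket factory from configured context: " + ctx.getSocketFactory().getClass().getName());
    }
}
```

      Run it with the broker's key store and trust store paths and passwords as the four arguments. An empty alias list means the configured key store holds no private key usable for client authentication, and a large gap between the two issuer counts shows how much the fallback to the JVM default widens the set of servers the connector would trust.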

      People

        Assignee: Unassigned
        Reporter: nannou9 Piotr Klimczak

      Time Tracking

        Original Estimate: 16h
        Remaining Estimate: 16h
        Time Spent: Not Specified