[AMQ-5295] HTTPS Network Connector doesn't work with Mutual authentication- HTTPSClientTransport uses wrong SSLSocketFactory - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 5.9.0
Fix Version/s: 5.10.1, 5.11.0
Component/s: Connector
Labels:
- SSL
- TLS
- mutualSSL
Environment:

JBoss Fuse 6.1

Description

HttpsClientTransport is getting wrong SSLSocketFactory.

The problem is here:

    private SchemeRegistry createSchemeRegistry() {

        SchemeRegistry schemeRegistry = new SchemeRegistry();
        try {
            // register the default socket factory so that it looks at the javax.net.ssl.keyStore,
            // javax.net.ssl.trustStore, etc, properties by default
            SSLSocketFactory sslSocketFactory =
                    new SSLSocketFactory((javax.net.ssl.SSLSocketFactory) javax.net.ssl.SSLSocketFactory.getDefault(),
                    SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
            schemeRegistry.register(new Scheme("https", getRemoteUrl().getPort(), sslSocketFactory));
            return schemeRegistry;
        } catch (Exception e) {
            throw new IllegalStateException("Failure trying to create scheme registry", e);
        }
    }

The problem with that code is, that it never take SSLSocketFactory from spring context. So the one defined in XML is ignored.

So it's code have to be replaced with:

    private SchemeRegistry createSchemeRegistry() {

        SchemeRegistry schemeRegistry = new SchemeRegistry();
        try {
            // register the default socket factory so that it looks at the javax.net.ssl.keyStore,
            // javax.net.ssl.trustStore, etc, properties by default
            SSLSocketFactory sslSocketFactory = createSocketFactory();
            schemeRegistry.register(new Scheme("https", getRemoteUrl().getPort(), sslSocketFactory));
            return schemeRegistry;
        } catch (Exception e) {
            throw new IllegalStateException("Failure trying to create scheme registry", e);
        }
    }

And then new method should be added:

    /**
     * Creates a new SSL SocketFactory. The given factory will use user-provided
     * key and trust managers (if the user provided them).
     *
     * @return Newly created (Ssl)SocketFactory.
     * @throws IOException
     */
    protected SocketFactory createSocketFactory() throws IOException {
        if (SslContext.getCurrentSslContext() != null) {
            SslContext ctx = SslContext.getCurrentSslContext();
            try {
                return ctx.getSSLContext().getSocketFactory();
            } catch (Exception e) {
                throw IOExceptionSupport.create(e);
            }
        } else {
            return SSLSocketFactory.getDefault();
        }

    }

This is consistent solution with other transports.

I will prepare patches and tests for this scenerio.

Greetings
Piotr Klimczak

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Piotr Klimczak

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 29/Jul/14 20:04

Updated:: 11/Feb/15 10:43

Resolved:: 13/Aug/14 16:45

Time Tracking

Estimated:

16h

Remaining:

16h

Logged:

Not Specified