ActiveMQ Classic - AMQ-5295

HTTPS Network Connector doesn't work with Mutual authentication - HttpsClientTransport uses wrong SSLSocketFactory


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.9.0
    • Fix Version/s: 5.10.1, 5.11.0
    • Component/s: Connector
    • Environment: JBoss Fuse 6.1

    Description

      HttpsClientTransport is getting the wrong SSLSocketFactory.

      The problem is here:

          private SchemeRegistry createSchemeRegistry() {
      
              SchemeRegistry schemeRegistry = new SchemeRegistry();
              try {
                  // register the default socket factory so that it looks at the javax.net.ssl.keyStore,
                  // javax.net.ssl.trustStore, etc, properties by default
                  SSLSocketFactory sslSocketFactory =
                          new SSLSocketFactory((javax.net.ssl.SSLSocketFactory) javax.net.ssl.SSLSocketFactory.getDefault(),
                          SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
                  schemeRegistry.register(new Scheme("https", getRemoteUrl().getPort(), sslSocketFactory));
                  return schemeRegistry;
              } catch (Exception e) {
                  throw new IllegalStateException("Failure trying to create scheme registry", e);
              }
          }
      

      The problem with that code is that it never takes the SSLSocketFactory from the Spring context, so the one defined in XML is ignored.

      So its code has to be replaced with:

          private SchemeRegistry createSchemeRegistry() {
      
              SchemeRegistry schemeRegistry = new SchemeRegistry();
              try {
                  // take the broker's SSL socket factory (the SslContext from the Spring XML when
                  // present, the JVM default otherwise) and wrap it for HttpClient; the
                  // HttpClient SSLSocketFactory expects a javax.net.ssl.SSLSocketFactory here
                  SSLSocketFactory sslSocketFactory = new SSLSocketFactory(createSocketFactory(),
                          SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
                  schemeRegistry.register(new Scheme("https", getRemoteUrl().getPort(), sslSocketFactory));
                  return schemeRegistry;
              } catch (Exception e) {
                  throw new IllegalStateException("Failure trying to create scheme registry", e);
              }
          }
      

      And then new method should be added:

          /**
           * Creates a new SSL socket factory. The returned factory uses the
           * user-provided key and trust managers (if the user provided them)
           * through the broker's current SslContext; otherwise it falls back to
           * the JVM default factory, which is driven by the javax.net.ssl.*
           * system properties.
           *
           * @return Newly created javax.net.ssl.SSLSocketFactory.
           * @throws IOException if the SSL context cannot be initialised.
           */
          protected javax.net.ssl.SSLSocketFactory createSocketFactory() throws IOException {
              if (SslContext.getCurrentSslContext() != null) {
                  // the sslContext configured in the broker XML (Spring) wins
                  SslContext ctx = SslContext.getCurrentSslContext();
                  try {
                      return ctx.getSSLContext().getSocketFactory();
                  } catch (Exception e) {
                      throw IOExceptionSupport.create(e);
                  }
              } else {
                  // no broker SslContext: same behaviour as the original code
                  return (javax.net.ssl.SSLSocketFactory) javax.net.ssl.SSLSocketFactory.getDefault();
              }
          }
      

      This solution is consistent with the other transports.

      I will prepare patches and tests for this scenario.

      Greetings
      Piotr Klimczak
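As an added illustration that is not part of the original report, this is the kind of broker XML configuration the unpatched HttpsClientTransport ignores: the key store holding this broker's certificate for mutual authentication is given on the broker's sslContext, and the https network connector is expected to present it. Broker name, file paths, passwords and the remote host/port are placeholders.

```xml
<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="brokerA">

    <!-- Key store: this broker's own certificate and private key, presented to
         the remote broker as the client certificate for mutual authentication.
         Trust store: the CA(s) that signed the remote broker's certificate.
         Paths and passwords are placeholders. -->
    <sslContext>
      <sslContext keyStore="file:${activemq.base}/conf/brokerA.ks"
                  keyStorePassword="CHANGE_ME"
                  trustStore="file:${activemq.base}/conf/brokerA.ts"
                  trustStorePassword="CHANGE_ME"/>
    </sslContext>

    <networkConnectors>
      <!-- HTTPS network connector to the remote broker (placeholder host/port).
           Before the fix, javax.net.ssl.SSLSocketFactory.getDefault() was used
           for this connector, so the keyStore above was never consulted and no
           client certificate was sent to the remote broker. -->
      <networkConnector uri="static:(https://remote-broker.example:8443)"/>
    </networkConnectors>

  </broker>
</beans>
```

Without the fix, the only way to make this connector present a certificate is through the javax.net.ssl.keyStore and javax.net.ssl.trustStore system properties mentioned in the original code comment, which apply to the whole JVM rather than to this broker's configuration.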

      People

        Assignee: Unassigned
        Reporter: Piotr Klimczak (nannou9)