Author: tabish
Date: Tue Mar 9 15:46:18 2010
New Revision: 920928
URL: http://svn.apache.org/viewvc?rev=920928&view=rev
Log:
https://issues.apache.org/activemq/browse/AMQNET-239
Update the SslTransport to add an acceptInvalidBrokerCert option and to supply
a client Certificate if the configuration supplies a location to read one from.
Modified:
activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs
activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs
Modified:
activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs
URL:
http://svn.apache.org/viewvc/activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs?rev=920928&r1=920927&r2=920928&view=diff
==============================================================================
---
activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs
(original)
+++
activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransport.cs
Tue Mar 9 15:46:18 2010
@@ -27,10 +27,11 @@ namespace Apache.NMS.ActiveMQ.Transport.
{
public class SslTransport : TcpTransport
{
- private string brokerCertLocation;
- private string brokerCertPassword;
private string clientCertLocation;
private string clientCertPassword;
+
+ private bool acceptInvalidBrokerCert = false;
+
private SslStream sslStream;
public SslTransport(Uri location, Socket socket, IWireFormat
wireFormat) :
@@ -43,29 +44,36 @@ namespace Apache.NMS.ActiveMQ.Transport.
Dispose(false);
}
- public string BrokerCertLocation
- {
- get { return this.brokerCertLocation; }
- set { this.brokerCertLocation = value; }
- }
-
- public string BrokerCertPassword
- {
- get { return this.brokerCertPassword; }
- set { this.brokerCertPassword = value; }
- }
-
+ /// <summary>
+ /// Indicates the location of the Client Certificate to use when the
Broker
+ /// is configured for Client Auth (not common). The SslTransport will
supply
+ /// this certificate to the SslStream via the SelectLocalCertificate
method.
+ /// </summary>
public string ClientCertLocation
{
get { return this.clientCertLocation; }
set { this.clientCertLocation = value; }
}
+ /// <summary>
+ /// Password for the Client Certificate specified via configuration.
+ /// </summary>
public string ClientCertPassword
{
get { return this.clientCertPassword; }
set { this.clientCertPassword = value; }
}
+
+ /// <summary>
+ /// Indicates if the SslTransport should ignore any errors in the
supplied Broker
+ /// certificate and connect anyway, this is useful in testing with a
default AMQ
+ /// broker certificate that is self signed.
+ /// </summary>
+ public bool AcceptInvalidBrokerCert
+ {
+ get { return this.acceptInvalidBrokerCert; }
+ set { this.acceptInvalidBrokerCert = value; }
+ }
protected override Stream CreateSocketStream()
{
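Review bot: The summary on the new AcceptInvalidBrokerCert property describes only the self-signed test-broker use case and does not say what the flag actually disables; given that ValidateServerCertificate returns this value for every SslPolicyErrors case, a reader should be told the consequence. I would extend the XML doc with: `/// WARNING: when true, chain errors, host-name mismatches and a missing broker certificate are all accepted, so the connection is open to man-in-the-middle attack. Leave false (the default) outside of test environments.` The ClientCertPassword summary could likewise note that the value is held in memory as plain text and should come from protected configuration rather than a URI string, if that is where it is parsed from (not visible here).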
@@ -73,11 +81,19 @@ namespace Apache.NMS.ActiveMQ.Transport.
{
return this.sslStream;
}
+
+ LocalCertificateSelectionCallback clientCertSelect = null;
+
+ if(this.clientCertLocation != null )
+ {
+ clientCertSelect = new
LocalCertificateSelectionCallback(SelectLocalCertificate);
+ }
this.sslStream = new SslStream(
new NetworkStream(this.socket),
false,
- new
RemoteCertificateValidationCallback(ValidateServerCertificate));
+ new
RemoteCertificateValidationCallback(ValidateServerCertificate),
+ clientCertSelect );
try
{
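Review bot: The guard `if(this.clientCertLocation != null )` registers the selection callback for an empty configured location as well, and SelectLocalCertificate then throws from inside the handshake when it tries to open "" as a PFX file. Using `if(!string.IsNullOrEmpty(this.clientCertLocation))` keeps the anonymous-client path for blank settings and makes the misconfiguration case a clear no-client-cert failure at the broker rather than an exception thrown from the SslStream callback. CreateSocketStream's body continues outside this hunk.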
@@ -101,10 +117,10 @@ namespace Apache.NMS.ActiveMQ.Transport.
return sslStream;
}
- private static bool ValidateServerCertificate(object sender,
- X509Certificate
certificate,
- X509Chain chain,
- SslPolicyErrors
sslPolicyErrors)
+ private bool ValidateServerCertificate(object sender,
+ X509Certificate certificate,
+ X509Chain chain,
+ SslPolicyErrors sslPolicyErrors)
{
Tracer.DebugFormat("ValidateServerCertificate: Issued By {0}",
certificate.Issuer);
if(sslPolicyErrors == SslPolicyErrors.None)
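Review bot: The trace on the first line of the body dereferences `certificate.Issuer` unconditionally, but when sslPolicyErrors is RemoteCertificateNotAvailable the certificate argument is null, so the new RemoteCertificateNotAvailable branch added further down can never be reached and the handshake fails with a NullReferenceException instead of the intended error log. Guard the trace, e.g. `Tracer.DebugFormat("ValidateServerCertificate: Issued By {0}", certificate == null ? "<none>" : certificate.Issuer);`. The rest of the method is in the following hunk.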
@@ -126,9 +142,27 @@ namespace Apache.NMS.ActiveMQ.Transport.
{
Tracer.Error("Mismatch between Remote Cert Name.");
}
+ else if(sslPolicyErrors ==
SslPolicyErrors.RemoteCertificateNotAvailable)
+ {
+ Tracer.Error("The Remote Certificate was not Available.");
+ }
- // Just ignore any cert errors for now.
- return true;
+ // Configuration may or may not allow us to connect with an
invliad broker cert.
+ return AcceptInvalidBrokerCert;
}
+
+ private X509Certificate SelectLocalCertificate(object sender,
+ string targetHost,
+
X509CertificateCollection localCertificates,
+ X509Certificate
remoteCertificate,
+ string[]
acceptableIssuers)
+ {
+ Tracer.Debug("Client is selecting a local certificate.");
+
+ X509Certificate2 certificate = new X509Certificate2(
clientCertLocation, clientCertPassword );
+
+ return certificate;
+ }
+
}
}
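Review bot: Returning AcceptInvalidBrokerCert for every policy error also accepts the RemoteCertificateNotAvailable case, which is wider than the documented purpose of tolerating a self-signed test certificate; a broker presenting no certificate at all is better rejected regardless of the flag, e.g. `return AcceptInvalidBrokerCert && sslPolicyErrors != SslPolicyErrors.RemoteCertificateNotAvailable;`. When the flag does allow the connection the method still logs each problem at Error level with no indication that it was deliberately bypassed, so I would add `Tracer.Warn("AcceptInvalidBrokerCert is set; connecting despite the certificate errors above.");` before the return so operators can tell a bypass from a failure. In SelectLocalCertificate the PFX is re-read from disk on every handshake and acceptableIssuers is ignored; loading once and caching the X509Certificate2 would avoid repeated file and password handling, though the callback's ignoring of acceptableIssuers is harmless as long as the broker accepts the configured certificate.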
Modified:
activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs
URL:
http://svn.apache.org/viewvc/activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs?rev=920928&r1=920927&r2=920928&view=diff
==============================================================================
---
activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs
(original)
+++
activemq/activemq-dotnet/Apache.NMS.ActiveMQ/trunk/src/main/csharp/Transport/Tcp/SslTransportFactory.cs
Tue Mar 9 15:46:18 2010
@@ -23,26 +23,13 @@ namespace Apache.NMS.ActiveMQ.Transport.
{
public class SslTransportFactory : TcpTransportFactory
{
- private string brokerCertLocation;
- private string brokerCertPassword;
private string clientCertLocation;
private string clientCertPassword;
+ private bool acceptInvalidBrokerCert = false;
public SslTransportFactory() : base()
{
}
-
- public string BrokerCertLocation
- {
- get { return this.brokerCertLocation; }
- set { this.brokerCertLocation = value; }
- }
-
- public string BrokerCertPassword
- {
- get { return this.brokerCertPassword; }
- set { this.brokerCertPassword = value; }
- }
public string ClientCertLocation
{
@@ -56,15 +43,20 @@ namespace Apache.NMS.ActiveMQ.Transport.
set { this.clientCertPassword = value; }
}
+ public bool AcceptInvalidBrokerCert
+ {
+ get { return this.acceptInvalidBrokerCert; }
+ set { this.acceptInvalidBrokerCert = value; }
+ }
+
protected override ITransport DoCreateTransport(Uri location,
Socket socket, IWireFormat wireFormat )
{
Tracer.Debug("Creating new instance of the SSL Transport.");
SslTransport transport = new SslTransport(location,
socket, wireFormat);
- transport.BrokerCertLocation = BrokerCertLocation;
- transport.BrokerCertPassword = BrokerCertPassword;
transport.ClientCertLocation = ClientCertLocation;
transport.ClientCertPassword = ClientCertPassword;
+ transport.AcceptInvalidBrokerCert = AcceptInvalidBrokerCert;
return transport;
}