This is an automated email from the ASF dual-hosted git repository.
clebertsuconic pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git
The following commit(s) were added to refs/heads/master by this push:
new 410a552 ARTEMIS-2711 use peer host:port for acceptor SSL engine
new 93b68eb This closes #3081
410a552 is described below
commit 410a552894140cc9fac5cd1fed5b5d21cda999cb
Author: Justin Bertram <[email protected]>
AuthorDate: Tue Apr 14 11:01:46 2020 -0500
ARTEMIS-2711 use peer host:port for acceptor SSL engine
---
.../core/remoting/impl/netty/NettyAcceptor.java | 33 ++++++++++++++-------
.../ssl/CoreClientOverTwoWayOpenSSLServerTest.java | 29 +-----------------
.../ssl/CoreClientOverTwoWayOpenSSLTest.java | 4 +--
.../ssl/CoreClientOverTwoWaySSLTest.java | 6 ++--
.../resources/verified-client-side-keystore.jceks | Bin 2203 -> 2222 bytes
.../resources/verified-client-side-keystore.jks | Bin 2226 -> 2242 bytes
.../resources/verified-client-side-keystore.p12 | Bin 2565 -> 2581 bytes
.../verified-openssl-client-side-keystore.jceks | Bin 655 -> 674 bytes
.../verified-openssl-client-side-keystore.jks | Bin 679 -> 695 bytes
.../verified-openssl-server-side-truststore.jceks | Bin 543 -> 560 bytes
.../verified-openssl-server-side-truststore.jks | Bin 544 -> 560 bytes
.../verified-server-side-truststore.jceks | Bin 935 -> 952 bytes
.../resources/verified-server-side-truststore.jks | Bin 935 -> 952 bytes
.../resources/verified-server-side-truststore.p12 | Bin 1162 -> 1186 bytes
14 files changed, 29 insertions(+), 43 deletions(-)
diff --git
a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
index 3b0234b..924f335 100644
---
a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
+++
b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
@@ -73,6 +73,7 @@ import io.netty.util.concurrent.GenericFutureListener;
import io.netty.util.concurrent.GlobalEventExecutor;
import org.apache.activemq.artemis.api.config.ActiveMQDefaultConfiguration;
import org.apache.activemq.artemis.api.core.ActiveMQException;
+import org.apache.activemq.artemis.api.core.Pair;
import org.apache.activemq.artemis.api.core.SimpleString;
import org.apache.activemq.artemis.api.core.TransportConfiguration;
import org.apache.activemq.artemis.api.core.management.CoreNotificationType;
@@ -404,12 +405,24 @@ public class NettyAcceptor extends AbstractAcceptor {
@Override
public void initChannel(Channel channel) throws Exception {
ChannelPipeline pipeline = channel.pipeline();
+ Pair<String, Integer> peerInfo = getPeerInfo(channel);
if (sslEnabled) {
- pipeline.addLast("ssl", getSslHandler(channel.alloc()));
+ pipeline.addLast("ssl", getSslHandler(channel.alloc(),
peerInfo.getA(), peerInfo.getB()));
pipeline.addLast("sslHandshakeExceptionHandler", new
SslHandshakeExceptionHandler());
}
pipeline.addLast(protocolHandler.getProtocolDecoder());
}
+
+ private Pair<String, Integer> getPeerInfo(Channel channel) {
+ try {
+ String[] peerInfo =
channel.remoteAddress().toString().replace("/", "").split(":");
+ return new Pair<>(peerInfo[0], Integer.parseInt(peerInfo[1]));
+ } catch (Exception e) {
+ logger.debug("Failed to parse peer info for SSL engine
initialization", e);
+ }
+
+ return new Pair<>(null, 0);
+ }
};
bootstrap.childHandler(factory);
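Review bot: `getPeerInfo` derives host and port by splitting `channel.remoteAddress().toString()` on `:`, which breaks for any IPv6 peer because the address literal itself contains colons: for a loopback IPv6 peer, for example, `peerInfo[0]` and `peerInfo[1]` are address groups rather than host and port, so the port parses as 0 and the engine is silently created without peer information; an address whose `toString()` carries a hostname prefix would likewise produce a mangled host once the `/` is stripped. Netty's `Channel.remoteAddress()` returns a `SocketAddress` that for TCP channels is an `InetSocketAddress`, so host and port can be read structurally instead of from a string, and the broad `catch (Exception e)` that currently downgrades a mis-parse to a debug log is no longer needed. Presumably a wrong or missing peer host surfaces downstream as an engine built without peer hints (the `peerPort != 0` guard in the later hunks) rather than as a verification bypass, but that depends on how endpoint identification is configured outside this file and is worth confirming. Suggested rewrite; it needs `java.net.InetSocketAddress` and `java.net.SocketAddress` imported.
```java
   private Pair<String, Integer> getPeerInfo(Channel channel) {
      SocketAddress remote = channel.remoteAddress();
      if (remote instanceof InetSocketAddress) {
         InetSocketAddress inet = (InetSocketAddress) remote;
         // getHostString() does not trigger a reverse lookup; it is the literal IP unless the address was built from a hostname
         return new Pair<>(inet.getHostString(), inet.getPort());
      }
      logger.debug("Unexpected remote address type for SSL engine initialization: " + remote);
      return new Pair<>(null, 0);
   }
```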
@@ -498,12 +511,12 @@ public class NettyAcceptor extends AbstractAcceptor {
startServerChannels();
}
- public synchronized SslHandler getSslHandler(ByteBufAllocator alloc) throws
Exception {
+ public synchronized SslHandler getSslHandler(ByteBufAllocator alloc, String
peerHost, int peerPort) throws Exception {
SSLEngine engine;
if (sslProvider.equals(TransportConstants.OPENSSL_PROVIDER)) {
- engine = loadOpenSslEngine(alloc);
+ engine = loadOpenSslEngine(alloc, peerHost, peerPort);
} else {
- engine = loadJdkSslEngine();
+ engine = loadJdkSslEngine(peerHost, peerPort);
}
engine.setUseClientMode(false);
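Review bot: `getSslHandler` is a public synchronized method whose arity changes here without a compatibility overload, so if any caller outside this class (another acceptor, a test, a plugin) invokes `getSslHandler(alloc)` it now fails to compile, and the meaning of passing `null` / `0` is not documented anywhere on the method. Keeping the old signature as a delegating overload is one line, `public synchronized SslHandler getSslHandler(ByteBufAllocator alloc) throws Exception { return getSslHandler(alloc, null, 0); }`, and the new signature should carry a Javadoc stating that `peerHost` and `peerPort` are the remote endpoint of the accepted connection and that `null` / `0` creates an engine without peer information. The body of `getSslHandler` continues outside the hunk.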
@@ -572,7 +585,7 @@ public class NettyAcceptor extends AbstractAcceptor {
return new SslHandler(engine);
}
- private SSLEngine loadJdkSslEngine() throws Exception {
+ private SSLEngine loadJdkSslEngine(String peerHost, int peerPort) throws
Exception {
final SSLContext context;
try {
if (kerb5Config == null && keyStorePath == null &&
TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER.equals(keyStoreProvider))
@@ -602,8 +615,8 @@ public class NettyAcceptor extends AbstractAcceptor {
SSLEngine engine = Subject.doAs(subject, new
PrivilegedExceptionAction<SSLEngine>() {
@Override
public SSLEngine run() {
- if (verifyHost) {
- return context.createSSLEngine(host, port);
+ if (peerHost != null && peerPort != 0) {
+ return context.createSSLEngine(peerHost, peerPort);
} else {
return context.createSSLEngine();
}
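Review bot: The sentinel guard `if (peerHost != null && peerPort != 0)` is undocumented and is repeated verbatim in `loadOpenSslEngine` (hunk `@@ -642,8 +655,8 @@`); its meaning is only discoverable from `getPeerInfo`'s fallback value in an earlier hunk, so a reader of this method cannot tell why port 0 is special. A comment on the condition such as `// null host / port 0 is getPeerInfo's "peer address unavailable" fallback: build the engine without peer hints`, or a small private `hasPeerInfo(String peerHost, int peerPort)` helper used by both engine loaders, would make that explicit. Since this guard replaces the former `verifyHost` check, whether an engine built without peer host under `verifyHost` fails the handshake or skips endpoint identification depends on where `setEndpointIdentificationAlgorithm` is applied, which is outside this hunk and worth confirming in the commit description. The enclosing `loadJdkSslEngine` starts and ends outside the hunk.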
@@ -612,7 +625,7 @@ public class NettyAcceptor extends AbstractAcceptor {
return engine;
}
- private SSLEngine loadOpenSslEngine(ByteBufAllocator alloc) throws
Exception {
+ private SSLEngine loadOpenSslEngine(ByteBufAllocator alloc, String
peerHost, int peerPort) throws Exception {
final SslContext context;
try {
if (kerb5Config == null && keyStorePath == null &&
TransportConstants.DEFAULT_TRUSTSTORE_PROVIDER.equals(keyStoreProvider))
@@ -642,8 +655,8 @@ public class NettyAcceptor extends AbstractAcceptor {
SSLEngine engine = Subject.doAs(subject, new
PrivilegedExceptionAction<SSLEngine>() {
@Override
public SSLEngine run() {
- if (verifyHost) {
- return context.newEngine(alloc, host, port);
+ if (peerHost != null && peerPort != 0) {
+ return context.newEngine(alloc, peerHost, peerPort);
} else {
return context.newEngine(alloc);
}
diff --git
a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLServerTest.java
b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLServerTest.java
index f7fcca8..78502ec 100644
---
a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLServerTest.java
+++
b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLServerTest.java
@@ -74,34 +74,7 @@ public class CoreClientOverTwoWayOpenSSLServerTest extends
ActiveMQTestBase {
public static final SimpleString QUEUE = new SimpleString("QueueOverSSL");
/**
- * These artifacts are required for testing 2-way SSL with open SSL - note
the EC key and ECDSA signature to comply with what OpenSSL offers
- *
- * Commands to create the JKS artifacts:
- * keytool -genkey -keystore openssl-client-side-keystore.jks -storepass
secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client,
OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
- * keytool -export -keystore openssl-client-side-keystore.jks -file
activemq-jks.cer -storepass secureexample
- * keytool -import -keystore openssl-server-side-truststore.jks -file
activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore openssl-server-side-keystore.jks -storepass
secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server,
OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
- * keytool -export -keystore openssl-server-side-keystore.jks -file
activemq-jks.cer -storepass secureexample
- * keytool -import -keystore openssl-client-side-truststore.jks -file
activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore verified-openssl-client-side-keystore.jks
-storepass secureexample -keypass secureexample -dname "CN=localhost,
OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
- * keytool -export -keystore verified-openssl-client-side-keystore.jks
-file activemq-jks.cer -storepass secureexample
- * keytool -import -keystore verified-openssl-server-side-truststore.jks
-file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * Commands to create the JCEKS artifacts:
- * keytool -genkey -keystore openssl-client-side-keystore.jceks -storetype
JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ
Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC
-sigalg SHA256withECDSA
- * keytool -export -keystore openssl-client-side-keystore.jceks -file
activemq-jceks.cer -storetype jceks -storepass secureexample
- * keytool -import -keystore openssl-server-side-truststore.jceks
-storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass
secureexample -noprompt
- *
- * keytool -genkey -keystore openssl-server-side-keystore.jceks -storetype
JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ
Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC
-sigalg SHA256withECDSA
- * keytool -export -keystore openssl-server-side-keystore.jceks -file
activemq-jceks.cer -storetype jceks -storepass secureexample
- * keytool -import -keystore openssl-client-side-truststore.jceks
-storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass
secureexample -noprompt
- *
- * keytool -genkey -keystore verified-openssl-client-side-keystore.jceks
-storetype JCEKS -storepass secureexample -keypass secureexample -dname
"CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg
SHA256withECDSA
- * keytool -export -keystore verified-openssl-client-side-keystore.jceks
-file activemq-jceks.cer -storetype jceks -storepass secureexample
- * keytool -import -keystore verified-openssl-server-side-truststore.jceks
-storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass
secureexample -noprompt
- *
+ * See {@link CoreClientOverTwoWayOpenSSLTest} for details about the SSL
artifacts needed for this test.
*/
private String storeType;
diff --git
a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLTest.java
b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLTest.java
index e557dac..cdb8d03 100644
---
a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLTest.java
+++
b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWayOpenSSLTest.java
@@ -85,7 +85,7 @@ public class CoreClientOverTwoWayOpenSSLTest extends
ActiveMQTestBase {
* keytool -export -keystore openssl-server-side-keystore.jks -file
activemq-jks.cer -storepass secureexample
* keytool -import -keystore openssl-client-side-truststore.jks -file
activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
*
- * keytool -genkey -keystore verified-openssl-client-side-keystore.jks
-storepass secureexample -keypass secureexample -dname "CN=localhost,
OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
+ * keytool -genkey -keystore verified-openssl-client-side-keystore.jks
-storepass secureexample -keypass secureexample -dname "CN=localhost,
OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
-ext san=ip:127.0.0.1
* keytool -export -keystore verified-openssl-client-side-keystore.jks
-file activemq-jks.cer -storepass secureexample
* keytool -import -keystore verified-openssl-server-side-truststore.jks
-file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
*
@@ -98,7 +98,7 @@ public class CoreClientOverTwoWayOpenSSLTest extends
ActiveMQTestBase {
* keytool -export -keystore openssl-server-side-keystore.jceks -file
activemq-jceks.cer -storetype jceks -storepass secureexample
* keytool -import -keystore openssl-client-side-truststore.jceks
-storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass
secureexample -noprompt
*
- * keytool -genkey -keystore verified-openssl-client-side-keystore.jceks
-storetype JCEKS -storepass secureexample -keypass secureexample -dname
"CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg
SHA256withECDSA
+ * keytool -genkey -keystore verified-openssl-client-side-keystore.jceks
-storetype JCEKS -storepass secureexample -keypass secureexample -dname
"CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg
SHA256withECDSA -ext san=ip:127.0.0.1
* keytool -export -keystore verified-openssl-client-side-keystore.jceks
-file activemq-jceks.cer -storetype jceks -storepass secureexample
* keytool -import -keystore verified-openssl-server-side-truststore.jceks
-storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass
secureexample -noprompt
*
diff --git
a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java
b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java
index adf6951..b195f14 100644
---
a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java
+++
b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java
@@ -85,7 +85,7 @@ public class CoreClientOverTwoWaySSLTest extends
ActiveMQTestBase {
* keytool -export -keystore client-side-keystore.jks -file
activemq-jks.cer -storepass secureexample
* keytool -import -keystore server-side-truststore.jks -file
activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
*
- * keytool -genkey -keystore verified-client-side-keystore.jks -storepass
secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis,
O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
+ * keytool -genkey -keystore verified-client-side-keystore.jks -storepass
secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client,
OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA -ext san=ip:127.0.0.1
* keytool -export -keystore verified-client-side-keystore.jks -file
activemq-jks.cer -storepass secureexample
* keytool -import -keystore verified-server-side-truststore.jks -file
activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
*
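Review bot: The documented `keytool -genkey` command for `verified-client-side-keystore.jks` now uses `CN=ActiveMQ Artemis Client`, while the JCEKS and PKCS12 variants in the next two hunks keep `CN=localhost`; all three add `-ext san=ip:127.0.0.1`. If this is deliberate, because the SAN alone is what IP-based endpoint identification matches, the inconsistency should be explained in a sentence of the Javadoc; otherwise it reads as a copy/paste slip and the CN should be aligned across the three store types. Which CN the regenerated binary keystore actually carries cannot be told from the diff, so the comment should be checked against the shipped file.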
@@ -94,7 +94,7 @@ public class CoreClientOverTwoWaySSLTest extends
ActiveMQTestBase {
* keytool -export -keystore client-side-keystore.jceks -file
activemq-jceks.cer -storetype jceks -storepass secureexample
* keytool -import -keystore server-side-truststore.jceks -storetype JCEKS
-file activemq-jceks.cer -storepass secureexample -keypass secureexample
-noprompt
*
- * keytool -genkey -keystore verified-client-side-keystore.jceks -storetype
JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost,
OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
+ * keytool -genkey -keystore verified-client-side-keystore.jceks -storetype
JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost,
OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA -ext san=ip:127.0.0.1
* keytool -export -keystore verified-client-side-keystore.jceks -file
activemq-jceks.cer -storetype jceks -storepass secureexample
* keytool -import -keystore verified-server-side-truststore.jceks
-storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass
secureexample -noprompt
*
@@ -103,7 +103,7 @@ public class CoreClientOverTwoWaySSLTest extends
ActiveMQTestBase {
* keytool -export -keystore client-side-keystore.p12 -file
activemq-p12.cer -storetype PKCS12 -storepass secureexample
* keytool -import -keystore server-side-truststore.p12 -storetype PKCS12
-file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt
*
- * keytool -genkey -keystore verified-client-side-keystore.p12 -storetype
PKCS12 -storepass secureexample -keypass secureexample -dname "CN=localhost,
OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
+ * keytool -genkey -keystore verified-client-side-keystore.p12 -storetype
PKCS12 -storepass secureexample -keypass secureexample -dname "CN=localhost,
OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA -ext san=ip:127.0.0.1
* keytool -export -keystore verified-client-side-keystore.p12 -file
activemq-p12.cer -storetype PKCS12 -storepass secureexample
* keytool -import -keystore verified-server-side-truststore.p12 -storetype
PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample
-noprompt
*/
diff --git
a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jceks
b/tests/unit-tests/src/test/resources/verified-client-side-keystore.jceks
index 250832b..b8dad47 100644
Binary files
a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jceks and
b/tests/unit-tests/src/test/resources/verified-client-side-keystore.jceks differ
diff --git
a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jks
b/tests/unit-tests/src/test/resources/verified-client-side-keystore.jks
index 88e7e40..e9980c3 100644
Binary files
a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jks and
b/tests/unit-tests/src/test/resources/verified-client-side-keystore.jks differ
diff --git
a/tests/unit-tests/src/test/resources/verified-client-side-keystore.p12
b/tests/unit-tests/src/test/resources/verified-client-side-keystore.p12
index 3cee34a..2ece21e 100644
Binary files
a/tests/unit-tests/src/test/resources/verified-client-side-keystore.p12 and
b/tests/unit-tests/src/test/resources/verified-client-side-keystore.p12 differ
diff --git
a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jceks
b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jceks
index fc8c4cc..d2f4128 100644
Binary files
a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jceks
and
b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jceks
differ
diff --git
a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jks
b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jks
index d60a9e7..5c25213 100644
Binary files
a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jks
and
b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jks
differ
diff --git
a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jceks
b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jceks
index c91e3f2..d1b2122 100644
Binary files
a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jceks
and
b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jceks
differ
diff --git
a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jks
b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jks
index 22fda4b..6be63f5 100644
Binary files
a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jks
and
b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jks
differ
diff --git
a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jceks
b/tests/unit-tests/src/test/resources/verified-server-side-truststore.jceks
index e2bd4b3..54fbaa7 100644
Binary files
a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jceks and
b/tests/unit-tests/src/test/resources/verified-server-side-truststore.jceks
differ
diff --git
a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jks
b/tests/unit-tests/src/test/resources/verified-server-side-truststore.jks
index 8d2288a..ec96e7b 100644
Binary files
a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jks and
b/tests/unit-tests/src/test/resources/verified-server-side-truststore.jks differ
diff --git
a/tests/unit-tests/src/test/resources/verified-server-side-truststore.p12
b/tests/unit-tests/src/test/resources/verified-server-side-truststore.p12
index 619adb2..5da5615 100644
Binary files
a/tests/unit-tests/src/test/resources/verified-server-side-truststore.p12 and
b/tests/unit-tests/src/test/resources/verified-server-side-truststore.p12 differ