This is an automated email from the ASF dual-hosted git repository. michaelpearce pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/activemq-nms-openwire.git
commit 44bf1fd0f617846f8e718c1f4782c47311324aa0
Author: Bruce Dodson <[email protected]>
AuthorDate: Thu Jun 16 12:09:36 2022 -0700
AMQNET-768 Update negotiation and validation of SSL protocol
AMQNET-768 Update negotiation and validation of SSL protocol
* Change SslContext default constructor to defer to OS in lieu of defaulting to TLS 1.0, using value "None"
* Change GetAllowedProtocol to return None when SslProtocol value is invalid / empty / null
* Validate SslProtocol and fail fast where it can be assigned from externally in SslTransport and SslTransportFactory
---
 src/Transport/Tcp/SslContext.cs | 2 +-
 src/Transport/Tcp/SslTransport.cs | 26 ++++++++++++++++++--------
 src/Transport/Tcp/SslTransportFactory.cs | 19 +++++++++++++++++--
 3 files changed, 36 insertions(+), 11 deletions(-)
diff --git a/src/Transport/Tcp/SslContext.cs b/src/Transport/Tcp/SslContext.cs
index d35e0e2..db5b723 100644
--- a/src/Transport/Tcp/SslContext.cs
+++ b/src/Transport/Tcp/SslContext.cs
@@ -6,7 +6,7 @@ namespace Apache.NMS.ActiveMQ.Transport.Tcp
 {
 private String sslProtocol;
- public SslContext() : this("Tls")
+ public SslContext() : this("None")
 {
 }
diff --git a/src/Transport/Tcp/SslTransport.cs b/src/Transport/Tcp/SslTransport.cs
index 17f2e06..a7316a0 100644
--- a/src/Transport/Tcp/SslTransport.cs
+++ b/src/Transport/Tcp/SslTransport.cs
@@ -33,7 +33,7 @@ namespace Apache.NMS.ActiveMQ.Transport.Tcp
 private string brokerCertFilename;
 private string keyStoreName;
 private string keyStoreLocation;
- private string sslProtocol;
+ internal string sslProtocol;
 private bool acceptInvalidBrokerCert = false;
 private SslStream sslStream;
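Review bot: The new default `"None"` in SslContext's parameterless constructor is a magic string that GetAllowedProtocol later resolves with `Enum.TryParse<SslProtocols>`, and a typo here would not be noticed because a failed parse also yields `SslProtocols.None`; `nameof(SslProtocols.None)` ties the default to the enum member, provided `System.Security.Authentication` is in scope in this file, which the hunk does not show. A one-line comment would record the intent, e.g. `// "None" lets the OS negotiate the protocol version instead of pinning TLS 1.0`. As far as I recall, SslStream on .NET Framework versions before 4.7 rejects `SslProtocols.None` with an ArgumentException, so the new default is worth checking against every target framework this project builds for.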
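Review bot: Widening `sslProtocol` from `private` to `internal` so that SslTransportFactory can write it directly (the `transport.sslProtocol = this.sslProtocol; // bypass revalidation` line in the @@ -115 hunk) opens an unvalidated path into the field for any code in the assembly, and GetAllowedProtocol turns an unparsable string into `SslProtocols.None` silently rather than failing fast as the commit message intends. Re-running the property setter costs a single `Enum.TryParse`, so keeping the field `private` and writing `transport.SslProtocol = this.sslProtocol;` in the factory preserves the one validation point at no real cost. If the direct write is kept, an `internal` method such as `SetValidatedSslProtocol(string value)` with a comment stating that the caller has already validated the value would at least name the contract instead of exposing the bare field.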
@@ -121,7 +121,21 @@ namespace Apache.NMS.ActiveMQ.Transport.Tcp
 public string SslProtocol
 {
 get { return this.sslProtocol; }
- set { this.sslProtocol = value; }
+ set
+ {
+ if (String.IsNullOrEmpty(value))
+ {
+ this.sslProtocol = null;
+ }
+ else if (Enum.TryParse<SslProtocols>(value, true, out var _))
+ {
+ this.sslProtocol = value;
+ }
+ else
+ {
+ throw new ArgumentException($"Requested value '{value}' was not found in {nameof(SslProtocols)}.");
+ }
+ }
 }
 protected override Stream CreateSocketStream()
@@ -325,12 +339,8 @@ namespace Apache.NMS.ActiveMQ.Transport.Tcp
 private SslProtocols GetAllowedProtocol()
 {
- if (!String.IsNullOrEmpty(SslProtocol))
- {
- return (SslProtocols)Enum.Parse(typeof(SslProtocols), SslProtocol, true);
- }
-
- return SslProtocols.Default;
+ Enum.TryParse<SslProtocols>(sslProtocol, true, out var parsedOrNone);
+ return parsedOrNone;
 }
 }
 }
diff --git a/src/Transport/Tcp/SslTransportFactory.cs b/src/Transport/Tcp/SslTransportFactory.cs
index 2fdb7a1..91a86c2 100644
--- a/src/Transport/Tcp/SslTransportFactory.cs
+++ b/src/Transport/Tcp/SslTransportFactory.cs
@@ -18,6 +18,7 @@
 using System;
 using System.Web;
 using System.Net.Sockets;
+using System.Security.Authentication;
 namespace Apache.NMS.ActiveMQ.Transport.Tcp
 {
@@ -89,7 +90,21 @@ namespace Apache.NMS.ActiveMQ.Transport.Tcp
 public string SslProtocol
 {
 get { return this.sslProtocol; }
- set { this.sslProtocol = value; }
+ set
+ {
+ if (String.IsNullOrEmpty(value))
+ {
+ this.sslProtocol = null;
+ }
+ else if (Enum.TryParse<SslProtocols>(value, true, out var _))
+ {
+ this.sslProtocol = value;
+ }
+ else
+ {
+ throw new ArgumentException($"Requested value '{value}' was not found in {nameof(SslProtocols)}.");
+ }
+ }
 }
 protected override ITransport DoCreateTransport(Uri location, Socket socket, IWireFormat wireFormat )
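Review bot: `Enum.TryParse<SslProtocols>(value, true, out var _)` in the new setter also accepts any integral string such as `"1"` or `"-5"`, which names no defined member, so for those inputs the setter does not fail fast and the bad value only surfaces later when the SslStream is authenticated; SslTransportFactory's new setter (@@ -89) has the same gap. Since every SslProtocols member name begins with a letter, requiring `char.IsLetter(value.Trim()[0])` after confirming `value.Trim()` is non-empty, before the TryParse, closes it while still allowing comma-separated combinations like `"Tls12, Tls13"` (`Enum.IsDefined` would reject those, so it is not a substitute). The two setters are byte-identical; a shared `internal static` helper that both call would keep the validation rule in one place.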
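Review bot: In GetAllowedProtocol the Boolean result of `Enum.TryParse` is discarded with nothing on the line saying that a failed or null parse leaves `parsedOrNone` at `default(SslProtocols)`, which is `SslProtocols.None` (0), i.e. the OS-default behaviour the commit message describes; a reader will take the silent discard for an oversight. A comment such as `// null or unparsable -> default(SslProtocols) == None: let the OS negotiate` would document it. Because `sslProtocol` is now `internal`, this fallback also applies to any value written around the validating setter, so a string that reaches the field unvalidated degrades silently to the OS default rather than being reported.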
@@ -115,7 +130,7 @@ namespace Apache.NMS.ActiveMQ.Transport.Tcp
 transport.KeyStoreLocation = this.keyStoreLocation;
 transport.KeyStoreName = this.keyStoreName;
 transport.AcceptInvalidBrokerCert = this.acceptInvalidBrokerCert;
- transport.SslProtocol = this.sslProtocol;
+ transport.sslProtocol = this.sslProtocol; // bypass revalidation
 return transport;
 }
