VYSPER-344: s2s connector: make certificate checking pluggable
Project: http://git-wip-us.apache.org/repos/asf/mina-vysper/repo
Commit: http://git-wip-us.apache.org/repos/asf/mina-vysper/commit/6bdfe524
Tree: http://git-wip-us.apache.org/repos/asf/mina-vysper/tree/6bdfe524
Diff: http://git-wip-us.apache.org/repos/asf/mina-vysper/diff/6bdfe524
Branch: refs/heads/master
Commit: 6bdfe524ca609e40df322465abe287f518ad7190
Parents: 8852fb3
Author: Bernd Fondermann <[email protected]>
Authored: Mon Jul 1 14:02:33 2013 +0200
Committer: Bernd Fondermann <[email protected]>
Committed: Mon Jul 1 14:02:33 2013 +0200
----------------------------------------------------------------------
 .../vysper/spring/SpringCompatibleXMPPServer.java | 6 ++++++
 .../apache/vysper/xmpp/server/ServerFeatures.java | 15 +++++++++++++++
 .../org/apache/vysper/xmpp/server/XMPPServer.java | 16 +++++++++++-----
 3 files changed, 32 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mina-vysper/blob/6bdfe524/server/core/src/main/java/org/apache/vysper/spring/SpringCompatibleXMPPServer.java
----------------------------------------------------------------------
diff --git a/server/core/src/main/java/org/apache/vysper/spring/SpringCompatibleXMPPServer.java b/server/core/src/main/java/org/apache/vysper/spring/SpringCompatibleXMPPServer.java
index e3aba16..a05ed1e 100644
--- a/server/core/src/main/java/org/apache/vysper/spring/SpringCompatibleXMPPServer.java
+++ b/server/core/src/main/java/org/apache/vysper/spring/SpringCompatibleXMPPServer.java
@@ -44,6 +44,7 @@ public class SpringCompatibleXMPPServer extends XMPPServer {
 protected String certificatePassword = null;
 protected boolean enableFederationFeature = false;
+ protected boolean disableFederationServerCertificateChecks = false;
 public SpringCompatibleXMPPServer(String domain) {
 super(domain);
@@ -71,10 +72,15 @@ public class SpringCompatibleXMPPServer extends XMPPServer {
 this.enableFederationFeature = enableFederationFeature;
 }
+ public void setDisableFederationServerCertificateChecks(boolean disable) {
+ this.disableFederationServerCertificateChecks = disable;
+ }
+
 @Override
 protected ServerFeatures createServerFeatures() {
 final ServerFeatures serverFeatures = super.createServerFeatures();
 serverFeatures.setRelayingToFederationServers(enableFederationFeature);
+ serverFeatures.setCheckFederationServerCertificates(!disableFederationServerCertificateChecks);
 return serverFeatures;
 }
http://git-wip-us.apache.org/repos/asf/mina-vysper/blob/6bdfe524/server/core/src/main/java/org/apache/vysper/xmpp/server/ServerFeatures.java
----------------------------------------------------------------------
diff --git a/server/core/src/main/java/org/apache/vysper/xmpp/server/ServerFeatures.java b/server/core/src/main/java/org/apache/vysper/xmpp/server/ServerFeatures.java
index d6b0eba..83f9150 100644
--- a/server/core/src/main/java/org/apache/vysper/xmpp/server/ServerFeatures.java
+++ b/server/core/src/main/java/org/apache/vysper/xmpp/server/ServerFeatures.java
@@ -52,6 +52,13 @@ public class ServerFeatures {
 private boolean relayToFederationServers = false;
 /**
+ * flag saying if other server's certificates should be checked (chain-of-trust, validity etc.)
+ * if this flag is set to false, a secure connection is established, but the other end of the
+ * connection might be any server.
+ */
+ private boolean checkFederationServerCertificates = true;
+
+ /**
 * counter, how many times a session can try authentication before session is terminated
 */
 private int authenticationRetries = 3;
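Review bot: `setDisableFederationServerCertificateChecks` is a public configuration hook that switches off authentication of federated peers, yet it carries no Javadoc, and the same applies to `isCheckingFederationServerCertificates`/`setCheckFederationServerCertificates` in the `@@ -114,6 +121,14 @@` hunk of ServerFeatures, where the explanation lives only on the private field and so never reaches the public API docs. A Javadoc on each setter along the lines of `/** When {@code true}, certificates presented by federated servers are not validated (chain-of-trust, validity): the s2s connection is encrypted but the peer is unauthenticated. Default: {@code false}. */` would put that consequence where Spring configurers and API callers actually see it. The double negative of `setDisableFederationServerCertificateChecks(boolean disable)` feeding `setCheckFederationServerCertificates(!disableFederationServerCertificateChecks)` is easy to misread; if the Spring property name must stay, the Javadoc should spell out the mapping explicitly.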
@@ -114,6 +121,14 @@ public class ServerFeatures {
 this.relayToFederationServers = relayToFederationServers;
 }
+ public boolean isCheckingFederationServerCertificates() {
+ return checkFederationServerCertificates;
+ }
+
+ public void setCheckFederationServerCertificates(boolean checkFederationServerCertificates) {
+ this.checkFederationServerCertificates = checkFederationServerCertificates;
+ }
+
 public boolean isDeliveringMessageToHighestPriorityResourcesOnly() {
 return deliverMessageToHighestPriorityResourcesOnly;
 }
http://git-wip-us.apache.org/repos/asf/mina-vysper/blob/6bdfe524/server/core/src/main/java/org/apache/vysper/xmpp/server/XMPPServer.java
----------------------------------------------------------------------
diff --git a/server/core/src/main/java/org/apache/vysper/xmpp/server/XMPPServer.java b/server/core/src/main/java/org/apache/vysper/xmpp/server/XMPPServer.java
index bb1b13d..72e25e6 100644
--- a/server/core/src/main/java/org/apache/vysper/xmpp/server/XMPPServer.java
+++ b/server/core/src/main/java/org/apache/vysper/xmpp/server/XMPPServer.java
@@ -35,6 +35,7 @@ import org.apache.vysper.xmpp.authentication.Plain;
 import org.apache.vysper.xmpp.authentication.SASLMechanism;
 import org.apache.vysper.xmpp.cryptography.NonCheckingX509TrustManagerFactory;
 import org.apache.vysper.xmpp.cryptography.InputStreamBasedTLSContextFactory;
+import org.apache.vysper.xmpp.cryptography.TrustManagerFactory;
 import org.apache.vysper.xmpp.delivery.OfflineStanzaReceiver;
 import org.apache.vysper.xmpp.delivery.StanzaRelayBroker;
 import org.apache.vysper.xmpp.delivery.inbound.DeliveringExternalInboundStanzaRelay;
@@ -134,13 +135,21 @@ public class XMPPServer {
 public void start() throws Exception {
- NonCheckingX509TrustManagerFactory bogusTrustManagerFactory = new NonCheckingX509TrustManagerFactory();
+ ServerFeatures serverFeatures = createServerFeatures();
+ serverFeatures.setAuthenticationMethods(saslMechanisms);
+
+ TrustManagerFactory trustManagerFactory = null; // default, check certificates strictly
+ if (!serverFeatures.isCheckingFederationServerCertificates()) {
+ // switch to accepting *any* certificate
+ trustManagerFactory = new NonCheckingX509TrustManagerFactory();
+ }
+
 if (StringUtils.isNotEmpty(tlsCertificatePassword) && tlsCertificate == null) {
 throw new IllegalStateException("no TLS certificate loaded for the configured password");
 }
 InputStreamBasedTLSContextFactory tlsContextFactory = new InputStreamBasedTLSContextFactory(tlsCertificate);
 tlsContextFactory.setPassword(tlsCertificatePassword);
- tlsContextFactory.setTrustManagerFactory(bogusTrustManagerFactory);
+ tlsContextFactory.setTrustManagerFactory(trustManagerFactory);
 if(tlsKeyStoreType != null) {
 tlsContextFactory.setKeyStoreType(tlsKeyStoreType);
 }
@@ -166,9 +175,6 @@ public class XMPPServer {
 stanzaRelayBroker.setInternalRelay(internalStanzaRelay);
 stanzaRelayBroker.setExternalRelay(externalStanzaRelay);
- ServerFeatures serverFeatures = createServerFeatures();
- serverFeatures.setAuthenticationMethods(saslMechanisms);
-
 serverRuntimeContext = new DefaultServerRuntimeContext(serverEntity, stanzaRelayBroker, serverFeatures, dictionaries, resourceRegistry);
 serverRuntimeContext.setStorageProviderRegistry(storageProviderRegistry);
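Review bot: The branch that installs `NonCheckingX509TrustManagerFactory` when `isCheckingFederationServerCertificates()` is false does so silently, so nothing in the server's output tells an operator that federated TLS peers are no longer authenticated; a warning inside that branch such as `logger.warn("federation server certificate checks are disabled, any peer certificate will be accepted");` (with `logger` standing for whatever logger this class already has, which is not visible in the hunk) makes that state discoverable in logs. The `null` default depends on `InputStreamBasedTLSContextFactory.setTrustManagerFactory(null)` meaning "use the platform default trust manager", a contract the hunk does not show; the comment on that line should say where it is guaranteed, e.g. `// null: InputStreamBasedTLSContextFactory falls back to the JDK default (chain-of-trust) trust manager`. The phrase "check certificates strictly" also overstates the default path a little: a JDK default X509TrustManager validates the chain and validity period but does not by itself confirm that the certificate belongs to the remote domain unless endpoint identification is configured elsewhere, which is worth noting next to it. The body of start() continues outside the hunk.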
