Author: gsim
Date: Tue Jun 24 16:15:34 2014
New Revision: 1605127
URL: http://svn.apache.org/r1605127
Log:
QPID-5841: allow SSL hostname verification failure to be ignored (with NSS)
Modified:
qpid/trunk/qpid/cpp/src/qpid/client/ConnectionSettings.cpp
qpid/trunk/qpid/cpp/src/qpid/client/ConnectionSettings.h
qpid/trunk/qpid/cpp/src/qpid/client/SslConnector.cpp
qpid/trunk/qpid/cpp/src/qpid/client/amqp0_10/ConnectionImpl.cpp
qpid/trunk/qpid/cpp/src/qpid/messaging/ConnectionOptions.cpp
qpid/trunk/qpid/cpp/src/qpid/messaging/amqp/SslTransport.cpp
qpid/trunk/qpid/cpp/src/qpid/sys/ssl/SslSocket.cpp
qpid/trunk/qpid/cpp/src/qpid/sys/ssl/SslSocket.h
Modified: qpid/trunk/qpid/cpp/src/qpid/client/ConnectionSettings.cpp
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/client/ConnectionSettings.cpp?rev=1605127&r1=1605126&r2=1605127&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/client/ConnectionSettings.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/client/ConnectionSettings.cpp Tue Jun 24
16:15:34 2014
@@ -41,7 +41,8 @@ ConnectionSettings::ConnectionSettings()
service(qpid::saslName),
minSsf(0),
maxSsf(256),
- sslCertName("")
+ sslCertName(""),
+ sslIgnoreHostnameVerificationFailure(false)
{}
ConnectionSettings::~ConnectionSettings() {}
Modified: qpid/trunk/qpid/cpp/src/qpid/client/ConnectionSettings.h
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/client/ConnectionSettings.h?rev=1605127&r1=1605126&r2=1605127&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/client/ConnectionSettings.h (original)
+++ qpid/trunk/qpid/cpp/src/qpid/client/ConnectionSettings.h Tue Jun 24
16:15:34 2014
@@ -133,6 +133,11 @@ struct QPID_CLIENT_CLASS_EXTERN Connecti
* Passed as client-propreties on opening the connecction.
*/
framing::FieldTable clientProperties;
+
+ /**
+ * If using SSL, connect regardless of hostname verification failure.
+ */
+ bool sslIgnoreHostnameVerificationFailure;
};
}} // namespace qpid::client
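Review bot: The doc comment on the new `sslIgnoreHostnameVerificationFailure` field does not say what check is being weakened. Reading the SslSocket.cpp hunks, enabling it makes the client accept a server certificate whose subject does not match the connected host while other certificate errors still fail the handshake, and the commit log says the override is implemented for the NSS build. Suggest `* If using SSL, connect even when the server certificate does not match the hostname (other certificate checks still apply). Honoured by the NSS-based SslSocket.` in place of the added sentence.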
Modified: qpid/trunk/qpid/cpp/src/qpid/client/SslConnector.cpp
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/client/SslConnector.cpp?rev=1605127&r1=1605126&r2=1605127&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/client/SslConnector.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/client/SslConnector.cpp Tue Jun 24 16:15:34
2014
@@ -183,6 +183,9 @@ SslConnector::SslConnector(Poller::share
QPID_LOG(debug, "ssl-cert-name = " << settings.sslCertName);
socket.setCertName(settings.sslCertName);
}
+ if (settings.sslIgnoreHostnameVerificationFailure) {
+ socket.ignoreHostnameVerificationFailure();
+ }
}
SslConnector::~SslConnector() {
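Review bot: The branch `if (settings.sslIgnoreHostnameVerificationFailure)` applies the override silently, unlike the `ssl-cert-name` branch just above it which logs its value, so a connection running with hostname checking disabled leaves no trace in the connector log until a mismatch actually occurs. Suggest `QPID_LOG(warning, "ssl hostname verification failures will be ignored");` inside the branch before the `socket.ignoreHostnameVerificationFailure()` call. The equivalent branch in the SslTransport.cpp hunk has the same gap. SslConnector's constructor starts outside the hunk.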
Modified: qpid/trunk/qpid/cpp/src/qpid/client/amqp0_10/ConnectionImpl.cpp
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/client/amqp0_10/ConnectionImpl.cpp?rev=1605127&r1=1605126&r2=1605127&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/client/amqp0_10/ConnectionImpl.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/client/amqp0_10/ConnectionImpl.cpp Tue Jun 24
16:15:34 2014
@@ -155,6 +155,8 @@ void ConnectionImpl::setOption(const std
settings.protocol = value.asString();
} else if (name == "ssl-cert-name" || name == "ssl_cert_name") {
settings.sslCertName = value.asString();
+ } else if (name == "ssl-ignore-hostname-verification-failure" || name ==
"ssl_ignore_hostname_verification_failure") {
+ settings.sslIgnoreHostnameVerificationFailure = value;
} else if (name == "x-reconnect-on-limit-exceeded" || name ==
"x_reconnect_on_limit_exceeded") {
reconnectOnLimitExceeded = value;
} else if (name == "client-properties" || name == "client_properties") {
Modified: qpid/trunk/qpid/cpp/src/qpid/messaging/ConnectionOptions.cpp
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/messaging/ConnectionOptions.cpp?rev=1605127&r1=1605126&r2=1605127&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/messaging/ConnectionOptions.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/messaging/ConnectionOptions.cpp Tue Jun 24
16:15:34 2014
@@ -111,6 +111,8 @@ void ConnectionOptions::set(const std::s
protocol = value.asString();
} else if (name == "ssl-cert-name" || name == "ssl_cert_name") {
sslCertName = value.asString();
+ } else if (name == "ssl-ignore-hostname-verification-failure" || name ==
"ssl_ignore_hostname_verification_failure") {
+ sslIgnoreHostnameVerificationFailure = value;
} else if (name == "x-reconnect-on-limit-exceeded" || name ==
"x_reconnect_on_limit_exceeded") {
reconnectOnLimitExceeded = value;
} else if (name == "container-id" || name == "container_id") {
Modified: qpid/trunk/qpid/cpp/src/qpid/messaging/amqp/SslTransport.cpp
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/messaging/amqp/SslTransport.cpp?rev=1605127&r1=1605126&r2=1605127&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/messaging/amqp/SslTransport.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/messaging/amqp/SslTransport.cpp Tue Jun 24
16:15:34 2014
@@ -60,6 +60,9 @@ SslTransport::SslTransport(TransportCont
QPID_LOG(debug, "ssl-cert-name = " << options->sslCertName);
socket.setCertName(options->sslCertName);
}
+ if (options->sslIgnoreHostnameVerificationFailure) {
+ socket.ignoreHostnameVerificationFailure();
+ }
}
void SslTransport::connect(const std::string& host, const std::string& port)
Modified: qpid/trunk/qpid/cpp/src/qpid/sys/ssl/SslSocket.cpp
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/sys/ssl/SslSocket.cpp?rev=1605127&r1=1605126&r2=1605127&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/sys/ssl/SslSocket.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/sys/ssl/SslSocket.cpp Tue Jun 24 16:15:34 2014
@@ -45,6 +45,7 @@
#include <pk11pub.h>
#include <ssl.h>
#include <key.h>
+#include <sslerr.h>
#include <boost/format.hpp>
@@ -83,7 +84,7 @@ std::string getDomainFromSubject(std::st
}
SslSocket::SslSocket(const std::string& certName, bool clientAuth) :
- nssSocket(0), certname(certName), prototype(0)
+ nssSocket(0), certname(certName), prototype(0), hostnameVerification(true)
{
//configure prototype socket:
prototype = SSL_ImportFD(0, PR_NewTCPSocket());
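Review bot: `hostnameVerification(true)` is added only to this constructor's initializer list; the second constructor `SslSocket(int fd, PRFileDesc* model)`, visible as context in the next hunk header and in the SslSocket.h hunk, is not shown being updated, so its `hostnameVerification` member appears to be left uninitialized unless that happens outside the diff. The member is a plain `bool` in the header with no default, so suggest adding `hostnameVerification(true)` to that constructor's initializer list as well. The constructor body continues outside the hunk.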
@@ -105,6 +106,11 @@ SslSocket::SslSocket(int fd, PRFileDesc*
NSS_CHECK(SSL_ResetHandshake(nssSocket, PR_TRUE));
}
+void SslSocket::ignoreHostnameVerificationFailure()
+{
+ hostnameVerification = false;
+}
+
void SslSocket::setNonblocking() const
{
if (!nssSocket) {
@@ -134,6 +140,18 @@ void SslSocket::connect(const SocketAddr
BSDSocket::connect(addr);
}
+namespace {
+SECStatus bad_certificate(void* arg, PRFileDesc* /*fd*/) {
+ switch (PR_GetError()) {
+ case SSL_ERROR_BAD_CERT_DOMAIN:
+ QPID_LOG(info, "Ignoring hostname verification failure for " << (const
char*) arg);
+ return SECSuccess;
+ default:
+ return SECFailure;
+ }
+}
+}
+
void SslSocket::finishConnect(const SocketAddress& addr) const
{
nssSocket = SSL_ImportFD(0, PR_ImportTCPSocket(fd));
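Review bot: `(const char*) arg` in the QPID_LOG line is a C-style cast; `static_cast<const char*>(arg)` expresses the same intent and is greppable. The callback tolerates only `SSL_ERROR_BAD_CERT_DOMAIN` and returns `SECFailure` for everything else, which is the right scope for this option, but nothing in the code says so; suggest a comment above the `switch`: `// Only a hostname/subject mismatch is tolerated; chain, expiry and other certificate errors still fail the handshake.` Logging the bypass at `info` may be too quiet for a certificate check being overridden, so `warning` is worth considering.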
@@ -150,6 +168,9 @@ void SslSocket::finishConnect(const Sock
NSS_CHECK(SSL_GetClientAuthDataHook(nssSocket, NSS_GetClientAuthData,
arg));
url = addr.getHost();
+ if (!hostnameVerification) {
+ NSS_CHECK(SSL_BadCertHook(nssSocket, bad_certificate,
const_cast<char*>(url.data())));
+ }
NSS_CHECK(SSL_SetURL(nssSocket, url.data()));
NSS_CHECK(SSL_ResetHandshake(nssSocket, PR_FALSE));
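Review bot: `const_cast<char*>(url.data())` hands NSS a pointer into the `url` member's buffer that the callback later reads as a C string, so it stays valid only while `url` is neither reassigned nor resized for the life of the socket; that holds for the assignment on the preceding line, but it deserves a comment such as `// hook arg points into this->url; url must stay unchanged while connected.` Also, `std::string::data()` is not guaranteed NUL-terminated before C++11 whereas `c_str()` is, and the callback prints the pointer with `<<`. finishConnect's body continues outside the hunk.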
Modified: qpid/trunk/qpid/cpp/src/qpid/sys/ssl/SslSocket.h
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/sys/ssl/SslSocket.h?rev=1605127&r1=1605126&r2=1605127&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/sys/ssl/SslSocket.h (original)
+++ qpid/trunk/qpid/cpp/src/qpid/sys/ssl/SslSocket.h Tue Jun 24 16:15:34 2014
@@ -45,6 +45,9 @@ public:
*/
SslSocket(const std::string& certName = "", bool clientAuth = false);
+ /** Proceed with connect inspite of hostname verifcation failures*/
+ void ignoreHostnameVerificationFailure();
+
/** Set socket non blocking */
void setNonblocking() const;
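Review bot: The added doc comment `/** Proceed with connect inspite of hostname verifcation failures*/` has two spelling errors and no space before the closing marker, and does not say which check is relaxed. Suggest `/** Proceed with connect in spite of hostname verification failures: the server certificate's subject need not match the host, other certificate checks still apply. */`.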
@@ -92,6 +95,7 @@ protected:
* in accept to pass through to newly created socket instances.
*/
mutable PRFileDesc* prototype;
+ bool hostnameVerification;
SslSocket(int fd, PRFileDesc* model);
friend class SslMuxSocket; // Needed for this constructor