[ https://issues.apache.org/jira/browse/AMQ-3785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Timothy Bish updated AMQ-3785:
------------------------------

    Fix Version/s:     (was: 5.5.1)
                   5.x

Should provide unit tests and patch
                
> ActiveMQSslConnectionFactory does not detect ssl request in failover URIs when creating transports
> --------------------------------------------------------------------------------------------------
>
>                 Key: AMQ-3785
>                 URL: https://issues.apache.org/jira/browse/AMQ-3785
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Transport
>    Affects Versions: 5.5.0
>         Environment: Looks global from SVN source but I detected with JDK 1.6.0_31 on Redhat Linux client using AMQ 5.5.0
>            Reporter: Jack Fitch
>             Fix For: 5.x
>
>
> The createTransport method in ActiveMQSslConnectionFactory delegates to the super class if the URI scheme is not ssl. Failover URIs have 'failover' as the URI scheme and so always delegate to the superclass. This causes ssl connections that need key or trust stores manipulated by code to hang or fail as the credentials are not available.
> Code from SVN trunk for ActiveMQSslConnectionFactory shows why:
>  protected Transport createTransport() throws JMSException {
>         // If the given URI is non-ssl, let superclass handle it.
>         if (!brokerURL.getScheme().equals("ssl")) {
>             return super.createTransport();
>         }
>         // !! jackf comment: Code below never reached for failover URIs like
>         // failover:ssl:... or failover:(tcp:..., ssl...)
>         // because the URI Scheme is failover, not ssl.
>         // Therefore connections that need a keyManager or trustManager fail
>         try {
>             if (keyManager == null || trustManager == null) {
>                 trustManager = createTrustManager();
>                 keyManager = createKeyManager();
>                 // secureRandom can be left as null
>             }
>             SslTransportFactory sslFactory = new SslTransportFactory();
>             SslContext ctx = new SslContext(keyManager, trustManager, secureRandom);
>             SslContext.setCurrentSslContext(ctx);
>             return sslFactory.doConnect(brokerURL);
>         } catch (Exception e) {
>             throw JMSExceptionSupport.create("Could not create Transport. Reason: " + e, e);
>         }
>     }
>  
> (Vague) Solution:
> 1) Need better pattern match than URI scheme to detect requests for ssl connections.
> 2) A failover URI is essentially a list of URIs so multiple ssl transport requests may be in the failover list. A first start is to require that the same key and trust stores are used for all failover connections but you may want to consider allowing customized stores for each of the ssl connections.
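
The reporter's first point, a test that looks inside composite URIs instead of only at the top-level scheme, as an added example; this is not code from the issue or from the ActiveMQ project. It assumes the composite URI grammar ActiveMQ accepts, `scheme:(uri,uri,...)?params`, optionally with `//` after the scheme and with composites nested inside one another; the class name, the method names and the sample broker URLs are invented for the illustration. The naive check is kept beside the recursive one so the difference is visible on the failover forms from the report.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Scheme-aware check for "is an ssl transport involved anywhere in this broker URL". */
public final class SslUriDetector {

    // A leading "scheme:" as in RFC 3986: a letter, then letters, digits, '+', '.' or '-'.
    private static final Pattern SCHEME_PREFIX = Pattern.compile("^[A-Za-z][A-Za-z0-9+.-]*:");

    private SslUriDetector() {}

    /** The naive test from the report: only the outermost scheme is inspected. */
    public static boolean topLevelSchemeIsSsl(String uri) {
        return "ssl".equals(scheme(uri));
    }

    /** True if this URI, or any URI nested inside a composite such as failover:(...), uses ssl. */
    public static boolean containsSslTransport(String uri) {
        String s = uri.trim();
        String scheme = scheme(s);
        if (scheme == null) {
            return false;
        }
        String rest = s.substring(scheme.length() + 1);
        boolean authorityForm = rest.startsWith("//");
        if (authorityForm) {
            rest = rest.substring(2);
        }
        if (rest.startsWith("(")) {
            // failover:(a,b,...) or failover://(a,b,...): check every component
            for (String component : splitComposite(rest)) {
                if (containsSslTransport(component)) {
                    return true;
                }
            }
            return false;
        }
        if (!authorityForm && SCHEME_PREFIX.matcher(rest).find()) {
            // failover:ssl://host:port - a single nested URI rather than a list
            return containsSslTransport(rest);
        }
        // A plain leaf such as ssl://host:port or tcp://host:port
        return "ssl".equals(scheme);
    }

    /** Returns the lower-cased scheme of a URI string, or null when it has none. */
    static String scheme(String uri) {
        Matcher m = SCHEME_PREFIX.matcher(uri.trim());
        if (!m.find()) {
            return null;
        }
        String withColon = m.group();
        return withColon.substring(0, withColon.length() - 1).toLowerCase(Locale.ROOT);
    }

    /** Splits "(a,b,(c,d))?x=y" into the top-level components a, b and (c,d); the query is dropped. */
    static List<String> splitComposite(String composite) {
        List<String> parts = new ArrayList<>();
        int depth = 0;
        int start = 1; // skip the opening '('
        for (int i = 0; i < composite.length(); i++) {
            char c = composite.charAt(i);
            if (c == '(') {
                depth++;
            } else if (c == ')') {
                depth--;
                if (depth == 0) {
                    parts.add(composite.substring(start, i).trim());
                    break; // anything after the closing ')' is the composite's query string
                }
            } else if (c == ',' && depth == 1) {
                parts.add(composite.substring(start, i).trim());
                start = i + 1;
            }
        }
        if (depth != 0) {
            throw new IllegalArgumentException("Unbalanced parentheses in composite URI: " + composite);
        }
        return parts;
    }

    public static void main(String[] args) {
        // Constructed sample broker URLs; hosts and ports are placeholders, not real endpoints.
        String[] samples = {
            "ssl://broker.example:61617",
            "tcp://broker.example:61616",
            "failover:ssl://broker.example:61617",
            "failover:(tcp://a.example:61616,ssl://b.example:61617)?randomize=false",
            "failover://(tcp://a.example:61616,tcp://b.example:61616)",
            "discovery:(multicast://default)"
        };
        for (String url : samples) {
            System.out.printf("%-72s schemeIsSsl=%-5b containsSsl=%b%n",
                    url, topLevelSchemeIsSsl(url), containsSslTransport(url));
        }
    }
}
```

For the third and fourth sample URLs the naive check answers false while the recursive one answers true, which is exactly the case in which the factory above falls through to the plain superclass and the caller's key and trust managers are never installed. The check alone does not settle the reporter's second point (one store for all failover members versus per-URI stores); it only makes sure the ssl branch is reached at all.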

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
