[ https://issues.apache.org/jira/browse/AMQ-5295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Timothy Bish resolved AMQ-5295.
-------------------------------
Resolution: Fixed
Patch applied, thanks.
> HTTPS Network Connector doesn't work with Mutual authentication - HTTPSClientTransport uses wrong SSLSocketFactory
> -----------------------------------------------------------------------------------------------------------------
>
> Key: AMQ-5295
> URL: https://issues.apache.org/jira/browse/AMQ-5295
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.9.0
> Environment: JBoss Fuse 6.1
> Reporter: Piotr Klimczak
> Labels: SSL, TLS, mutualSSL
> Original Estimate: 16h
> Remaining Estimate: 16h
>
> HttpsClientTransport is getting the wrong SSLSocketFactory.
> The problem is here:
> {code}
> // Uses org.apache.http.conn.scheme.Scheme / SchemeRegistry and
> // org.apache.http.conn.ssl.SSLSocketFactory (HttpClient 4.x).
> private SchemeRegistry createSchemeRegistry() {
>     SchemeRegistry schemeRegistry = new SchemeRegistry();
>     try {
>         // register the default socket factory so that it looks at the
>         // javax.net.ssl.keyStore, javax.net.ssl.trustStore, etc. properties by default
>         SSLSocketFactory sslSocketFactory = new SSLSocketFactory(
>                 (javax.net.ssl.SSLSocketFactory) javax.net.ssl.SSLSocketFactory.getDefault(),
>                 SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
>         schemeRegistry.register(new Scheme("https", getRemoteUrl().getPort(), sslSocketFactory));
>         return schemeRegistry;
>     } catch (Exception e) {
>         throw new IllegalStateException("Failure trying to create scheme registry", e);
>     }
> }
> {code}
> The problem with that code is that it never takes the SSLSocketFactory from the
> Spring context, so the one defined in XML is ignored.
> So its code has to be replaced with:
> {code}
> private SchemeRegistry createSchemeRegistry() {
>     SchemeRegistry schemeRegistry = new SchemeRegistry();
>     try {
>         // use the socket factory of the configured SslContext (falls back to the
>         // JVM default, i.e. the javax.net.ssl.* properties, when none is set);
>         // wrapping it in HttpClient's SSLSocketFactory is required by Scheme and
>         // keeps the hostname verification of the original code
>         SSLSocketFactory sslSocketFactory = new SSLSocketFactory(createSocketFactory(),
>                 SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
>         schemeRegistry.register(new Scheme("https", getRemoteUrl().getPort(), sslSocketFactory));
>         return schemeRegistry;
>     } catch (Exception e) {
>         throw new IllegalStateException("Failure trying to create scheme registry", e);
>     }
> }
> {code}
> And then a new method should be added:
> {code}
> /**
>  * Creates a new SSL SocketFactory. The given factory will use user-provided
>  * key and trust managers (if the user provided them).
>  *
>  * @return Newly created (Ssl)SocketFactory.
>  * @throws IOException
>  */
> protected javax.net.ssl.SSLSocketFactory createSocketFactory() throws IOException {
>     // javax.net.ssl.SSLSocketFactory is spelled out because the simple name
>     // SSLSocketFactory in this class refers to the HttpClient wrapper
>     if (SslContext.getCurrentSslContext() != null) {
>         SslContext ctx = SslContext.getCurrentSslContext();
>         try {
>             return ctx.getSSLContext().getSocketFactory();
>         } catch (Exception e) {
>             throw IOExceptionSupport.create(e);
>         }
>     } else {
>         return (javax.net.ssl.SSLSocketFactory) javax.net.ssl.SSLSocketFactory.getDefault();
>     }
> }
> {code}
> This is a solution consistent with the other transports.
> I will prepare patches and tests for this scenario.
> Greetings
> Piotr Klimczak
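The mechanism the report relies on, shown stand-alone as an added example (not code from the issue or from ActiveMQ): the SslContext that the Spring `<sslContext>` element produces is built from a client keystore (which carries the certificate mutual authentication needs) and a truststore, and the https Scheme is derived from that context with hostname verification kept. The store paths and passwords are constructed sample values; the class and method names are the example's own.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.activemq.broker.SslContext;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;

public class MutualTlsSchemeCheck {

    // Equivalent of the Spring <sslContext keyStore=... trustStore=.../> element:
    // the key managers hold the client certificate, the trust managers the broker CA.
    static SslContext fromStores(String keyStore, char[] keyPw, String trustStore, char[] trustPw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(keyStore))) { ks.load(in, keyPw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPw);
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(trustStore))) { ts.load(in, trustPw); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return new SslContext(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    }

    // Same selection as the proposed createSocketFactory(): configured context first,
    // JVM default (javax.net.ssl.* properties) only when no context is set.
    static javax.net.ssl.SSLSocketFactory clientSocketFactory() throws Exception {
        SslContext ctx = SslContext.getCurrentSslContext();
        if (ctx != null) {
            return ctx.getSSLContext().getSocketFactory();
        }
        return (javax.net.ssl.SSLSocketFactory) javax.net.ssl.SSLSocketFactory.getDefault();
    }

    // Wraps the JSSE factory for HttpClient without dropping hostname verification.
    static Scheme httpsScheme(int port) throws Exception {
        SSLSocketFactory wrapped = new SSLSocketFactory(clientSocketFactory(),
                SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
        return new Scheme("https", port, wrapped);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample paths and passwords; use the stores from the broker configuration.
        SslContext ctx = fromStores("client.jks", "password".toCharArray(),
                                    "truststore.jks", "password".toCharArray());
        SslContext.setCurrentSslContext(ctx);
        try {
            Scheme https = httpsScheme(8443);
            System.out.println("https scheme registered on port " + https.getDefaultPort()
                    + " using the configured SslContext (client certificate available)");
        } finally {
            SslContext.setCurrentSslContext(null);
        }
    }
}
```

Without `SslContext.setCurrentSslContext(...)` the same code falls back to the JVM default factory, which is exactly the state the unpatched transport was always in, so the client certificate from the XML configuration was never presented.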
--
This message was sent by Atlassian JIRA
(v6.2#6252)