Hi Jeewantha,
I have moved ServerConnFactoryBuilder and ClientConnFactoryBuilder from
/transport/nhttp/config/ to /transport/http/config/ because those two
classes are common to both nhttp and passthru transports.
Here are the diff files of the two files that I edited.
I used an online tool to generate ServerConnFactoryBuilder.diff because I
did not commit the changes after I moved the file to the http directory, so
the format of the diff file may be different.
thanks.
On Wed, Mar 19, 2014 at 8:57 PM, Jeewantha Dharmaparakrama <
[email protected]> wrote:
> [Adding @dev]
>
> Hi Sudheera,
>
> Did you remove ServerConnFactoryBuilder and ClientConnFactoryBuilder from
> the source and add the changed classes again? It's difficult to see which
> lines have changed in the patch file.
> Please remove ServerConnFactoryBuilder and ClientConnFactoryBuilder from
> your local source, svn up again, and then do the changes in those files and
> create the patch file.
>
> Thanks,
> Jeewantha
>
>
> On Wed, Mar 19, 2014 at 3:00 AM, Sudheera Palihakkara
> <[email protected]>wrote:
>
>> Hi ayya,
>>
>> I have done some coding in ServerSSLSetupHandler.java and
>> ServerConnFactoryBuilder.java as they did on the backend side. I think the
>> logic is ok but it's hard to test since we don't have a certificate chain
>> that is signed by a CA. I used wso2carbon.jks for the client and the request
>> failed since both OCSP and CRL verification failed for wso2carbon.jks.
>> I have attached the diff file. Can you take a look?
>>
>>
>> thanks.
>>
>>
>> On Wed, Mar 19, 2014 at 11:43 AM, Sudheera Palihakkara <[email protected]>
>> wrote:
>>
>>> Hi ayya,
>>>
>>> In ServerConnFactoryBuilder.java, line 202:
>>>
>>> ServerSSLSetupHandler sslSetupHandler = (clientAuth != null || httpsProtocols != null)
>>>         ? new ServerSSLSetupHandler(clientAuth, httpsProtocols) : null;
>>>
>>> it seems that if the SSLVerifyClient parameter is not defined then
>>> ServerSSLSetupHandler() doesn't get invoked. Do we need this
>>> "SSLVerifyClient" parameter set to "required" in order to verify OCSP and
>>> CRL?
>>>
>>>
>>>
>>>
>>>
>>> On Sat, Mar 15, 2014 at 12:20 AM, Jeewantha Dharmaparakrama <
>>> [email protected]> wrote:
>>>
>>>> Hi Sudheera,
>>>>
>>>> You don't need SSL Profiles to talk to HTTPS backends. SSL profiles are
>>>> to define different SSL configurations (Trust stores, Keystores) for
>>>> different backends. And according to the logs, the connection is not made
>>>> to an HTTPS backend. The error occurs during the SSL handshake.
>>>>
>>>> To make an HTTPS connection just host your service in some server
>>>> (doesn't matter which) and in the ESB define the endpoint to connect to the
>>>> https port with the correct HTTPS endpoint URL.
>>>>
>>>> However, to test OCSP/CRL you can't use a carbon server which runs in
>>>> your local machine. The reason is, the certificates defined in the Carbon
>>>> Servers are fake (self signed). That's why the web browser says "Untrusted
>>>> connection" when you try to connect to the management console of a locally
>>>> running carbon server. And in those fake certificates, the CRL/OCSP urls
>>>> are not defined. So you can't test the OCSP/CRL feature that way.
>>>>
>>>> So don't run the backend in your local machine. Instead, use some HTTPS
>>>> backend like https://www.facebook.com or if you need a webservice use
>>>> the echo service in Stratos Live [1]. Stratos Live uses valid WSO2
>>>> certificates signed by Digicert, a valid CA which has its OCSP/CRL servers
>>>> running [2].
>>>>
>>>> [1] https://stratoslive.wso2.com/services/echo?wsdl
>>>> [2] http://www.digicert.com/
>>>>
>>>> If you have more questions please ask on @Dev to be more visible to the
>>>> public.
>>>>
>>>> Thanks,
>>>> Jeewantha
>>>>
>>>>
>>>> On Fri, Mar 14, 2014 at 2:09 AM, Sudheera Palihakkara <
>>>> [email protected]> wrote:
>>>>
>>>>> Hi ayya,
>>>>>
>>>>> I'm trying to invoke the already implemented OCSP at the transport
>>>>> sender and get an idea about the flow. But I'm having some difficulties
>>>>> during the process. Here's what I've done:
>>>>>
>>>>> 1. Followed this document [1] to create the SSL profiles (used the same
>>>>> axis2.xml with the password as wso2carbon).
>>>>> 2. Started a separate DSS with clientAuth="true" in
>>>>> catalina-server.xml.
>>>>> 3. Created a proxy service in ESB to invoke the echo service deployed
>>>>> at DSS with use of https in the endpoint.
>>>>>
>>>>> When I invoked the proxy service I'm getting this error:
>>>>>
>>>>> [2014-03-14 13:11:10,725] ERROR - TargetHandler I/O error:
>>>>> Unrecognized SSL message, plaintext connection?
>>>>>
>>>>> Full error log [2].
>>>>>
>>>>> Can you help me out please? Is there any other way to test this? I
>>>>> might need something similar for the transport listener too. Thank you.
>>>>>
>>>>>
>>>>> [1]
>>>>> http://pathberiya.blogspot.com/2010/07/ssl-profiles-in-wso2-esb.html
>>>>> [2] http://pastebin.com/5VMK4cnT
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Jeewantha Dharmaparakrama
>>>> Software Engineer; WSO2, Inc.; http://wso2.com/
>>>> Phone : (+94) 774726790
>>>> Skype : prasad.jeewantha
>>>> LinkedIn : http://www.linkedin.com/in/jeewanthad
>>>> Twitter: https://twitter.com/jeewamp
>>>> Blog: http://jeewanthad.blogspot.com/
>>>>
>>>
>>>
>>
>
>
> --
> Jeewantha Dharmaparakrama
> Software Engineer; WSO2, Inc.; http://wso2.com/
> Phone : (+94) 774726790
> Skype : prasad.jeewantha
> LinkedIn : http://www.linkedin.com/in/jeewanthad
> Twitter: https://twitter.com/jeewamp
> Blog: http://jeewanthad.blogspot.com/
>
Index: http/conn/ServerSSLSetupHandler.java
===================================================================
--- http/conn/ServerSSLSetupHandler.java (revision 197356)
+++ http/conn/ServerSSLSetupHandler.java (working copy)
@@ -24,16 +24,23 @@
import org.apache.http.nio.reactor.IOSession;
import org.apache.http.nio.reactor.ssl.SSLSetupHandler;
+import
org.apache.synapse.transport.certificatevalidation.CertificateVerificationException;
+import
org.apache.synapse.transport.certificatevalidation.RevocationVerificationManager;
+import java.net.InetSocketAddress;
+import java.net.SocketAddress;
+
public class ServerSSLSetupHandler implements SSLSetupHandler {
private final SSLClientAuth clientAuth;
/** Enabled SSL handshake protocols (e.g. SSLv3, TLSv1) */
private final String[] httpsProtocols;
+ RevocationVerificationManager verificationManager;
- public ServerSSLSetupHandler(final SSLClientAuth clientAuth, final
String[] httpsProtocols) {
+ public ServerSSLSetupHandler(final SSLClientAuth clientAuth, final
String[] httpsProtocols, final RevocationVerificationManager
verificationManager) {
this.clientAuth = clientAuth;
this.httpsProtocols = httpsProtocols;
+ this.verificationManager=verificationManager;
}
public void initalize(
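Review bot: the new field `RevocationVerificationManager verificationManager;` is package-private and mutable while the two existing fields of this class are `private final`; it is assigned only in the constructor, so declare it `private final RevocationVerificationManager verificationManager;` to keep the handler immutable and stop other classes in the package from swapping the verifier out after construction. Style: `this.verificationManager=verificationManager;` needs spaces around `=` to match the surrounding assignments, and the two `org.apache.synapse.transport.certificatevalidation` imports plus the `java.net` imports are appended after the `org.apache.http` block rather than grouped with the existing import ordering.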
@@ -55,9 +62,23 @@
}
- public void verify(
- final IOSession iosession,
- final SSLSession sslsession) throws SSLException {
+ public void verify(IOSession iosession, SSLSession sslsession) throws
SSLException {
+ SocketAddress remoteAddress = iosession.getRemoteAddress();
+ String address;
+ if (remoteAddress instanceof InetSocketAddress) {
+ address = ((InetSocketAddress) remoteAddress).getHostName();
+ } else {
+ address = remoteAddress.toString();
+ }
+
+ if (verificationManager!=null) {
+ try {
+
verificationManager.verifyRevocationStatus(sslsession.getPeerCertificateChain());
+ } catch (CertificateVerificationException e) {
+ throw new SSLException("Certificate Chain Validation failed
for host : " + address, e);
+ }
+ }
}
+
}
\ No newline at end of file
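Review bot: `sslsession.getPeerCertificateChain()` throws `SSLPeerUnverifiedException` when the client presented no certificate, which is the case whenever client authentication is not required, so with a verifier configured this `verify()` fails every such handshake with an unhandled peer-unverified error instead of either skipping the check or reporting it clearly; guard the call on client authentication being required, or catch `SSLPeerUnverifiedException` explicitly and fail with a message that says no client chain was presented. Also, `address` is resolved via `getHostName()` before the `verificationManager!=null` check, forcing a reverse DNS lookup on every handshake even when no verifier is configured; compute it inside the `catch` block where it is used, and prefer `getHostString()` to avoid the lookup. Minor: `verificationManager!=null` needs spaces around the operator, and the file should end with a newline.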
20c20
< package org.apache.synapse.transport.nhttp.config;
---
> package org.apache.synapse.transport.http.config;
52a53
> import
> org.apache.synapse.transport.certificatevalidation.RevocationVerificationManager;
76,79c77,81
< final OMElement keyStoreEl,
< final OMElement trustStoreEl,
< final OMElement cientAuthEl,
< final OMElement httpsProtocolsEl) throws AxisFault {
---
> final OMElement keyStoreEl,
> final OMElement trustStoreEl,
> final OMElement cientAuthEl,
> final OMElement httpsProtocolsEl,
> final RevocationVerificationManager verificationManager) throws
> AxisFault {
204c206
< new
ServerSSLSetupHandler(clientAuth,httpsProtocols) : null;
---
> new
> ServerSSLSetupHandler(clientAuth,httpsProtocols,verificationManager) : null;
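Review bot: the guard that decides whether a `ServerSSLSetupHandler` is created at all is left as `(clientAuth != null || httpsProtocols != null)`, so when `CertificateRevocationVerifier` is enabled but neither `SSLVerifyClient` nor the HTTPS protocols parameter is configured, `verificationManager` is silently discarded and no revocation check ever runs; this is exactly the behaviour questioned earlier in the thread. Either extend the condition with `|| verificationManager != null`, or, since revocation checking on the listener only applies to a client chain that is actually presented, reject the configuration with an `AxisFault` when the verifier is enabled without client authentication so the misconfiguration is visible at startup rather than a silent no-op.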
221a224,241
>
> final Parameter cvp =
> transportIn.getParameter("CertificateRevocationVerifier");
> final String cvEnable = cvp != null ?
> cvp.getParameterElement().getAttribute(new
> QName("enable")).getAttributeValue() : null;
> RevocationVerificationManager revocationVerifier = null;
>
> if ("true".equalsIgnoreCase(cvEnable)) {
> String cacheSizeString =
> cvp.getParameterElement().getFirstChildWithName(new
> QName("CacheSize")).getText();
> String cacheDelayString =
> cvp.getParameterElement().getFirstChildWithName(new
> QName("CacheDelay")).getText();
> Integer cacheSize = null;
> Integer cacheDelay = null;
> try {
> cacheSize = new Integer(cacheSizeString);
> cacheDelay = new Integer(cacheDelayString);
> }
> catch (NumberFormatException e) {}
> revocationVerifier = new RevocationVerificationManager(cacheSize,
> cacheDelay);
> }
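Review bot: the trailing `catch (NumberFormatException e) {}` swallows a malformed `CacheSize`/`CacheDelay` value and continues with `null` cache settings, and `getFirstChildWithName(new QName("CacheSize")).getText()` (and the `CacheDelay` counterpart) throws a `NullPointerException` at startup if the child element is absent; likewise `getAttribute(new QName("enable"))` returns `null` when the attribute is missing, so `.getAttributeValue()` NPEs before `cvEnable` is even compared. Null-check each element and attribute, and on a bad number either fail fast with an `AxisFault` naming the parameter or log a warning and fall back to an explicit default, rather than ignoring the error. Use `Integer.valueOf(cacheSizeString)` instead of the `new Integer(...)` constructor.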
223c243
< ssl = createSSLContext(keyStoreEl, trustStoreEl, clientAuthEl,
httpsProtocolsEl);
---
> ssl = createSSLContext(keyStoreEl, trustStoreEl, clientAuthEl,
> httpsProtocolsEl, revocationVerifier);
250c270
< SSLContextDetails ssl = createSSLContext(keyStoreEl,
trustStoreEl, clientAuthEl,httpsProtocolsEl);
---
> SSLContextDetails ssl = createSSLContext(keyStoreEl,
> trustStoreEl, clientAuthEl,httpsProtocolsEl,null);
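Review bot: this second `createSSLContext(...)` call site passes `null` for the verifier, so any SSL context built here performs no revocation checking even when `CertificateRevocationVerifier` is enabled in the transport configuration; if that is intentional (these contexts being configured separately), add a comment saying so at the call, otherwise thread the same `revocationVerifier` through so both code paths behave consistently.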
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev