Hi! I have searched the archives for information on the following issue but have not found any. Please point me in the right direction if there is any :)
I'm trying to achieve a connection towards a broker that only accepts AMQP 1.0 over a TLS 1.2 connection. In order to do this, I'm using the qpid-amqp-1-0-client-jms lib. However as far as I can see, this does not seem doable. I would like to know if this: a) Is doable by some configuration of the lib that I haven't found? b) Is a feature that is in the pipe to do, or can it be requested? c) Is something that I could/should code a patch for and send in for a review? Here are my technical findings on the issue: 1) I'm creating a Connection via org.apache.qpid.amqp_1_0.jms.impl.ConnectionFactoryImpl 2) ConnectionFactoryImpl uses org.apache.qpid.amqp_1_0.client.SSLUtil to create a SSLContext using provided truststore, keystore etc.. 3) SSLUtil initiates a SSLContext with a hardcoded String: TRANSPORT_LAYER_SECURITY_CODE = "TLS" 4) In Oracle JDK 7, the file "<jdk installation path>\jre\lib\security\java.security" register com.sun.net.ssl.internal.ssl.Provider, an extension of sun.security.ssl.SunJSSE, as the default JSSE provider. This class is, in turn, configures that sun.security.ssl.SSLContextImpl$TLS10Context should be used as SSLContext for the alias "TLS". 5) TLS10Context is only registering TLSv1 and SSLv3 as the default protocols to use. 6) This means that when org.apache.qpid.amqp_1_0.client.TCPTransportProvier (which btw lacks a "d" in the name) is creating the underlying connection between the qpid client and the broker, the SSLSocket only gets enabled with "TLSv1" and "SSLv3". I've tried to change TRANSPORT_LAYER_SECURITY_CODE to "TLSv1.2" and recompile the qpid-amqp-1-0-client-jms lib and use this recompiled version instead. This was working successfully and gave me a connection that can connect to a broker configured with any of the following protocols ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]. My next test is to once again use "TLS" in SSLUtil, but instead provide ConnectionFactoryImpl with a list of protocols that I want to be enabled. These will then be sent downwards through the stack to the TCPTransportProvier that can apply these directly to the SSLSocket per connection. All in all, can anyone involved tell me which of a, b or c above, is correct or should be done? Best regards, Mattias -- View this message in context: http://qpid.2158936.n2.nabble.com/qpid-amqp-1-0-client-jms-and-TLS-1-2-tp7619126.html Sent from the Apache Qpid users mailing list archive at Nabble.com. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
