Hi Mattias, apologies for this; I'll make a fix along the lines you suggested and apply it to trunk this evening. Thank you for spending the time to investigate the issue and suggest the solution - much appreciated!
--
Rob

On 29 January 2015 at 16:52, MattiasÖ <[email protected]> wrote:
> Hi!
>
> I have searched the archives for information on the following issue but have
> not found any. Please point me in the right direction if there is any :)
>
> I'm trying to achieve a connection towards a broker that only accepts AMQP
> 1.0 over a TLS 1.2 connection.
> In order to do this, I'm using the qpid-amqp-1-0-client-jms lib. However, as
> far as I can see, this does not seem doable.
>
> I would like to know if this:
> a) Is doable by some configuration of the lib that I haven't found?
> b) Is a feature that is in the pipe to do, or can it be requested?
> c) Is something that I could/should code a patch for and send in for
> review?
>
> Here are my technical findings on the issue:
>
> 1) I'm creating a Connection via
> org.apache.qpid.amqp_1_0.jms.impl.ConnectionFactoryImpl
> 2) ConnectionFactoryImpl uses org.apache.qpid.amqp_1_0.client.SSLUtil to
> create an SSLContext using the provided truststore, keystore etc.
> 3) SSLUtil initiates an SSLContext with a hardcoded String:
> TRANSPORT_LAYER_SECURITY_CODE = "TLS"
> 4) In Oracle JDK 7, the file "<jdk installation
> path>\jre\lib\security\java.security" registers
> com.sun.net.ssl.internal.ssl.Provider, an extension of
> sun.security.ssl.SunJSSE, as the default JSSE provider. This class, in
> turn, configures that sun.security.ssl.SSLContextImpl$TLS10Context should be
> used as the SSLContext for the alias "TLS".
> 5) TLS10Context only registers TLSv1 and SSLv3 as the default protocols
> to use.
> 6) This means that when org.apache.qpid.amqp_1_0.client.TCPTransportProvier
> (which btw lacks a "d" in the name) is creating the underlying connection
> between the qpid client and the broker, the SSLSocket only gets enabled with
> "TLSv1" and "SSLv3".
>
> I've tried to change TRANSPORT_LAYER_SECURITY_CODE to "TLSv1.2" and
> recompile the qpid-amqp-1-0-client-jms lib and use this recompiled version
> instead. This was working successfully and gave me a connection that can
> connect to a broker configured with any of the following protocols ["SSLv3",
> "TLSv1", "TLSv1.1", "TLSv1.2"].
> My next test is to once again use "TLS" in SSLUtil, but instead provide
> ConnectionFactoryImpl with a list of protocols that I want to be enabled.
> These will then be sent downwards through the stack to the
> TCPTransportProvier that can apply these directly to the SSLSocket per
> connection.
>
> All in all, can anyone involved tell me which of a, b or c above is correct
> or should be done?
>
> Best regards,
> Mattias
>
> --
> View this message in context:
> http://qpid.2158936.n2.nabble.com/qpid-amqp-1-0-client-jms-and-TLS-1-2-tp7619126.html
> Sent from the Apache Qpid users mailing list archive at Nabble.com.
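The approach Mattias describes in his second test (keep the "TLS" alias for the SSLContext, but hand an explicit protocol list down to the SSLSocket) is shown below as an added, stand-alone example. It is not code from the thread or from the Qpid client; the class name, the truststore path, the broker host and port, and the password are placeholders. The point it demonstrates is that the protocol set should be pinned per socket with `setEnabledProtocols`, intersected with `getSupportedProtocols` so an unsupported request fails loudly instead of silently falling back to the provider's default (which, on the JDK 7 setup described above, is TLSv1 plus SSLv3).

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Hypothetical helper (not part of Qpid): opens a client SSLSocket and
 * explicitly restricts it to the protocols the caller asks for, rather than
 * relying on whatever the "TLS" alias happens to enable by default.
 */
public class ExplicitTlsClient {

    /** Protocols the caller wants. Only TLSv1.2 here, so SSLv3/TLSv1 are never offered. */
    public static final String[] WANTED_PROTOCOLS = { "TLSv1.2" };

    /** Intersect the wanted list with what the socket supports; refuse to continue if nothing is left. */
    public static String[] selectProtocols(String[] wanted, String[] supported) {
        List<String> supportedList = Arrays.asList(supported);
        List<String> chosen = new ArrayList<String>();
        for (String p : wanted) {
            if (supportedList.contains(p)) {
                chosen.add(p);
            }
        }
        if (chosen.isEmpty()) {
            throw new IllegalStateException("none of " + Arrays.toString(wanted)
                    + " is supported by this JSSE provider; supported: " + Arrays.toString(supported));
        }
        return chosen.toArray(new String[chosen.size()]);
    }

    /** Build an SSLContext from a JKS truststore. The "TLS" alias is fine because protocols are overridden per socket. */
    public static SSLContext buildContext(String truststorePath, char[] truststorePassword)
            throws GeneralSecurityException, IOException {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(truststorePath);
        try {
            trustStore.load(in, truststorePassword);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Connect, pin the enabled protocols, and force the handshake so a mismatch surfaces immediately. */
    public static SSLSocket connect(SSLContext ctx, String host, int port, String[] wanted) throws IOException {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        String[] defaults = socket.getEnabledProtocols();
        socket.setEnabledProtocols(selectProtocols(wanted, socket.getSupportedProtocols()));
        System.out.println("enabled by default: " + Arrays.toString(defaults));
        System.out.println("enabled now:        " + Arrays.toString(socket.getEnabledProtocols()));
        socket.startHandshake();
        System.out.println("negotiated:         " + socket.getSession().getProtocol());
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values: broker host, port, truststore path and password are assumptions, not from the thread.
        String host = args.length > 0 ? args[0] : "broker.example.invalid";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 5671;
        SSLContext ctx = buildContext("client-truststore.jks", "changeit".toCharArray());
        SSLSocket socket = connect(ctx, host, port, WANTED_PROTOCOLS);
        socket.close();
    }
}
```

Run it against a broker that only accepts TLS 1.2 and the "enabled by default" line shows what the provider would have offered on its own; the "negotiated" line confirms what the handshake actually settled on. If the JRE in use cannot speak any of the requested protocols, `selectProtocols` throws before any bytes are sent, which is preferable to a connection that quietly degrades to SSLv3.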
