Add support for hostname verification

Author: cshannon

activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/AmqpTestSupport.java

@@ -185,7 +185,7 @@ protected void addTranportConnectors() throws Exception {
         }
         if (isUseSslConnector()) {
             connector = brokerService.addConnector(
-                "amqp+ssl://0.0.0.0:" + amqpSslPort + "?transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
+                "amqp+ssl://0.0.0.0:" + amqpSslPort + "?transport.verifyHostName=false&transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
             amqpSslPort = connector.getConnectUri().getPort();
             amqpSslURI = connector.getPublishableConnectURI();
             LOG.debug("Using amqp+ssl port " + amqpSslPort);
@@ -199,7 +199,7 @@ protected void addTranportConnectors() throws Exception {
         }
         if (isUseNioPlusSslConnector()) {
             connector = brokerService.addConnector(
-                "amqp+nio+ssl://0.0.0.0:" + amqpNioPlusSslPort + "?transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
+                "amqp+nio+ssl://0.0.0.0:" + amqpNioPlusSslPort + "?transport.verifyHostName=false&transport.tcpNoDelay=true&transport.transformer=" + getAmqpTransformer() + getAdditionalConfig());
             amqpNioPlusSslPort = connector.getConnectUri().getPort();
             amqpNioPlusSslURI = connector.getPublishableConnectURI();
             LOG.debug("Using amqp+nio+ssl port " + amqpNioPlusSslPort);

activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/auto/JMSClientAutoSslAuthTest.java

@@ -79,7 +79,7 @@ protected URI getBrokerURI() {
 
     @Override
     protected String getAdditionalConfig() {
-        return "?transport.needClientAuth=true";
+        return "?transport.needClientAuth=true&transport.verifyHostName=false";
     }
 
 

activemq-broker/src/main/java/org/apache/activemq/transport/nio/AutoInitNioSSLTransport.java

@@ -30,6 +30,7 @@
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
+import javax.net.ssl.SSLParameters;
 
 import org.apache.activemq.thread.TaskRunnerFactory;
 import org.apache.activemq.util.IOExceptionSupport;
@@ -89,6 +90,12 @@ protected void initializeStreams() throws IOException {
                 sslEngine = sslContext.createSSLEngine();
             }
 
+            if (verifyHostName) {
+                SSLParameters sslParams = new SSLParameters();
+                sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+                sslEngine.setSSLParameters(sslParams);
+            }
+
             sslEngine.setUseClientMode(false);
             if (enabledCipherSuites != null) {
                 sslEngine.setEnabledCipherSuites(enabledCipherSuites);

activemq-client/src/main/java/org/apache/activemq/transport/nio/NIOSSLTransport.java

@@ -36,6 +36,7 @@
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
 import javax.net.ssl.SSLEngineResult.HandshakeStatus;
+import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 
@@ -56,6 +57,7 @@ public class NIOSSLTransport extends NIOTransport {
     protected boolean wantClientAuth;
     protected String[] enabledCipherSuites;
     protected String[] enabledProtocols;
+    protected boolean verifyHostName = true;
 
     protected SSLContext sslContext;
     protected SSLEngine sslEngine;
@@ -119,6 +121,12 @@ protected void initializeStreams() throws IOException {
                     sslEngine = sslContext.createSSLEngine();
                 }
 
+                if (verifyHostName) {
+                    SSLParameters sslParams = new SSLParameters();
+                    sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+                    sslEngine.setSSLParameters(sslParams);
+                }
+
                 sslEngine.setUseClientMode(false);
                 if (enabledCipherSuites != null) {
                     sslEngine.setEnabledCipherSuites(enabledCipherSuites);
@@ -543,4 +551,12 @@ public String[] getEnabledProtocols() {
     public void setEnabledProtocols(String[] enabledProtocols) {
         this.enabledProtocols = enabledProtocols;
     }
+
+    public boolean isVerifyHostName() {
+        return verifyHostName;
+    }
+
+    public void setVerifyHostName(boolean verifyHostName) {
+        this.verifyHostName = verifyHostName;
+    }
 }

activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransport.java

@@ -17,11 +17,14 @@
 package org.apache.activemq.transport.tcp;
 
 import java.io.IOException;
+import java.net.Socket;
+import java.net.SocketException;
 import java.net.URI;
 import java.net.UnknownHostException;
 import java.security.cert.X509Certificate;
 import java.util.HashMap;
 
+import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
@@ -43,6 +46,8 @@
  */
 public class SslTransport extends TcpTransport {
 
+    private Boolean verifyHostName = null;
+
     /**
      * Connect to a remote node such as a Broker.
      *
@@ -73,6 +78,37 @@ public SslTransport(WireFormat wireFormat, SSLSocketFactory socketFactory, URI r
         }
     }
 
+    @Override
+    protected void initialiseSocket(Socket sock) throws SocketException, IllegalArgumentException {
+        //This needs to default to null because this transport class is used for both a server transport
+        //and a client connection and if we default it to a value it might override the transport server setting
+        //that was configured inside TcpTransportServer
+
+        //The idea here is that if this is a server transport then verifyHostName will be set by the setter
+        //below and not be null (if using transport.verifyHostName) but if a client uses socket.verifyHostName
+        //then it will be null and we can check socketOptions
+
+        //Unfortunately we have to do this to stay consistent because every other SSL option on the client
+        //side is configured using socket. but this particular option isn't actually part of the socket
+        //so it makes it tricky
+        if (verifyHostName == null) {
+            if (socketOptions != null && socketOptions.containsKey("verifyHostName")) {
+                verifyHostName = Boolean.parseBoolean(socketOptions.get("verifyHostName").toString());
+                socketOptions.remove("verifyHostName");
+            } else {
+                verifyHostName = true;
+            }
+        }
+
+        if (verifyHostName) {
+            SSLParameters sslParams = new SSLParameters();
+            sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+            ((SSLSocket)this.socket).setSSLParameters(sslParams);
+        }
+
+        super.initialiseSocket(sock);
+    }
+
     /**
      * Initialize from a ServerSocket. No access to needClientAuth is given
      * since it is already set within the provided socket.
@@ -108,6 +144,10 @@ public void doConsume(Object command) {
         super.doConsume(command);
     }
 
+    public void setVerifyHostName(Boolean verifyHostName) {
+        this.verifyHostName = verifyHostName;
+    }
+
     /**
      * @return peer certificate chain associated with the ssl socket
      */

activemq-client/src/main/java/org/apache/activemq/transport/tcp/SslTransportServer.java

@@ -100,6 +100,7 @@ public void setWantClientAuth(boolean wantAuth) {
      *
      * @throws IOException passed up from TcpTransportServer.
      */
+    @Override
     public void bind() throws IOException {
         super.bind();
         if (needClientAuth) {
@@ -119,6 +120,7 @@ public void bind() throws IOException {
      * @return The newly return (SSL) Transport.
      * @throws IOException
      */
+    @Override
     protected Transport createTransport(Socket socket, WireFormat format) throws IOException {
         return new SslTransport(format, (SSLSocket)socket);
     }

activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransport.java

@@ -133,7 +133,7 @@ public class TcpTransport extends TransportThreadSupport implements Transport, S
     protected final AtomicReference<CountDownLatch> stoppedLatch = new AtomicReference<CountDownLatch>();
     protected volatile int receiveCounter;
 
-    private Map<String, Object> socketOptions;
+    protected Map<String, Object> socketOptions;
     private int soLinger = Integer.MIN_VALUE;
     private Boolean keepAlive;
     private Boolean tcpNoDelay;
@@ -751,6 +751,7 @@ private boolean setTrafficClass(Socket sock) throws SocketException,
         return true;
     }
 
+    @Override
     public WireFormat getWireFormat() {
         return wireFormat;
     }

activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java

@@ -40,6 +40,7 @@
 import java.util.concurrent.atomic.AtomicInteger;
 
 import javax.net.ServerSocketFactory;
+import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLServerSocket;
 
 import org.apache.activemq.Service;
@@ -79,6 +80,7 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
     protected int minmumWireFormatVersion;
     protected boolean useQueueForAccept = true;
     protected boolean allowLinkStealing;
+    protected boolean verifyHostName = true;
 
     /**
      * trace=true -> the Transport stack where this TcpTransport object will be, will have a TransportLogger layer
@@ -172,6 +174,16 @@ private void configureServerSocket(ServerSocket socket) throws SocketException {
             //  see: https://issues.apache.org/jira/browse/AMQ-4582
             //
             if (socket instanceof SSLServerSocket) {
+                if (transportOptions.containsKey("verifyHostName")) {
+                    verifyHostName = Boolean.parseBoolean(transportOptions.get("verifyHostName").toString());
+                }
+
+                if (verifyHostName) {
+                    SSLParameters sslParams = new SSLParameters();
+                    sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+                    ((SSLServerSocket)this.serverSocket).setSSLParameters(sslParams);
+                }
+
                 if (transportOptions.containsKey("enabledCipherSuites")) {
                     Object cipherSuites = transportOptions.remove("enabledCipherSuites");
 
@@ -180,6 +192,7 @@ private void configureServerSocket(ServerSocket socket) throws SocketException {
                             "Invalid transport options {enabledCipherSuites=%s}", cipherSuites));
                     }
                 }
+
             }
 
             //AMQ-6599 - don't strip out set properties on the socket as we need to set them

activemq-mqtt/src/test/java/org/apache/activemq/transport/mqtt/auto/MQTTAutoSslAuthTest.java

@@ -55,7 +55,7 @@ public static Collection<Object[]> data() {
      */
     public MQTTAutoSslAuthTest(String protocol) {
         this.protocol = protocol;
-        protocolConfig = "transport.needClientAuth=true";
+        protocolConfig = "transport.needClientAuth=true&transport.verifyHostName=false&";
     }
 
     @Override

activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompSslAuthTest.java

@@ -54,13 +54,13 @@ protected Socket createSocket() throws IOException {
 
     @Override
     public void addOpenWireConnector() throws Exception {
-        TransportConnector connector = brokerService.addConnector("ssl://0.0.0.0:0?needClientAuth=true");
-        cf = new ActiveMQConnectionFactory(connector.getPublishableConnectString());
+        TransportConnector connector = brokerService.addConnector("ssl://0.0.0.0:0?transport.needClientAuth=true&transport.verifyHostName=false");
+        cf = new ActiveMQConnectionFactory(connector.getPublishableConnectString() + "?socket.verifyHostName=false");
     }
 
     @Override
     protected String getAdditionalConfig() {
-        return "?needClientAuth=true";
+        return "?needClientAuth=true&transport.verifyHostName=false";
     }
 
     // NOOP - These operations handled by jaas cert login module

activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/auto/StompAutoSslAuthTest.java

@@ -102,7 +102,7 @@ protected Socket createSocket() throws IOException {
 
     @Override
     protected String getAdditionalConfig() {
-        return "?transport.needClientAuth=true";
+        return "?transport.needClientAuth=true&transport.verifyHostName=false";
     }
 
     @Override

activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4126Test.java

@@ -121,7 +121,7 @@ public void testStompNIOSSLWithCertificate() throws Exception {
 
     public void openwireConnectTo(String connectorName, String username, String password) throws Exception {
         URI brokerURI = broker.getConnectorByName(connectorName).getConnectUri();
-        String uri = "ssl://" + brokerURI.getHost() + ":" + brokerURI.getPort();
+        String uri = "ssl://" + brokerURI.getHost() + ":" + brokerURI.getPort() + "?socket.verifyHostName=false";
         ActiveMQSslConnectionFactory cf = new ActiveMQSslConnectionFactory(uri);
         cf.setTrustStore("org/apache/activemq/security/broker1.ks");
         cf.setTrustStorePassword("password");

activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ6599Test.java

@@ -71,7 +71,7 @@ public void before() throws Exception {
         brokerService.setPersistent(false);
 
         TransportConnector connector = brokerService.addConnector(protocol +
-                "://localhost:0?transport.soTimeout=3500");
+                "://localhost:0?transport.soTimeout=3500&transport.verifyHostName=false");
         connector.setName("connector");
         uri = connector.getPublishableConnectString();
 

activemq-unit-tests/src/test/java/org/apache/activemq/network/NetworkReconnectSslNioTest.java

@@ -47,14 +47,14 @@ public void testForceReconnect() throws Exception {
         remote.setSslContext(sslContext);
         remote.setUseJmx(false);
         remote.setPersistent(false);
-        final TransportConnector transportConnector = remote.addConnector("nio+ssl://0.0.0.0:0");
+        final TransportConnector transportConnector = remote.addConnector("nio+ssl://0.0.0.0:0?transport.verifyHostName=false");
         remote.start();
 
         BrokerService local = new BrokerService();
         local.setSslContext(sslContext);
         local.setUseJmx(false);
         local.setPersistent(false);
-        final NetworkConnector networkConnector = local.addNetworkConnector("static:(" + remote.getTransportConnectorByScheme("nio+ssl").getPublishableConnectString().replace("nio+ssl", "ssl") + ")?useExponentialBackOff=false&initialReconnectDelay=10");
+        final NetworkConnector networkConnector = local.addNetworkConnector("static:(" + remote.getTransportConnectorByScheme("nio+ssl").getPublishableConnectString().replace("nio+ssl", "ssl") + "?socket.verifyHostName=false" + ")?useExponentialBackOff=false&initialReconnectDelay=10");
         local.start();
 
         assertTrue("Bridge created", Wait.waitFor(new Wait.Condition() {

activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoSslAuthTest.java

@@ -75,7 +75,7 @@ public void before() throws Exception {
         BrokerService brokerService = new BrokerService();
         brokerService.setPersistent(false);
 
-        TransportConnector connector = brokerService.addConnector(protocol + "://localhost:0?transport.needClientAuth=true");
+        TransportConnector connector = brokerService.addConnector(protocol + "://localhost:0?transport.needClientAuth=true&transport.verifyHostName=false");
         connector.setName("auto");
         uri = connector.getPublishableConnectString();
 
@@ -126,7 +126,7 @@ public AutoSslAuthTest(String protocol) {
     @Test(timeout = 60000)
     public void testConnect() throws Exception {
         ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory();
-        factory.setBrokerURL(uri);
+        factory.setBrokerURL(uri + "?socket.verifyHostName=false");
 
         //Create 5 connections to make sure all are properly set
         for (int i = 0; i < 5; i++) {

activemq-unit-tests/src/test/java/org/apache/activemq/transport/auto/AutoTransportConnectionsTest.java

@@ -103,8 +103,14 @@ public void tearDown() throws Exception {
     }
 
     public void configureConnectorAndStart(String bindAddress) throws Exception {
+        if (bindAddress.contains("ssl")) {
+            bindAddress += bindAddress.contains("?") ? "&transport.verifyHostName=false" : "?transport.verifyHostName=false";
+        }
         connector = service.addConnector(bindAddress);
         connectionUri = connector.getPublishableConnectString();
+        if (connectionUri.contains("ssl")) {
+            connectionUri += connectionUri.contains("?") ? "&socket.verifyHostName=false" : "?socket.verifyHostName=false";
+        }
         service.start();
         service.waitUntilStarted();
     }