| author | Keith Wall <kwall@apache.org> | 2014-12-10 17:17:24 +0000 |
|---|---|---|
| committer | Keith Wall <kwall@apache.org> | 2014-12-10 17:17:24 +0000 |
| commit | 5cce2b1fbd0d00486106d0cf9d734972f856ee6c (patch) | |
| tree | 424e55e01b0e18428c6246b90ec345ddafadf53a /qpid/java/common/src | |
| parent | 129a9e7cece9fe18e9cf1fddf9401e78db36c9cd (diff) | |
| download | qpid-python-5cce2b1fbd0d00486106d0cf9d734972f856ee6c.tar.gz | |
Reenable support for SSL and Plain on the same port (i.e. the transport sniffing). Reenable all TLS tests
git-svn-id: https://svn.apache.org/repos/asf/qpid/branches/QPID-6262-JavaBrokerNIO@1644485 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/common/src')
3 files changed, 85 insertions, 13 deletions
diff --git a/qpid/java/common/src/main/java/org/apache/qpid/transport/ServerDelegate.java b/qpid/java/common/src/main/java/org/apache/qpid/transport/ServerDelegate.java
index 82a677b8f7..f8fd286f17 100644
--- a/qpid/java/common/src/main/java/org/apache/qpid/transport/ServerDelegate.java
+++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/ServerDelegate.java
@@ -126,8 +126,11 @@ public class ServerDelegate extends ConnectionDelegate
 
     protected void connectionAuthFailed(final Connection conn, Exception e)
     {
-        conn.exception(e);
-        conn.connectionClose(ConnectionCloseCode.CONNECTION_FORCED, e.getMessage());
+        if (e != null)
+        {
+            conn.exception(e);
+        }
+        conn.connectionClose(ConnectionCloseCode.CONNECTION_FORCED, e == null ? "Authentication failed" : e.getMessage());
     }
 
     protected void connectionAuthContinue(final Connection conn, byte[] challenge)
diff --git a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/io/NonBlockingConnection.java b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/io/NonBlockingConnection.java
index ec0d684506..e47e33f748 100644
--- a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/io/NonBlockingConnection.java
+++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/io/NonBlockingConnection.java
@@ -110,17 +110,8 @@ public class NonBlockingConnection implements NetworkConnection
     {
         if(!_principalChecked)
         {
-            if(_socket.socket() instanceof SSLSocket)
-            {
-                try
-                {
-                    _principal = ((SSLSocket) _socket.socket()).getSession().getPeerPrincipal();
-                }
-                catch(SSLPeerUnverifiedException e)
-                {
-                    _principal = null;
-                }
-            }
+
+            _principal = _nonBlockingSenderReceiver.getPeerPrincipal();
             _principalChecked = true;
         }
 
diff --git a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/io/NonBlockingSenderReceiver.java b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/io/NonBlockingSenderReceiver.java
index bf4719fe02..616390cf70 100644
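Review bot: The new `conn.connectionClose(ConnectionCloseCode.CONNECTION_FORCED, e == null ? "Authentication failed" : e.getMessage())` line still forwards the raw exception text to an unauthenticated peer, so whatever the SASL or backing-store layer put into the message (host names, backend error strings) leaves the broker before any identity has been established. I would send the fixed `"Authentication failed"` text in both branches and keep the detail server-side only, via the `conn.exception(e)` call that the hunk already keeps for the non-null case. When `e` is null nothing at all is recorded on the server, so a one-line log in that branch would help triage of failed logins; I cannot see from the hunk whether `conn.exception` itself logs.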
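Review bot: `_principalChecked = true` is latched after a single call to `_nonBlockingSenderReceiver.getPeerPrincipal()`, and that accessor (added in the same commit) returns null whenever the TLS session has no verified peer yet, so if this getter is reached before the non-blocking handshake has completed the null is cached for the life of the connection and the client-certificate identity is never observed. Only latch once a result is actually available, e.g. `_principal = _nonBlockingSenderReceiver.getPeerPrincipal(); if (_principal != null) { _principalChecked = true; }`, or latch on a handshake-finished signal from the receiver. The enclosing method starts outside the hunk, so I cannot see what callers do with a null principal; if they treat it as "no client certificate", the effect is a silent fall-back to non-certificate authentication, which is worth confirming.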
--- a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/io/NonBlockingSenderReceiver.java
+++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/io/NonBlockingSenderReceiver.java
@@ -24,6 +24,7 @@ import java.nio.ByteBuffer;
 import java.nio.channels.SelectionKey;
 import java.nio.channels.Selector;
 import java.nio.channels.SocketChannel;
+import java.security.Principal;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
@@ -35,6 +36,7 @@ import java.util.concurrent.atomic.AtomicBoolean;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
+import javax.net.ssl.SSLPeerUnverifiedException;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -389,6 +391,38 @@ public class NonBlockingSenderReceiver implements Runnable, Sender<ByteBuffer>
                 runSSLEngineTasks(_status);
             }
         }
+        else
+        {
+            int read = 1;
+            while (!_closed.get() && read > 0)
+            {
+
+                read = _socketChannel.read(_netInputBuffer);
+                LOGGER.debug("Read " + read + " possibly encrypted bytes " + _netInputBuffer);
+
+                if (_netInputBuffer.position() >= 6)
+                {
+                    _netInputBuffer.flip();
+                    final byte[] headerBytes = new byte[6];
+                    ByteBuffer dup = _netInputBuffer.duplicate();
+                    dup.get(headerBytes);
+
+                    _transportEncryption = looksLikeSSL(headerBytes) ? TransportEncryption.TLS : TransportEncryption.NONE;
+                    LOGGER.debug("Identified transport encryption as " + _transportEncryption);
+
+                    if (_transportEncryption == TransportEncryption.NONE)
+                    {
+                        _receiver.received(_netInputBuffer);
+                    }
+                    else
+                    {
+                        _netInputBuffer.compact();
+                        doRead();
+                    }
+                    break;
+                }
+            }
+        }
     }
 
     private void runSSLEngineTasks(final SSLEngineResult status)
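Review bot: In the new `else` branch any first six bytes that do not look like a ClientHello are delivered to `_receiver.received(_netInputBuffer)` as cleartext, and nothing in the branch consults which transports this listener was configured to accept; that is the intended behaviour for a mixed SSL-and-plain port, but if a TLS-only listener can reach this path (I cannot see from the hunk whether the caller gates it), a client that simply omits TLS bypasses encryption. Fail closed here: when the identified transport is `TransportEncryption.NONE` and plain is not among the listener's permitted transports, close `_socketChannel` and return instead of delivering, so the sniffing can never widen what the port accepts. Separately, a peer that sends fewer than six bytes and then idles holds the connection undecided with no deadline, since the loop exits on a zero-length read, and a `read == -1` end-of-stream is not distinguished from "no data yet". The enclosing method starts before this hunk, so the TLS branch it pairs with is not visible to me.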
@@ -403,4 +437,48 @@ public class NonBlockingSenderReceiver implements Runnable, Sender<ByteBuffer>
             }
         }
     }
+
+    private boolean looksLikeSSL(byte[] headerBytes)
+    {
+        return looksLikeSSLv3ClientHello(headerBytes) || looksLikeSSLv2ClientHello(headerBytes);
+    }
+
+    private boolean looksLikeSSLv3ClientHello(byte[] headerBytes)
+    {
+        return headerBytes[0] == 22 && // SSL Handshake
+               (headerBytes[1] == 3 && // SSL 3.0 / TLS 1.x
+                (headerBytes[2] == 0 || // SSL 3.0
+                 headerBytes[2] == 1 || // TLS 1.0
+                 headerBytes[2] == 2 || // TLS 1.1
+                 headerBytes[2] == 3)) && // TLS1.2
+               (headerBytes[5] == 1); // client_hello
+    }
+
+    private boolean looksLikeSSLv2ClientHello(byte[] headerBytes)
+    {
+        return headerBytes[0] == -128 &&
+               headerBytes[3] == 3 && // SSL 3.0 / TLS 1.x
+               (headerBytes[4] == 0 || // SSL 3.0
+                headerBytes[4] == 1 || // TLS 1.0
+                headerBytes[4] == 2 || // TLS 1.1
+                headerBytes[4] == 3);
+    }
+
+    public Principal getPeerPrincipal()
+    {
+
+        if (_sslEngine != null)
+        {
+            try
+            {
+                return _sslEngine.getSession().getPeerPrincipal();
+            }
+            catch (SSLPeerUnverifiedException e)
+            {
+                return null;
+            }
+        }
+
+        return null;
+    }
 }
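Review bot: `looksLikeSSLv3ClientHello` only accepts record-layer minor versions 0 to 3, so a ClientHello carrying any other minor version is classified as plaintext and handed to the AMQP receiver rather than refused, which is the wrong direction to fail for a transport-security decision; since `_sslEngine` will itself reject versions it does not support, matching on record type, major version and handshake type is enough: `return headerBytes[0] == 22 && headerBytes[1] == 3 && headerBytes[5] == 1;`. `looksLikeSSLv2ClientHello` likewise never checks the SSLv2 message-type byte (`headerBytes[2] == 1`) that the v3 variant does check. `getPeerPrincipal` returns null both when the transport is plaintext and when the TLS peer is not (or not yet) verified, and callers cannot tell the two apart, so it needs a Javadoc along the lines of `/** Identity from the TLS session, or null if the transport is plaintext or no verified peer certificate is available yet; do not cache a null before the handshake completes. */`.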
