Merge pull request #399 from rabbitmq/rabbitmq-java-client-394-tls-hostname-verification-4.x.x

Backport hostname verification to 4.x.x

Author: michaelklishin

pom.xml

@@ -58,11 +58,13 @@
     <metrics.version>3.2.6</metrics.version>
     <micrometer.version>1.0.2</micrometer.version>
     <jackson.version>2.9.6</jackson.version>
+    <httpclient.version>4.5.6</httpclient.version>
     <logback.version>1.2.3</logback.version>
     <commons-cli.version>1.1</commons-cli.version>
     <junit.version>4.12</junit.version>
     <awaitility.version>3.1.0</awaitility.version>
     <mockito.version>2.16.0</mockito.version>
+    <bouncycastle.version>1.60</bouncycastle.version>
 
     <maven.javadoc.plugin.version>3.0.0</maven.javadoc.plugin.version>
     <maven.release.plugin.version>2.5.3</maven.release.plugin.version>
@@ -647,6 +649,12 @@
       <version>${jackson.version}</version>
       <optional>true</optional>
     </dependency>
+    <dependency>
+      <groupId>org.apache.httpcomponents</groupId>
+      <artifactId>httpclient</artifactId>
+      <version>${httpclient.version}</version>
+      <optional>true</optional>
+    </dependency>
     <dependency>
       <groupId>commons-cli</groupId>
       <artifactId>commons-cli</artifactId>
@@ -683,6 +691,12 @@
       <version>1.3</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpkix-jdk15on</artifactId>
+      <version>${bouncycastle.version}</version>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <build>

src/main/java/com/rabbitmq/client/ConnectionContext.java

@@ -0,0 +1,74 @@
+// Copyright (c) 2018 Pivotal Software, Inc.  All rights reserved.
+//
+// This software, the RabbitMQ Java client library, is triple-licensed under the
+// Mozilla Public License 1.1 ("MPL"), the GNU General Public License version 2
+// ("GPL") and the Apache License version 2 ("ASL"). For the MPL, please see
+// LICENSE-MPL-RabbitMQ. For the GPL, please see LICENSE-GPL2.  For the ASL,
+// please see LICENSE-APACHE2.
+//
+// This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND,
+// either express or implied. See the LICENSE file for specific language governing
+// rights and limitations of this software.
+//
+// If you have any questions regarding licensing, please contact us at
+// [email protected].
+
+package com.rabbitmq.client;
+
+import javax.net.ssl.SSLSession;
+import java.net.Socket;
+
+/**
+ * The context of the freshly open TCP connection.
+ *
+ * @see ConnectionPostProcessor
+ * @since 4.8.0
+ */
+public class ConnectionContext {
+
+    private final Socket socket;
+    private final Address address;
+    private final boolean ssl;
+    private final SSLSession sslSession;
+
+    public ConnectionContext(Socket socket, Address address, boolean ssl, SSLSession sslSession) {
+        this.socket = socket;
+        this.address = address;
+        this.ssl = ssl;
+        this.sslSession = sslSession;
+    }
+
+    /**
+     * The network socket. Can be an {@link javax.net.ssl.SSLSocket}.
+     *
+     * @return
+     */
+    public Socket getSocket() {
+        return socket;
+    }
+
+    /**
+     * The address (hostname and port) used for connecting.
+     *
+     * @return
+     */
+    public Address getAddress() {
+        return address;
+    }
+
+    /**
+     * Whether this is a SSL/TLS connection.
+     * @return
+     */
+    public boolean isSsl() {
+        return ssl;
+    }
+
+    /**
+     * The {@link SSLSession} for a TLS connection, <code>null</code> otherwise.
+     * @return
+     */
+    public SSLSession getSslSession() {
+        return sslSession;
+    }
+}

src/main/java/com/rabbitmq/client/ConnectionFactory.java

@@ -15,8 +15,6 @@
 
 package com.rabbitmq.client;
 
-import static java.util.concurrent.TimeUnit.*;
-
 import com.rabbitmq.client.impl.AMQConnection;
 import com.rabbitmq.client.impl.ConnectionParams;
 import com.rabbitmq.client.impl.CredentialsProvider;
@@ -31,7 +29,13 @@
 import com.rabbitmq.client.impl.recovery.AutorecoveringConnection;
 import com.rabbitmq.client.impl.recovery.RetryHandler;
 import com.rabbitmq.client.impl.recovery.TopologyRecoveryFilter;
+import org.apache.http.conn.ssl.DefaultHostnameVerifier;
 
+import javax.net.SocketFactory;
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -49,10 +53,8 @@
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.ThreadFactory;
 import java.util.concurrent.TimeoutException;
-import javax.net.SocketFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.TrustManager;
+
+import static java.util.concurrent.TimeUnit.MINUTES;
 
 /**
  * Convenience "factory" class to facilitate opening a {@link Connection} to an AMQP broker.
@@ -126,7 +128,7 @@ public class ConnectionFactory implements Cloneable {
     // connections uses, see rabbitmq/rabbitmq-java-client#86
     private ExecutorService shutdownExecutor;
     private ScheduledExecutorService heartbeatExecutor;
-    private SocketConfigurator socketConf           = new DefaultSocketConfigurator();
+    private SocketConfigurator socketConf           = SocketConfigurators.defaultConfigurator();
     private ExceptionHandler exceptionHandler       = new DefaultExceptionHandler();
     private CredentialsProvider credentialsProvider = new DefaultCredentialsProvider(DEFAULT_USER, DEFAULT_PASS);
 
@@ -188,6 +190,19 @@ public class ConnectionFactory implements Cloneable {
      */
     private RetryHandler topologyRecoveryRetryHandler;
 
+    /**
+     * Hook to post-process the freshly open TCP connection.
+     *
+     * @since 4.8.0
+     */
+    private ConnectionPostProcessor connectionPostProcessor = new ConnectionPostProcessor() {
+
+        @Override
+        public void postProcess(ConnectionContext context) {
+
+        }
+    };
+
     /** @return the default host to use for connections */
     public String getHost() {
         return host;
@@ -679,12 +694,19 @@ public void useSslProtocol(String protocol)
      * Pass in the TLS protocol version to use, e.g. "TLSv1.2" or "TLSv1.1", and
      * a desired {@link TrustManager}.
      *
+     * Note <strong>you must explicitly enable hostname verification</strong> with the
+     * {@link ConnectionFactory#enableHostnameVerification()} or the
+     * {@link ConnectionFactory#enableHostnameVerification(HostnameVerifier)}
+     * method.
+     *
      *
      * The produced {@link SSLContext} instance will be shared with all
      * the connections created by this connection factory.
      * @param protocol the TLS protocol to use.
      * @param trustManager the {@link TrustManager} implementation to use.
      * @see #useSslProtocol(SSLContext)
+     * @see #enableHostnameVerification()
+     * @see #enableHostnameVerification(HostnameVerifier)
      */
     public void useSslProtocol(String protocol, TrustManager trustManager)
         throws NoSuchAlgorithmException, KeyManagementException
@@ -699,15 +721,108 @@ public void useSslProtocol(String protocol, TrustManager trustManager)
      * for setting up the context with a {@link TrustManager} with suitable security guarantees,
      * e.g. peer verification.
      *
+     * Note <strong>you must explicitly enable hostname verification</strong> with the
+     * {@link ConnectionFactory#enableHostnameVerification()} or the
+     * {@link ConnectionFactory#enableHostnameVerification(HostnameVerifier)}
+     * method.
+     *
      * The {@link SSLContext} instance will be shared with all
      * the connections created by this connection factory.
      * @param context An initialized SSLContext
+     * @see #enableHostnameVerification()
+     * @see #enableHostnameVerification(HostnameVerifier)
      */
     public void useSslProtocol(SSLContext context) {
         setSocketFactory(context.getSocketFactory());
         this.sslContext = context;
     }
 
+    /**
+     * Enable server hostname verification for TLS connections.
+     * <p>
+     * This enables hostname verification regardless of the IO mode
+     * used (blocking or non-blocking IO).
+     * <p>
+     * This can be called typically after setting the {@link SSLContext}
+     * with one of the <code>useSslProtocol</code> methods.
+     * <p>
+     * If <strong>using Java 7 or more</strong>, the hostname verification will be
+     * performed by Java, as part of the TLS handshake.
+     * <p>
+     * If <strong>using Java 6</strong>, the hostname verification will be handled after
+     * the TLS handshake, using the {@link HostnameVerifier} from the
+     * Commons HttpClient project. This requires to add Commons HttpClient
+     * and its dependencies to the classpath. To use a custom {@link HostnameVerifier},
+     * use {@link ConnectionFactory#enableHostnameVerification(HostnameVerifier)}.
+     *
+     * @see NioParams#enableHostnameVerification()
+     * @see NioParams#setSslEngineConfigurator(SslEngineConfigurator)
+     * @see SslEngineConfigurators#ENABLE_HOSTNAME_VERIFICATION
+     * @see SocketConfigurators#ENABLE_HOSTNAME_VERIFICATION
+     * @see ConnectionFactory#useSslProtocol(String)
+     * @see ConnectionFactory#useSslProtocol(SSLContext)
+     * @see ConnectionFactory#useSslProtocol()
+     * @see ConnectionFactory#useSslProtocol(String, TrustManager)
+     * @see ConnectionFactory#enableHostnameVerification(HostnameVerifier)
+     * @since 4.8.0
+     */
+    public void enableHostnameVerification() {
+        if (isJava6()) {
+            enableHostnameVerification(new DefaultHostnameVerifier());
+        } else {
+            enableHostnameVerificationForNio();
+            enableHostnameVerificationForBlockingIo();
+        }
+    }
+
+    /**
+     * Enable TLS hostname verification performed by the passed-in {@link HostnameVerifier}.
+     * <p>
+     * Using an {@link HostnameVerifier} is relevant only for Java 6, for Java 7 or more,
+     * calling ConnectionFactory{@link #enableHostnameVerification()} is enough.
+     *
+     * @param hostnameVerifier
+     * @since 4.8.0
+     * @see ConnectionFactory#enableHostnameVerification()
+     */
+    public void enableHostnameVerification(HostnameVerifier hostnameVerifier) {
+        if (this.connectionPostProcessor == null) {
+            this.connectionPostProcessor = ConnectionPostProcessors.builder()
+                .enableHostnameVerification(hostnameVerifier)
+                .build();
+        } else {
+            this.connectionPostProcessor = ConnectionPostProcessors.builder()
+                .add(this.connectionPostProcessor)
+                .enableHostnameVerification(hostnameVerifier)
+                .build();
+        }
+    }
+
+    protected boolean isJava6() {
+        return System.getProperty("java.specification.version").startsWith("1.6");
+    }
+
+    protected void enableHostnameVerificationForNio() {
+        if (this.nioParams == null) {
+            this.nioParams = new NioParams();
+        }
+        this.nioParams = this.nioParams.enableHostnameVerification();
+    }
+
+    protected void enableHostnameVerificationForBlockingIo() {
+        if (this.socketConf == null) {
+            this.socketConf = SocketConfigurators.builder()
+                .defaultConfigurator()
+                .enableHostnameVerification()
+                .build();
+        } else {
+            this.socketConf = SocketConfigurators.builder()
+                .add(this.socketConf)
+                .enableHostnameVerification()
+                .build();
+        }
+    }
+
     public static String computeDefaultTlsProcotol(String[] supportedProtocols) {
         if(supportedProtocols != null) {
             for (String supportedProtocol : supportedProtocols) {
@@ -791,11 +906,11 @@ protected synchronized FrameHandlerFactory createFrameHandlerFactory() throws IO
                 if(this.nioParams.getNioExecutor() == null && this.nioParams.getThreadFactory() == null) {
                     this.nioParams.setThreadFactory(getThreadFactory());
                 }
-                this.frameHandlerFactory = new SocketChannelFrameHandlerFactory(connectionTimeout, nioParams, isSSL(), sslContext);
+                this.frameHandlerFactory = new SocketChannelFrameHandlerFactory(connectionTimeout, nioParams, isSSL(), sslContext, connectionPostProcessor);
             }
             return this.frameHandlerFactory;
         } else {
-            return new SocketFrameHandlerFactory(connectionTimeout, factory, socketConf, isSSL(), this.shutdownExecutor);
+            return new SocketFrameHandlerFactory(connectionTimeout, factory, socketConf, isSSL(), this.shutdownExecutor, connectionPostProcessor);
         }
 
     }
@@ -1439,4 +1554,15 @@ public void setTopologyRecoveryFilter(TopologyRecoveryFilter topologyRecoveryFil
     public void setTopologyRecoveryRetryHandler(RetryHandler topologyRecoveryRetryHandler) {
         this.topologyRecoveryRetryHandler = topologyRecoveryRetryHandler;
     }
+
+    /**
+     * Hook to post-process the freshly open TCP connection.
+     *
+     * @param connectionPostProcessor
+     * @see #enableHostnameVerification()
+     * @see #enableHostnameVerification(HostnameVerifier)
+     */
+    public void setConnectionPostProcessor(ConnectionPostProcessor connectionPostProcessor) {
+        this.connectionPostProcessor = connectionPostProcessor;
+    }
 }

src/main/java/com/rabbitmq/client/ConnectionPostProcessor.java

@@ -0,0 +1,36 @@
+// Copyright (c) 2018 Pivotal Software, Inc.  All rights reserved.
+//
+// This software, the RabbitMQ Java client library, is triple-licensed under the
+// Mozilla Public License 1.1 ("MPL"), the GNU General Public License version 2
+// ("GPL") and the Apache License version 2 ("ASL"). For the MPL, please see
+// LICENSE-MPL-RabbitMQ. For the GPL, please see LICENSE-GPL2.  For the ASL,
+// please see LICENSE-APACHE2.
+//
+// This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND,
+// either express or implied. See the LICENSE file for specific language governing
+// rights and limitations of this software.
+//
+// If you have any questions regarding licensing, please contact us at
+// [email protected].
+
+package com.rabbitmq.client;
+
+import java.io.IOException;
+
+/**
+ * Hook to add processing on the open TCP connection.
+ * <p>
+ * Used e.g. to add hostname verification on TLS connection.
+ *
+ * @since 4.8.0
+ */
+public interface ConnectionPostProcessor {
+
+    /**
+     * Post-process the open TCP connection.
+     *
+     * @param context some TCP connection context (e.g. socket)
+     * @throws IOException
+     */
+    void postProcess(ConnectionContext context) throws IOException;
+}