/* Test various SSL connections between proactors*/
static void test_ssl(test_t *t) {
if (!pn_ssl_present()) {
TEST_LOGF(t, "Skip SSL test, no support");
return;
}
test_proactor_t tps[] ={ test_proactor(t, ssl_client_handler), test_proactor(t, ssl_server_handler) };
test_proactor_t *client = &tps[0], *server = &tps[1];
pn_ssl_domain_t *cd = client->handler.ssl_domain = pn_ssl_domain(PN_SSL_MODE_CLIENT);
pn_ssl_domain_t *sd = server->handler.ssl_domain = pn_ssl_domain(PN_SSL_MODE_SERVER);
TEST_CHECK(t, 0 == SET_CREDENTIALS(sd, "tserver"));
pn_listener_t *l = test_listen(server, "");
/* Basic SSL connection */
pn_proactor_connect2(client->proactor, NULL, NULL, listener_info(l).connect);
/* Open ok at both ends */
TEST_ETYPE_EQUAL(t, PN_CONNECTION_REMOTE_OPEN, TEST_PROACTORS_RUN(tps));
TEST_COND_EMPTY(t, last_condition);
TEST_ETYPE_EQUAL(t, PN_CONNECTION_REMOTE_OPEN, TEST_PROACTORS_RUN(tps));
TEST_COND_EMPTY(t, last_condition);
TEST_PROACTORS_RUN_UNTIL(tps, PN_TRANSPORT_CLOSED);
TEST_PROACTORS_RUN_UNTIL(tps, PN_TRANSPORT_CLOSED);
/* Verify peer with good hostname */
TEST_INT_EQUAL(t, 0, pn_ssl_domain_set_trusted_ca_db(cd, CERTIFICATE("tserver")));
TEST_INT_EQUAL(t, 0, pn_ssl_domain_set_peer_authentication(cd, PN_SSL_VERIFY_PEER_NAME, NULL));
pn_connection_t *c = pn_connection();
pn_connection_set_hostname(c, "test_server");
pn_proactor_connect2(client->proactor, c, NULL, listener_info(l).connect);
TEST_ETYPE_EQUAL(t, PN_CONNECTION_REMOTE_OPEN, TEST_PROACTORS_RUN(tps));
TEST_COND_EMPTY(t, last_condition);
TEST_ETYPE_EQUAL(t, PN_CONNECTION_REMOTE_OPEN, TEST_PROACTORS_RUN(tps));
TEST_COND_EMPTY(t, last_condition);
TEST_PROACTORS_RUN_UNTIL(tps, PN_TRANSPORT_CLOSED);
TEST_PROACTORS_RUN_UNTIL(tps, PN_TRANSPORT_CLOSED);
/* Verify peer with bad hostname */
c = pn_connection();
pn_connection_set_hostname(c, "wrongname");
pn_proactor_connect2(client->proactor, c, NULL, listener_info(l).connect);
TEST_ETYPE_EQUAL(t, PN_TRANSPORT_CLOSED, TEST_PROACTORS_RUN(tps));
TEST_COND_NAME(t, "amqp:connection:framing-error", last_condition);
TEST_COND_DESC(t, "SSL", last_condition);
TEST_PROACTORS_DRAIN(tps);
pn_ssl_domain_free(cd);
pn_ssl_domain_free(sd);
TEST_PROACTORS_DESTROY(tps);
}
static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *config, qd_entity_t* entity, bool is_listener)
{
qd_error_clear();
bool authenticatePeer = qd_entity_opt_bool(entity, "authenticatePeer", false); CHECK();
bool verifyHostName = qd_entity_opt_bool(entity, "verifyHostName", true); CHECK();
bool requireEncryption = qd_entity_opt_bool(entity, "requireEncryption", false); CHECK();
bool requireSsl = qd_entity_opt_bool(entity, "requireSsl", false); CHECK();
memset(config, 0, sizeof(*config));
config->log_message = qd_entity_opt_string(entity, "logMessage", 0); CHECK();
config->log_bits = populate_log_message(config);
config->port = qd_entity_get_string(entity, "port"); CHECK();
config->name = qd_entity_opt_string(entity, "name", 0); CHECK();
config->role = qd_entity_get_string(entity, "role"); CHECK();
config->inter_router_cost = qd_entity_opt_long(entity, "cost", 1); CHECK();
config->protocol_family = qd_entity_opt_string(entity, "protocolFamily", 0); CHECK();
config->http = qd_entity_opt_bool(entity, "http", false); CHECK();
config->http_root = qd_entity_opt_string(entity, "httpRoot", false); CHECK();
config->http = config->http || config->http_root; /* httpRoot implies http */
config->max_frame_size = qd_entity_get_long(entity, "maxFrameSize"); CHECK();
config->max_sessions = qd_entity_get_long(entity, "maxSessions"); CHECK();
uint64_t ssn_frames = qd_entity_opt_long(entity, "maxSessionFrames", 0); CHECK();
config->idle_timeout_seconds = qd_entity_get_long(entity, "idleTimeoutSeconds"); CHECK();
if (is_listener) {
config->initial_handshake_timeout_seconds = qd_entity_get_long(entity, "initialHandshakeTimeoutSeconds"); CHECK();
}
config->sasl_username = qd_entity_opt_string(entity, "saslUsername", 0); CHECK();
config->sasl_password = qd_entity_opt_string(entity, "saslPassword", 0); CHECK();
config->sasl_mechanisms = qd_entity_opt_string(entity, "saslMechanisms", 0); CHECK();
config->ssl_profile = qd_entity_opt_string(entity, "sslProfile", 0); CHECK();
config->sasl_plugin = qd_entity_opt_string(entity, "saslPlugin", 0); CHECK();
config->link_capacity = qd_entity_opt_long(entity, "linkCapacity", 0); CHECK();
config->multi_tenant = qd_entity_opt_bool(entity, "multiTenant", false); CHECK();
set_config_host(config, entity);
//
// Handle the defaults for various settings
//
if (config->link_capacity == 0)
config->link_capacity = 250;
if (config->max_sessions == 0 || config->max_sessions > 32768)
// Proton disallows > 32768
config->max_sessions = 32768;
if (config->max_frame_size < QD_AMQP_MIN_MAX_FRAME_SIZE)
// Silently promote the minimum max-frame-size
// Proton will do this but the number is needed for the
// incoming capacity calculation.
config->max_frame_size = QD_AMQP_MIN_MAX_FRAME_SIZE;
//
// Given session frame count and max frame size compute session incoming_capacity
//
if (ssn_frames == 0)
config->incoming_capacity = (sizeof(size_t) < 8) ? 0x7FFFFFFFLL : 0x7FFFFFFFLL * config->max_frame_size;
else {
uint64_t mfs = (uint64_t) config->max_frame_size;
uint64_t trial_ic = ssn_frames * mfs;
uint64_t limit = (sizeof(size_t) < 8) ? (1ll << 31) - 1 : 0;
if (limit == 0 || trial_ic < limit) {
// Silently promote incoming capacity of zero to one
config->incoming_capacity =
(trial_ic < QD_AMQP_MIN_MAX_FRAME_SIZE ? QD_AMQP_MIN_MAX_FRAME_SIZE : trial_ic);
} else {
config->incoming_capacity = limit;
uint64_t computed_ssn_frames = limit / mfs;
qd_log(qd->connection_manager->log_source, QD_LOG_WARNING,
"Server configuation for I/O adapter entity name:'%s', host:'%s', port:'%s', "
"requested maxSessionFrames truncated from %"PRId64" to %"PRId64,
config->name, config->host, config->port, ssn_frames, computed_ssn_frames);
}
}
//
// For now we are hardwiring this attribute to true. If there's an outcry from the
// user community, we can revisit this later.
//
config->allowInsecureAuthentication = true;
config->verify_host_name = verifyHostName;
char *stripAnnotations = qd_entity_opt_string(entity, "stripAnnotations", 0);
load_strip_annotations(config, stripAnnotations);
free(stripAnnotations);
stripAnnotations = 0;
CHECK();
config->requireAuthentication = authenticatePeer;
config->requireEncryption = requireEncryption || requireSsl;
if (config->ssl_profile) {
config->ssl_required = requireSsl;
config->ssl_require_peer_authentication = config->sasl_mechanisms &&
strstr(config->sasl_mechanisms, "EXTERNAL") != 0;
qd_config_ssl_profile_t *ssl_profile =
qd_find_ssl_profile(qd->connection_manager, config->ssl_profile);
if (ssl_profile) {
config->ssl_certificate_file = SSTRDUP(ssl_profile->ssl_certificate_file);
config->ssl_private_key_file = SSTRDUP(ssl_profile->ssl_private_key_file);
config->ciphers = SSTRDUP(ssl_profile->ciphers);
config->ssl_password = SSTRDUP(ssl_profile->ssl_password);
config->ssl_trusted_certificate_db = SSTRDUP(ssl_profile->ssl_trusted_certificate_db);
config->ssl_trusted_certificates = SSTRDUP(ssl_profile->ssl_trusted_certificates);
config->ssl_uid_format = SSTRDUP(ssl_profile->ssl_uid_format);
config->ssl_display_name_file = SSTRDUP(ssl_profile->ssl_display_name_file);
}
}
if (config->sasl_plugin) {
qd_config_sasl_plugin_t *sasl_plugin =
qd_find_sasl_plugin(qd->connection_manager, config->sasl_plugin);
if (sasl_plugin) {
config->auth_service = SSTRDUP(sasl_plugin->auth_service);
config->sasl_init_hostname = SSTRDUP(sasl_plugin->sasl_init_hostname);
qd_log(qd->connection_manager->log_source, QD_LOG_INFO, "Using auth service %s from SASL Plugin %s", config->auth_service, config->sasl_plugin);
if (sasl_plugin->auth_ssl_profile) {
qd_config_ssl_profile_t *auth_ssl_profile =
qd_find_ssl_profile(qd->connection_manager, sasl_plugin->auth_ssl_profile);
config->auth_ssl_conf = pn_ssl_domain(PN_SSL_MODE_CLIENT);
if (auth_ssl_profile->ssl_certificate_file) {
if (pn_ssl_domain_set_credentials(config->auth_ssl_conf,
auth_ssl_profile->ssl_certificate_file,
auth_ssl_profile->ssl_private_key_file,
auth_ssl_profile->ssl_password)) {
qd_error(QD_ERROR_RUNTIME, "Cannot set SSL credentials for authentication service"); CHECK();
}
}
if (auth_ssl_profile->ssl_trusted_certificate_db) {
if (pn_ssl_domain_set_trusted_ca_db(config->auth_ssl_conf, auth_ssl_profile->ssl_trusted_certificate_db)) {
qd_error(QD_ERROR_RUNTIME, "Cannot set trusted SSL certificate db for authentication service" ); CHECK();
} else {
if (pn_ssl_domain_set_peer_authentication(config->auth_ssl_conf, PN_SSL_VERIFY_PEER, auth_ssl_profile->ssl_trusted_certificate_db)) {
qd_error(QD_ERROR_RUNTIME, "Cannot set SSL peer verification for authentication service"); CHECK();
}
}
}
if (auth_ssl_profile->ciphers) {
if (pn_ssl_domain_set_ciphers(config->auth_ssl_conf, auth_ssl_profile->ciphers)) {
return qd_error(QD_ERROR_RUNTIME, "Cannot set ciphers. The ciphers string might be invalid. Use openssl ciphers -v <ciphers> to validate");
}
}
}
} else {
qd_error(QD_ERROR_RUNTIME, "Cannot find sasl plugin %s", config->sasl_plugin); CHECK();
}
}
return QD_ERROR_NONE;
error:
qd_server_config_free(config);
return qd_error_code();
}
