/* Test various SSL connections between proactors*/ static void test_ssl(test_t *t) { if (!pn_ssl_present()) { TEST_LOGF(t, "Skip SSL test, no support"); return; } test_proactor_t tps[] ={ test_proactor(t, ssl_client_handler), test_proactor(t, ssl_server_handler) }; test_proactor_t *client = &tps[0], *server = &tps[1]; pn_ssl_domain_t *cd = client->handler.ssl_domain = pn_ssl_domain(PN_SSL_MODE_CLIENT); pn_ssl_domain_t *sd = server->handler.ssl_domain = pn_ssl_domain(PN_SSL_MODE_SERVER); TEST_CHECK(t, 0 == SET_CREDENTIALS(sd, "tserver")); pn_listener_t *l = test_listen(server, ""); /* Basic SSL connection */ pn_proactor_connect2(client->proactor, NULL, NULL, listener_info(l).connect); /* Open ok at both ends */ TEST_ETYPE_EQUAL(t, PN_CONNECTION_REMOTE_OPEN, TEST_PROACTORS_RUN(tps)); TEST_COND_EMPTY(t, last_condition); TEST_ETYPE_EQUAL(t, PN_CONNECTION_REMOTE_OPEN, TEST_PROACTORS_RUN(tps)); TEST_COND_EMPTY(t, last_condition); TEST_PROACTORS_RUN_UNTIL(tps, PN_TRANSPORT_CLOSED); TEST_PROACTORS_RUN_UNTIL(tps, PN_TRANSPORT_CLOSED); /* Verify peer with good hostname */ TEST_INT_EQUAL(t, 0, pn_ssl_domain_set_trusted_ca_db(cd, CERTIFICATE("tserver"))); TEST_INT_EQUAL(t, 0, pn_ssl_domain_set_peer_authentication(cd, PN_SSL_VERIFY_PEER_NAME, NULL)); pn_connection_t *c = pn_connection(); pn_connection_set_hostname(c, "test_server"); pn_proactor_connect2(client->proactor, c, NULL, listener_info(l).connect); TEST_ETYPE_EQUAL(t, PN_CONNECTION_REMOTE_OPEN, TEST_PROACTORS_RUN(tps)); TEST_COND_EMPTY(t, last_condition); TEST_ETYPE_EQUAL(t, PN_CONNECTION_REMOTE_OPEN, TEST_PROACTORS_RUN(tps)); TEST_COND_EMPTY(t, last_condition); TEST_PROACTORS_RUN_UNTIL(tps, PN_TRANSPORT_CLOSED); TEST_PROACTORS_RUN_UNTIL(tps, PN_TRANSPORT_CLOSED); /* Verify peer with bad hostname */ c = pn_connection(); pn_connection_set_hostname(c, "wrongname"); pn_proactor_connect2(client->proactor, c, NULL, listener_info(l).connect); TEST_ETYPE_EQUAL(t, PN_TRANSPORT_CLOSED, TEST_PROACTORS_RUN(tps)); TEST_COND_NAME(t, "amqp:connection:framing-error", last_condition); TEST_COND_DESC(t, "SSL", last_condition); TEST_PROACTORS_DRAIN(tps); pn_ssl_domain_free(cd); pn_ssl_domain_free(sd); TEST_PROACTORS_DESTROY(tps); }
static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *config, qd_entity_t* entity, bool is_listener) { qd_error_clear(); bool authenticatePeer = qd_entity_opt_bool(entity, "authenticatePeer", false); CHECK(); bool verifyHostName = qd_entity_opt_bool(entity, "verifyHostName", true); CHECK(); bool requireEncryption = qd_entity_opt_bool(entity, "requireEncryption", false); CHECK(); bool requireSsl = qd_entity_opt_bool(entity, "requireSsl", false); CHECK(); memset(config, 0, sizeof(*config)); config->log_message = qd_entity_opt_string(entity, "logMessage", 0); CHECK(); config->log_bits = populate_log_message(config); config->port = qd_entity_get_string(entity, "port"); CHECK(); config->name = qd_entity_opt_string(entity, "name", 0); CHECK(); config->role = qd_entity_get_string(entity, "role"); CHECK(); config->inter_router_cost = qd_entity_opt_long(entity, "cost", 1); CHECK(); config->protocol_family = qd_entity_opt_string(entity, "protocolFamily", 0); CHECK(); config->http = qd_entity_opt_bool(entity, "http", false); CHECK(); config->http_root = qd_entity_opt_string(entity, "httpRoot", false); CHECK(); config->http = config->http || config->http_root; /* httpRoot implies http */ config->max_frame_size = qd_entity_get_long(entity, "maxFrameSize"); CHECK(); config->max_sessions = qd_entity_get_long(entity, "maxSessions"); CHECK(); uint64_t ssn_frames = qd_entity_opt_long(entity, "maxSessionFrames", 0); CHECK(); config->idle_timeout_seconds = qd_entity_get_long(entity, "idleTimeoutSeconds"); CHECK(); if (is_listener) { config->initial_handshake_timeout_seconds = qd_entity_get_long(entity, "initialHandshakeTimeoutSeconds"); CHECK(); } config->sasl_username = qd_entity_opt_string(entity, "saslUsername", 0); CHECK(); config->sasl_password = qd_entity_opt_string(entity, "saslPassword", 0); CHECK(); config->sasl_mechanisms = qd_entity_opt_string(entity, "saslMechanisms", 0); CHECK(); config->ssl_profile = qd_entity_opt_string(entity, "sslProfile", 0); CHECK(); config->sasl_plugin = qd_entity_opt_string(entity, "saslPlugin", 0); CHECK(); config->link_capacity = qd_entity_opt_long(entity, "linkCapacity", 0); CHECK(); config->multi_tenant = qd_entity_opt_bool(entity, "multiTenant", false); CHECK(); set_config_host(config, entity); // // Handle the defaults for various settings // if (config->link_capacity == 0) config->link_capacity = 250; if (config->max_sessions == 0 || config->max_sessions > 32768) // Proton disallows > 32768 config->max_sessions = 32768; if (config->max_frame_size < QD_AMQP_MIN_MAX_FRAME_SIZE) // Silently promote the minimum max-frame-size // Proton will do this but the number is needed for the // incoming capacity calculation. config->max_frame_size = QD_AMQP_MIN_MAX_FRAME_SIZE; // // Given session frame count and max frame size compute session incoming_capacity // if (ssn_frames == 0) config->incoming_capacity = (sizeof(size_t) < 8) ? 0x7FFFFFFFLL : 0x7FFFFFFFLL * config->max_frame_size; else { uint64_t mfs = (uint64_t) config->max_frame_size; uint64_t trial_ic = ssn_frames * mfs; uint64_t limit = (sizeof(size_t) < 8) ? (1ll << 31) - 1 : 0; if (limit == 0 || trial_ic < limit) { // Silently promote incoming capacity of zero to one config->incoming_capacity = (trial_ic < QD_AMQP_MIN_MAX_FRAME_SIZE ? QD_AMQP_MIN_MAX_FRAME_SIZE : trial_ic); } else { config->incoming_capacity = limit; uint64_t computed_ssn_frames = limit / mfs; qd_log(qd->connection_manager->log_source, QD_LOG_WARNING, "Server configuation for I/O adapter entity name:'%s', host:'%s', port:'%s', " "requested maxSessionFrames truncated from %"PRId64" to %"PRId64, config->name, config->host, config->port, ssn_frames, computed_ssn_frames); } } // // For now we are hardwiring this attribute to true. If there's an outcry from the // user community, we can revisit this later. // config->allowInsecureAuthentication = true; config->verify_host_name = verifyHostName; char *stripAnnotations = qd_entity_opt_string(entity, "stripAnnotations", 0); load_strip_annotations(config, stripAnnotations); free(stripAnnotations); stripAnnotations = 0; CHECK(); config->requireAuthentication = authenticatePeer; config->requireEncryption = requireEncryption || requireSsl; if (config->ssl_profile) { config->ssl_required = requireSsl; config->ssl_require_peer_authentication = config->sasl_mechanisms && strstr(config->sasl_mechanisms, "EXTERNAL") != 0; qd_config_ssl_profile_t *ssl_profile = qd_find_ssl_profile(qd->connection_manager, config->ssl_profile); if (ssl_profile) { config->ssl_certificate_file = SSTRDUP(ssl_profile->ssl_certificate_file); config->ssl_private_key_file = SSTRDUP(ssl_profile->ssl_private_key_file); config->ciphers = SSTRDUP(ssl_profile->ciphers); config->ssl_password = SSTRDUP(ssl_profile->ssl_password); config->ssl_trusted_certificate_db = SSTRDUP(ssl_profile->ssl_trusted_certificate_db); config->ssl_trusted_certificates = SSTRDUP(ssl_profile->ssl_trusted_certificates); config->ssl_uid_format = SSTRDUP(ssl_profile->ssl_uid_format); config->ssl_display_name_file = SSTRDUP(ssl_profile->ssl_display_name_file); } } if (config->sasl_plugin) { qd_config_sasl_plugin_t *sasl_plugin = qd_find_sasl_plugin(qd->connection_manager, config->sasl_plugin); if (sasl_plugin) { config->auth_service = SSTRDUP(sasl_plugin->auth_service); config->sasl_init_hostname = SSTRDUP(sasl_plugin->sasl_init_hostname); qd_log(qd->connection_manager->log_source, QD_LOG_INFO, "Using auth service %s from SASL Plugin %s", config->auth_service, config->sasl_plugin); if (sasl_plugin->auth_ssl_profile) { qd_config_ssl_profile_t *auth_ssl_profile = qd_find_ssl_profile(qd->connection_manager, sasl_plugin->auth_ssl_profile); config->auth_ssl_conf = pn_ssl_domain(PN_SSL_MODE_CLIENT); if (auth_ssl_profile->ssl_certificate_file) { if (pn_ssl_domain_set_credentials(config->auth_ssl_conf, auth_ssl_profile->ssl_certificate_file, auth_ssl_profile->ssl_private_key_file, auth_ssl_profile->ssl_password)) { qd_error(QD_ERROR_RUNTIME, "Cannot set SSL credentials for authentication service"); CHECK(); } } if (auth_ssl_profile->ssl_trusted_certificate_db) { if (pn_ssl_domain_set_trusted_ca_db(config->auth_ssl_conf, auth_ssl_profile->ssl_trusted_certificate_db)) { qd_error(QD_ERROR_RUNTIME, "Cannot set trusted SSL certificate db for authentication service" ); CHECK(); } else { if (pn_ssl_domain_set_peer_authentication(config->auth_ssl_conf, PN_SSL_VERIFY_PEER, auth_ssl_profile->ssl_trusted_certificate_db)) { qd_error(QD_ERROR_RUNTIME, "Cannot set SSL peer verification for authentication service"); CHECK(); } } } if (auth_ssl_profile->ciphers) { if (pn_ssl_domain_set_ciphers(config->auth_ssl_conf, auth_ssl_profile->ciphers)) { return qd_error(QD_ERROR_RUNTIME, "Cannot set ciphers. The ciphers string might be invalid. Use openssl ciphers -v <ciphers> to validate"); } } } } else { qd_error(QD_ERROR_RUNTIME, "Cannot find sasl plugin %s", config->sasl_plugin); CHECK(); } } return QD_ERROR_NONE; error: qd_server_config_free(config); return qd_error_code(); }