Support TLS hostname verification with HostnameVerifier

This is a solution for Java 6. For Java 7 and more, setting the server
validation algorithm on the SSLParameters is more appropriate.

This commit tries to make the activation of hostname verification as
simpler as possible for the developer. The client detects it's running
on Java 6 and sets up the hostname verifier from the Commons
HttpClient project (it's still possible to provide a customer
HostnameVerifier). The client uses the SSLParameters solution if
possible.

References #394

Author: acogoluegnes

pom.xml

@@ -58,11 +58,13 @@
     <metrics.version>3.2.6</metrics.version>
     <micrometer.version>1.0.2</micrometer.version>
     <jackson.version>2.9.6</jackson.version>
+    <httpclient.version>4.5.6</httpclient.version>
     <logback.version>1.2.3</logback.version>
     <commons-cli.version>1.1</commons-cli.version>
     <junit.version>4.12</junit.version>
     <awaitility.version>3.1.0</awaitility.version>
     <mockito.version>2.16.0</mockito.version>
+    <bouncycastle.version>1.60</bouncycastle.version>
 
     <maven.javadoc.plugin.version>3.0.0</maven.javadoc.plugin.version>
     <maven.release.plugin.version>2.5.3</maven.release.plugin.version>
@@ -647,6 +649,12 @@
       <version>${jackson.version}</version>
       <optional>true</optional>
     </dependency>
+    <dependency>
+      <groupId>org.apache.httpcomponents</groupId>
+      <artifactId>httpclient</artifactId>
+      <version>${httpclient.version}</version>
+      <optional>true</optional>
+    </dependency>
     <dependency>
       <groupId>commons-cli</groupId>
       <artifactId>commons-cli</artifactId>
@@ -683,6 +691,12 @@
       <version>1.3</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpkix-jdk15on</artifactId>
+      <version>${bouncycastle.version}</version>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <build>

src/main/java/com/rabbitmq/client/ConnectionContext.java

@@ -0,0 +1,74 @@
+// Copyright (c) 2018 Pivotal Software, Inc.  All rights reserved.
+//
+// This software, the RabbitMQ Java client library, is triple-licensed under the
+// Mozilla Public License 1.1 ("MPL"), the GNU General Public License version 2
+// ("GPL") and the Apache License version 2 ("ASL"). For the MPL, please see
+// LICENSE-MPL-RabbitMQ. For the GPL, please see LICENSE-GPL2.  For the ASL,
+// please see LICENSE-APACHE2.
+//
+// This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND,
+// either express or implied. See the LICENSE file for specific language governing
+// rights and limitations of this software.
+//
+// If you have any questions regarding licensing, please contact us at
+// info@rabbitmq.com.
+
+package com.rabbitmq.client;
+
+import javax.net.ssl.SSLSession;
+import java.net.Socket;
+
+/**
+ * The context of the freshly open TCP connection.
+ *
+ * @see ConnectionPostProcessor
+ * @since 4.8.0
+ */
+public class ConnectionContext {
+
+    private final Socket socket;
+    private final Address address;
+    private final boolean ssl;
+    private final SSLSession sslSession;
+
+    public ConnectionContext(Socket socket, Address address, boolean ssl, SSLSession sslSession) {
+        this.socket = socket;
+        this.address = address;
+        this.ssl = ssl;
+        this.sslSession = sslSession;
+    }
+
+    /**
+     * The network socket. Can be an {@link javax.net.ssl.SSLSocket}.
+     *
+     * @return
+     */
+    public Socket getSocket() {
+        return socket;
+    }
+
+    /**
+     * The address (hostname and port) used for connecting.
+     *
+     * @return
+     */
+    public Address getAddress() {
+        return address;
+    }
+
+    /**
+     * Whether this is a SSL/TLS connection.
+     * @return
+     */
+    public boolean isSsl() {
+        return ssl;
+    }
+
+    /**
+     * The {@link SSLSession} for a TLS connection, <code>null</code> otherwise.
+     * @return
+     */
+    public SSLSession getSslSession() {
+        return sslSession;
+    }
+}

src/main/java/com/rabbitmq/client/ConnectionFactory.java

@@ -29,8 +29,10 @@
 import com.rabbitmq.client.impl.recovery.AutorecoveringConnection;
 import com.rabbitmq.client.impl.recovery.RetryHandler;
 import com.rabbitmq.client.impl.recovery.TopologyRecoveryFilter;
+import org.apache.http.conn.ssl.DefaultHostnameVerifier;
 
 import javax.net.SocketFactory;
+import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManager;
@@ -188,6 +190,19 @@ public class ConnectionFactory implements Cloneable {
      */
     private RetryHandler topologyRecoveryRetryHandler;
 
+    /**
+     * Hook to post-process the freshly open TCP connection.
+     *
+     * @since 4.8.0
+     */
+    private ConnectionPostProcessor connectionPostProcessor = new ConnectionPostProcessor() {
+
+        @Override
+        public void postProcess(ConnectionContext context) {
+
+        }
+    };
+
     /** @return the default host to use for connections */
     public String getHost() {
         return host;
@@ -679,12 +694,19 @@ public void useSslProtocol(String protocol)
      * Pass in the TLS protocol version to use, e.g. "TLSv1.2" or "TLSv1.1", and
      * a desired {@link TrustManager}.
      *
+     * Note <strong>you must explicitly enable hostname verification</strong> with the
+     * {@link ConnectionFactory#enableHostnameVerification()} or the
+     * {@link ConnectionFactory#enableHostnameVerification(HostnameVerifier)}
+     * method.
+     *
      *
      * The produced {@link SSLContext} instance will be shared with all
      * the connections created by this connection factory.
      * @param protocol the TLS protocol to use.
      * @param trustManager the {@link TrustManager} implementation to use.
      * @see #useSslProtocol(SSLContext)
+     * @see #enableHostnameVerification()
+     * @see #enableHostnameVerification(HostnameVerifier)
      */
     public void useSslProtocol(String protocol, TrustManager trustManager)
         throws NoSuchAlgorithmException, KeyManagementException
@@ -699,9 +721,16 @@ public void useSslProtocol(String protocol, TrustManager trustManager)
      * for setting up the context with a {@link TrustManager} with suitable security guarantees,
      * e.g. peer verification.
      *
+     * Note <strong>you must explicitly enable hostname verification</strong> with the
+     * {@link ConnectionFactory#enableHostnameVerification()} or the
+     * {@link ConnectionFactory#enableHostnameVerification(HostnameVerifier)}
+     * method.
+     *
      * The {@link SSLContext} instance will be shared with all
      * the connections created by this connection factory.
      * @param context An initialized SSLContext
+     * @see #enableHostnameVerification()
+     * @see #enableHostnameVerification(HostnameVerifier)
      */
     public void useSslProtocol(SSLContext context) {
         setSocketFactory(context.getSocketFactory());
@@ -716,6 +745,15 @@ public void useSslProtocol(SSLContext context) {
      * <p>
      * This can be called typically after setting the {@link SSLContext}
      * with one of the <code>useSslProtocol</code> methods.
+     * <p>
+     * If <strong>using Java 7 or more</strong>, the hostname verification will be
+     * performed by Java, as part of the TLS handshake.
+     * <p>
+     * If <strong>using Java 6</strong>, the hostname verification will be handled after
+     * the TLS handshake, using the {@link HostnameVerifier} from the
+     * Commons HttpClient project. This requires to add Commons HttpClient
+     * and its dependencies to the classpath. To use a custom {@link HostnameVerifier},
+     * use {@link ConnectionFactory#enableHostnameVerification(HostnameVerifier)}.
      *
      * @see NioParams#enableHostnameVerification()
      * @see NioParams#setSslEngineConfigurator(SslEngineConfigurator)
@@ -725,10 +763,43 @@ public void useSslProtocol(SSLContext context) {
      * @see ConnectionFactory#useSslProtocol(SSLContext)
      * @see ConnectionFactory#useSslProtocol()
      * @see ConnectionFactory#useSslProtocol(String, TrustManager)
+     * @see ConnectionFactory#enableHostnameVerification(HostnameVerifier)
+     * @since 4.8.0
      */
     public void enableHostnameVerification() {
-        enableHostnameVerificationForNio();
-        enableHostnameVerificationForBlockingIo();
+        if (isJava6()) {
+            enableHostnameVerification(new DefaultHostnameVerifier());
+        } else {
+            enableHostnameVerificationForNio();
+            enableHostnameVerificationForBlockingIo();
+        }
+    }
+
+    /**
+     * Enable TLS hostname verification performed by the passed-in {@link HostnameVerifier}.
+     * <p>
+     * Using an {@link HostnameVerifier} is relevant only for Java 6, for Java 7 or more,
+     * calling ConnectionFactory{@link #enableHostnameVerification()} is enough.
+     *
+     * @param hostnameVerifier
+     * @since 4.8.0
+     * @see ConnectionFactory#enableHostnameVerification()
+     */
+    public void enableHostnameVerification(HostnameVerifier hostnameVerifier) {
+        if (this.connectionPostProcessor == null) {
+            this.connectionPostProcessor = ConnectionPostProcessors.builder()
+                .enableHostnameVerification(hostnameVerifier)
+                .build();
+        } else {
+            this.connectionPostProcessor = ConnectionPostProcessors.builder()
+                .add(this.connectionPostProcessor)
+                .enableHostnameVerification(hostnameVerifier)
+                .build();
+        }
+    }
+
+    protected boolean isJava6() {
+        return System.getProperty("java.specification.version").startsWith("1.6");
     }
 
     protected void enableHostnameVerificationForNio() {
@@ -835,11 +906,11 @@ protected synchronized FrameHandlerFactory createFrameHandlerFactory() throws IO
                 if(this.nioParams.getNioExecutor() == null && this.nioParams.getThreadFactory() == null) {
                     this.nioParams.setThreadFactory(getThreadFactory());
                 }
-                this.frameHandlerFactory = new SocketChannelFrameHandlerFactory(connectionTimeout, nioParams, isSSL(), sslContext);
+                this.frameHandlerFactory = new SocketChannelFrameHandlerFactory(connectionTimeout, nioParams, isSSL(), sslContext, connectionPostProcessor);
             }
             return this.frameHandlerFactory;
         } else {
-            return new SocketFrameHandlerFactory(connectionTimeout, factory, socketConf, isSSL(), this.shutdownExecutor);
+            return new SocketFrameHandlerFactory(connectionTimeout, factory, socketConf, isSSL(), this.shutdownExecutor, connectionPostProcessor);
         }
 
     }
@@ -1483,4 +1554,15 @@ public void setTopologyRecoveryFilter(TopologyRecoveryFilter topologyRecoveryFil
     public void setTopologyRecoveryRetryHandler(RetryHandler topologyRecoveryRetryHandler) {
         this.topologyRecoveryRetryHandler = topologyRecoveryRetryHandler;
     }
+
+    /**
+     * Hook to post-process the freshly open TCP connection.
+     *
+     * @param connectionPostProcessor
+     * @see #enableHostnameVerification()
+     * @see #enableHostnameVerification(HostnameVerifier)
+     */
+    public void setConnectionPostProcessor(ConnectionPostProcessor connectionPostProcessor) {
+        this.connectionPostProcessor = connectionPostProcessor;
+    }
 }

src/main/java/com/rabbitmq/client/ConnectionPostProcessor.java

@@ -0,0 +1,36 @@
+// Copyright (c) 2018 Pivotal Software, Inc.  All rights reserved.
+//
+// This software, the RabbitMQ Java client library, is triple-licensed under the
+// Mozilla Public License 1.1 ("MPL"), the GNU General Public License version 2
+// ("GPL") and the Apache License version 2 ("ASL"). For the MPL, please see
+// LICENSE-MPL-RabbitMQ. For the GPL, please see LICENSE-GPL2.  For the ASL,
+// please see LICENSE-APACHE2.
+//
+// This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND,
+// either express or implied. See the LICENSE file for specific language governing
+// rights and limitations of this software.
+//
+// If you have any questions regarding licensing, please contact us at
+// info@rabbitmq.com.
+
+package com.rabbitmq.client;
+
+import java.io.IOException;
+
+/**
+ * Hook to add processing on the open TCP connection.
+ * <p>
+ * Used e.g. to add hostname verification on TLS connection.
+ *
+ * @since 4.8.0
+ */
+public interface ConnectionPostProcessor {
+
+    /**
+     * Post-process the open TCP connection.
+     *
+     * @param context some TCP connection context (e.g. socket)
+     * @throws IOException
+     */
+    void postProcess(ConnectionContext context) throws IOException;
+}