diff --git a/src/main/asciidoc/dataobjects.adoc b/src/main/asciidoc/dataobjects.adoc index c7f78632553..dc5f5327dfd 100644 --- a/src/main/asciidoc/dataobjects.adoc +++ b/src/main/asciidoc/dataobjects.adoc @@ -935,6 +935,11 @@ Add an enabled cipher suite +++ Add an enabled SSL/TLS protocols +++ +|[[hostnameVerificationAlgorithm]]`hostnameVerificationAlgorithm`|`String`| ++++ +Set the hostname verification algorithm interval + To disable hostname verification, set hostnameVerificationAlgorithm to an empty String ++++ |[[idleTimeout]]`idleTimeout`|`Number (int)`| +++ Set the idle timeout, in seconds. zero means don't timeout. @@ -1020,10 +1025,6 @@ Set the ALPN usage. +++ Set whether Netty pooled buffers are enabled +++ -|[[verifyHost]]`verifyHost`|`Boolean`| -+++ -Set whether hostname verification is enabled -+++ |=== [[NetServerOptions]] diff --git a/src/main/asciidoc/java/net.adoc b/src/main/asciidoc/java/net.adoc index 3daba931937..3c9333acd3c 100644 --- a/src/main/asciidoc/java/net.adoc +++ b/src/main/asciidoc/java/net.adoc @@ -192,7 +192,7 @@ See the chapter on <> for more information. === Upgrading connections to SSL/TLS -A non SSL/TLS connection can be upgraded to SSL/TLS using `link:../../apidocs/io/vertx/core/net/NetSocket.html#upgradeToSsl-java.lang.String-int-io.vertx.core.Handler-[upgradeToSsl]`. +A non SSL/TLS connection can be upgraded to SSL/TLS using `link:../../apidocs/io/vertx/core/net/NetSocket.html#upgradeToSsl-io.vertx.core.Handler-[upgradeToSsl]`. The server or client must be configured for SSL/TLS for this to work correctly. Please see the <> for more information. @@ -570,13 +570,15 @@ NetClient client = vertx.createNetClient(options); If `link:../../apidocs/io/vertx/core/net/ClientOptionsBase.html#setTrustAll-boolean-[trustAll]` is not set then a client trust store must be configured and should contain the certificates of the servers that the client trusts. -To enable host verification, simply set verifyHost to true on your client: +By default, host verification is disabled on the client. +To enable host verification, set the algorithm to use on your client (only HTTPS and LDAPS is currently supported): + [source,java] ---- NetClientOptions options = new NetClientOptions(). setSsl(true). - setVerifyHost(true); + setHostnameVerificationAlgorithm("HTTPS"); NetClient client = vertx.createNetClient(options); ---- diff --git a/src/main/generated/io/vertx/core/net/NetClientOptionsConverter.java b/src/main/generated/io/vertx/core/net/NetClientOptionsConverter.java index 2b53a2a747c..88edd770044 100644 --- a/src/main/generated/io/vertx/core/net/NetClientOptionsConverter.java +++ b/src/main/generated/io/vertx/core/net/NetClientOptionsConverter.java @@ -27,20 +27,22 @@ public class NetClientOptionsConverter { public static void fromJson(JsonObject json, NetClientOptions obj) { + if (json.getValue("hostnameVerificationAlgorithm") instanceof String) { + obj.setHostnameVerificationAlgorithm((String)json.getValue("hostnameVerificationAlgorithm")); + } if (json.getValue("reconnectAttempts") instanceof Number) { obj.setReconnectAttempts(((Number)json.getValue("reconnectAttempts")).intValue()); } if (json.getValue("reconnectInterval") instanceof Number) { obj.setReconnectInterval(((Number)json.getValue("reconnectInterval")).longValue()); } - if (json.getValue("verifyHost") instanceof Boolean) { - obj.setVerifyHost((Boolean)json.getValue("verifyHost")); - } } public static void toJson(NetClientOptions obj, JsonObject json) { + if (obj.getHostnameVerificationAlgorithm() != null) { + json.put("hostnameVerificationAlgorithm", obj.getHostnameVerificationAlgorithm()); + } json.put("reconnectAttempts", obj.getReconnectAttempts()); json.put("reconnectInterval", obj.getReconnectInterval()); - json.put("verifyHost", obj.isVerifyHost()); } } \ No newline at end of file diff --git a/src/main/java/examples/NetExamples.java b/src/main/java/examples/NetExamples.java index 24d6d63b53e..7cf651122d4 100644 --- a/src/main/java/examples/NetExamples.java +++ b/src/main/java/examples/NetExamples.java @@ -505,7 +505,7 @@ public void example45(Vertx vertx, JksOptions keyStoreOptions) { public void example46(Vertx vertx, JksOptions keyStoreOptions) { NetClientOptions options = new NetClientOptions(). setSsl(true). - setVerifyHost(true); + setHostnameVerificationAlgorithm("HTTPS"); NetClient client = vertx.createNetClient(options); } } diff --git a/src/main/java/io/vertx/core/http/impl/VertxHttp2NetSocket.java b/src/main/java/io/vertx/core/http/impl/VertxHttp2NetSocket.java index 3c992c48a0c..c9a2749564f 100644 --- a/src/main/java/io/vertx/core/http/impl/VertxHttp2NetSocket.java +++ b/src/main/java/io/vertx/core/http/impl/VertxHttp2NetSocket.java @@ -269,7 +269,7 @@ public NetSocket closeHandler(@Nullable Handler handler) { } @Override - public NetSocket upgradeToSsl(String host, int port, Handler handler) { + public NetSocket upgradeToSsl(Handler handler) { throw new UnsupportedOperationException("Cannot upgrade HTTP/2 stream to SSL"); } diff --git a/src/main/java/io/vertx/core/net/NetClientOptions.java b/src/main/java/io/vertx/core/net/NetClientOptions.java index 6ccee8e455e..115c74d82a7 100644 --- a/src/main/java/io/vertx/core/net/NetClientOptions.java +++ b/src/main/java/io/vertx/core/net/NetClientOptions.java @@ -18,8 +18,11 @@ import io.vertx.codegen.annotations.DataObject; import io.vertx.core.buffer.Buffer; +import io.vertx.core.cli.Option; import io.vertx.core.json.JsonObject; +import java.util.Optional; + /** * Options for configuring a {@link io.vertx.core.net.NetClient}. * @@ -39,14 +42,14 @@ public class NetClientOptions extends ClientOptionsBase { public static final long DEFAULT_RECONNECT_INTERVAL = 1000; /** - * Default value of whether hostname verification (for SSL/TLS) is enabled = true + * Default value to determine hostname verification algorithm hostname verification (for SSL/TLS) = "" */ - public static final boolean DEFAULT_VERIFY_HOST = true; + public static final String DEFAULT_HOSTNAME_VERIFICATION_ALGORITHM = ""; private int reconnectAttempts; private long reconnectInterval; - private boolean verifyHost = true; + private String hostnameVerificationAlgorithm; /** @@ -66,7 +69,7 @@ public NetClientOptions(NetClientOptions other) { super(other); this.reconnectAttempts = other.getReconnectAttempts(); this.reconnectInterval = other.getReconnectInterval(); - this.verifyHost = other.isVerifyHost(); + this.hostnameVerificationAlgorithm = other.getHostnameVerificationAlgorithm(); } /** @@ -83,7 +86,7 @@ public NetClientOptions(JsonObject json) { private void init() { this.reconnectAttempts = DEFAULT_RECONNECT_ATTEMPTS; this.reconnectInterval = DEFAULT_RECONNECT_INTERVAL; - this.verifyHost = DEFAULT_VERIFY_HOST; + this.hostnameVerificationAlgorithm = DEFAULT_HOSTNAME_VERIFICATION_ALGORITHM; } @Override @@ -248,32 +251,32 @@ public NetClientOptions setReconnectInterval(long interval) { } /** - * @return the value of reconnect interval + * @return the value of the hostname verification algorithm */ - public long getReconnectInterval() { - return reconnectInterval; + + public String getHostnameVerificationAlgorithm() { + return hostnameVerificationAlgorithm; } - /** - * Is hostname verification (for SSL/TLS) enabled? - * - * @return true if enabled - */ - public boolean isVerifyHost() { - return verifyHost; - } + /** + * Set the hostname verification algorithm interval + * To disable hostname verification, set hostnameVerificationAlgorithm to an empty String + * + * @param hostnameVerificationAlgorithm should be HTTPS, LDAPS or an empty String + * @return a reference to this, so the API can be used fluently + */ - /** - * Set whether hostname verification is enabled - * - * @param verifyHost true if enabled - * @return a reference to this, so the API can be used fluently - */ - public NetClientOptions setVerifyHost(boolean verifyHost) { - this.verifyHost = verifyHost; - return this; - } + public NetClientOptions setHostnameVerificationAlgorithm(String hostnameVerificationAlgorithm) { + this.hostnameVerificationAlgorithm = hostnameVerificationAlgorithm; + return this; + } + /** + * @return the value of reconnect interval + */ + public long getReconnectInterval() { + return reconnectInterval; + } @Override public boolean equals(Object o) { @@ -285,7 +288,7 @@ public boolean equals(Object o) { if (reconnectAttempts != that.reconnectAttempts) return false; if (reconnectInterval != that.reconnectInterval) return false; - if (verifyHost != that.verifyHost) return false; + if (hostnameVerificationAlgorithm != that.hostnameVerificationAlgorithm) return false; return true; } @@ -295,7 +298,8 @@ public int hashCode() { int result = super.hashCode(); result = 31 * result + reconnectAttempts; result = 31 * result + (int) (reconnectInterval ^ (reconnectInterval >>> 32)); - result = 31 * result + (verifyHost ? 1 : 0); + result = 31 * result + hostnameVerificationAlgorithm.hashCode(); return result; } + } diff --git a/src/main/java/io/vertx/core/net/NetSocket.java b/src/main/java/io/vertx/core/net/NetSocket.java index 73a04e66fb4..039f152425e 100644 --- a/src/main/java/io/vertx/core/net/NetSocket.java +++ b/src/main/java/io/vertx/core/net/NetSocket.java @@ -217,7 +217,7 @@ default NetSocket sendFile(String filename, long offset, Handler handler); + NetSocket upgradeToSsl(Handler handler); /** * @return true if this {@link io.vertx.core.net.NetSocket} is encrypted via SSL/TLS. diff --git a/src/main/java/io/vertx/core/net/impl/NetSocketImpl.java b/src/main/java/io/vertx/core/net/impl/NetSocketImpl.java index a006d69460d..f57ee211ff7 100644 --- a/src/main/java/io/vertx/core/net/impl/NetSocketImpl.java +++ b/src/main/java/io/vertx/core/net/impl/NetSocketImpl.java @@ -245,10 +245,11 @@ public synchronized void close() { } @Override - public synchronized NetSocket upgradeToSsl(String host, int port, final Handler handler) { + public synchronized NetSocket upgradeToSsl(final Handler handler) { SslHandler sslHandler = channel.pipeline().get(SslHandler.class); if (sslHandler == null) { - sslHandler = helper.createSslHandler(vertx, host, port); + + sslHandler = helper.createSslHandler(vertx, this.remoteAddress().host(), this.remoteAddress().port()); channel.pipeline().addFirst("ssl", sslHandler); } sslHandler.handshakeFuture().addListener(future -> context.executeFromIO(() -> { diff --git a/src/main/java/io/vertx/core/net/impl/SSLHelper.java b/src/main/java/io/vertx/core/net/impl/SSLHelper.java index ef24746d836..3815d8487bb 100644 --- a/src/main/java/io/vertx/core/net/impl/SSLHelper.java +++ b/src/main/java/io/vertx/core/net/impl/SSLHelper.java @@ -50,15 +50,7 @@ import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Collection; -import java.util.Collections; -import java.util.EnumMap; -import java.util.HashSet; -import java.util.List; -import java.util.Map; -import java.util.Set; +import java.util.*; import java.util.stream.Collectors; import java.util.stream.Stream; @@ -114,6 +106,8 @@ public class SSLHelper { private List applicationProtocols; private Set enabledProtocols; + private String endpointIdentificationAlgorithm = ""; + private SslContext sslContext; public SSLHelper(HttpClientOptions options, KeyStoreHelper keyStoreHelper, KeyStoreHelper trustStoreHelper) { @@ -124,11 +118,13 @@ public SSLHelper(HttpClientOptions options, KeyStoreHelper keyStoreHelper, KeySt this.crlPaths = new ArrayList<>(options.getCrlPaths()); this.crlValues = new ArrayList<>(options.getCrlValues()); this.enabledCipherSuites = options.getEnabledCipherSuites(); - this.verifyHost = options.isVerifyHost(); this.sslEngine = options.getSslEngine(); this.client = true; this.useAlpn = options.isUseAlpn(); this.enabledProtocols = options.getEnabledSecureTransportProtocols(); + if (options.isVerifyHost()) { + this.endpointIdentificationAlgorithm = "HTTPS"; + } } public SSLHelper(HttpServerOptions options, KeyStoreHelper keyStoreHelper, KeyStoreHelper trustStoreHelper) { @@ -153,11 +149,11 @@ public SSLHelper(NetClientOptions options, KeyStoreHelper keyStoreHelper, KeySto this.crlPaths = new ArrayList<>(options.getCrlPaths()); this.crlValues = new ArrayList<>(options.getCrlValues()); this.enabledCipherSuites = options.getEnabledCipherSuites(); - this.verifyHost = options.isVerifyHost(); this.sslEngine = options.getSslEngine(); this.client = true; this.useAlpn = false; this.enabledProtocols = options.getEnabledSecureTransportProtocols(); + this.endpointIdentificationAlgorithm = options.getHostnameVerificationAlgorithm(); } public SSLHelper(NetServerOptions options, KeyStoreHelper keyStoreHelper, KeyStoreHelper trustStoreHelper) { @@ -411,9 +407,9 @@ private SslHandler createHandler(SSLEngine engine, boolean client) { break; } } - } else if (verifyHost) { + } else if (!endpointIdentificationAlgorithm.isEmpty()) { SSLParameters sslParameters = engine.getSSLParameters(); - sslParameters.setEndpointIdentificationAlgorithm("HTTPS"); + sslParameters.setEndpointIdentificationAlgorithm(endpointIdentificationAlgorithm); engine.setSSLParameters(sslParameters); } return new SslHandler(engine); diff --git a/src/main/java/io/vertx/core/net/package-info.java b/src/main/java/io/vertx/core/net/package-info.java index 48abf0feb03..ff49b9a50ec 100644 --- a/src/main/java/io/vertx/core/net/package-info.java +++ b/src/main/java/io/vertx/core/net/package-info.java @@ -175,7 +175,7 @@ * * === Upgrading connections to SSL/TLS * - * A non SSL/TLS connection can be upgraded to SSL/TLS using {@link io.vertx.core.net.NetSocket#upgradeToSsl(java.lang.String, int, io.vertx.core.Handler)}. + * A non SSL/TLS connection can be upgraded to SSL/TLS using {@link io.vertx.core.net.NetSocket#upgradeToSsl(io.vertx.core.Handler)}. * * The server or client must be configured for SSL/TLS for this to work correctly. Please see the <> * for more information. @@ -434,7 +434,9 @@ * If {@link io.vertx.core.net.ClientOptionsBase#setTrustAll trustAll} is not set then a client trust store must be * configured and should contain the certificates of the servers that the client trusts. * - * To enable host verification, simply set verifyHost to true on your client: + * By default, host verification is disabled on the client. + * To enable host verification, set the algorithm to use on your client (only HTTPS and LDAPS is currently supported): + * * * [source,$lang] * ---- diff --git a/src/test/java/io/vertx/test/core/NetTest.java b/src/test/java/io/vertx/test/core/NetTest.java index c1476ddb0af..849c0fb170c 100644 --- a/src/test/java/io/vertx/test/core/NetTest.java +++ b/src/test/java/io/vertx/test/core/NetTest.java @@ -156,9 +156,10 @@ public void testClientOptions() { assertEquals(options, options.setTrustAll(true)); assertTrue(options.isTrustAll()); - assertTrue(options.isVerifyHost()); - assertEquals(options, options.setVerifyHost(false)); - assertFalse(options.isVerifyHost()); + String randomAlphaString = TestUtils.randomAlphaString(10); + assertTrue(options.getHostnameVerificationAlgorithm().isEmpty()); + assertEquals(options, options.setHostnameVerificationAlgorithm(randomAlphaString)); + assertEquals(randomAlphaString, options.getHostnameVerificationAlgorithm()); assertEquals(0, options.getReconnectAttempts()); assertIllegalArgumentException(() -> options.setReconnectAttempts(-2)); @@ -307,7 +308,7 @@ public void testCopyClientOptions() { boolean usePooledBuffers = rand.nextBoolean(); int idleTimeout = TestUtils.randomPositiveInt(); boolean ssl = rand.nextBoolean(); - boolean verifyHost = rand.nextBoolean(); + String hostnameVerificationAlgorithm = TestUtils.randomAlphaString(10); JksOptions keyStoreOptions = new JksOptions(); String ksPassword = TestUtils.randomAlphaString(100); keyStoreOptions.setPassword(ksPassword); @@ -344,7 +345,7 @@ public void testCopyClientOptions() { options.setReconnectInterval(reconnectInterval); options.setUseAlpn(useAlpn); options.setSslEngine(sslEngine); - options.setVerifyHost(verifyHost); + options.setHostnameVerificationAlgorithm(hostnameVerificationAlgorithm); NetClientOptions copy = new NetClientOptions(options); assertEquals(sendBufferSize, copy.getSendBufferSize()); assertEquals(receiverBufferSize, copy.getReceiveBufferSize()); @@ -372,7 +373,7 @@ public void testCopyClientOptions() { assertEquals(reconnectInterval, copy.getReconnectInterval()); assertEquals(useAlpn, copy.isUseAlpn()); assertEquals(sslEngine, copy.getSslEngine()); - assertEquals(verifyHost, copy.isVerifyHost()); + assertEquals(hostnameVerificationAlgorithm, copy.getHostnameVerificationAlgorithm()); } @Test @@ -392,7 +393,7 @@ public void testDefaultClientOptionsJson() { assertEquals(def.isSsl(), json.isSsl()); assertEquals(def.isUseAlpn(), json.isUseAlpn()); assertEquals(def.getSslEngine(), json.getSslEngine()); - assertEquals(def.isVerifyHost(), json.isVerifyHost()); + assertEquals(def.getHostnameVerificationAlgorithm(), json.getHostnameVerificationAlgorithm()); } @Test @@ -425,7 +426,7 @@ public void testClientOptionsJson() { int reconnectAttempts = TestUtils.randomPositiveInt(); long reconnectInterval = TestUtils.randomPositiveInt(); boolean useAlpn = TestUtils.randomBoolean(); - boolean verifyHost = TestUtils.randomBoolean(); + String hostnameVerificationAlgorithm = TestUtils.randomAlphaString(10); SSLEngine sslEngine = TestUtils.randomBoolean() ? SSLEngine.JDK : SSLEngine.OPENSSL; JsonObject json = new JsonObject(); @@ -449,7 +450,7 @@ public void testClientOptionsJson() { .put("reconnectInterval", reconnectInterval) .put("useAlpn", useAlpn) .put("sslEngine", sslEngine.name()) - .put("verifyHost", verifyHost); + .put("hostnameVerificationAlgorithm", hostnameVerificationAlgorithm); NetClientOptions options = new NetClientOptions(json); assertEquals(sendBufferSize, options.getSendBufferSize()); @@ -478,7 +479,7 @@ public void testClientOptionsJson() { assertEquals(reconnectInterval, options.getReconnectInterval()); assertEquals(useAlpn, options.isUseAlpn()); assertEquals(sslEngine, options.getSslEngine()); - assertEquals(verifyHost, options.isVerifyHost()); + assertEquals(hostnameVerificationAlgorithm, options.getHostnameVerificationAlgorithm()); // Test other keystore/truststore types json.remove("keyStoreOptions"); @@ -1072,99 +1073,85 @@ public void testClientIdleTimeout() { @Test // StartTLS public void testStartTLSClientTrustAll() throws Exception { - testTLS(false, false, true, false, false, true, false, true, true); + testTLS(false, false, true, false, false, true, true, true); } @Test // Client trusts all server certs public void testTLSClientTrustAll() throws Exception { - testTLS(false, false, true, false, false, true, false, true, false); + testTLS(false, false, true, false, false, true, true, false); } @Test // Server specifies cert that the client trusts (not trust all) public void testTLSClientTrustServerCert() throws Exception { - testTLS(false, true, true, false, false, false, false, true, false); + testTLS(false, true, true, false, false, false, true, false); } @Test // Server specifies cert that the client doesn't trust public void testTLSClientUntrustedServer() throws Exception { - testTLS(false, false, true, false, false, false, false, false, false); + testTLS(false, false, true, false, false, false, false, false); } @Test //Client specifies cert even though it's not required public void testTLSClientCertNotRequired() throws Exception { - testTLS(true, true, true, true, false, false, false, true, false); + testTLS(true, true, true, true, false, false, true, false); } @Test //Client specifies cert and it's not required public void testTLSClientCertRequired() throws Exception { - testTLS(true, true, true, true, true, false, false, true, false); + testTLS(true, true, true, true, true, false, true, false); } @Test //Client doesn't specify cert but it's required public void testTLSClientCertRequiredNoClientCert() throws Exception { - testTLS(false, true, true, true, true, false, false, false, false); + testTLS(false, true, true, true, true, false, false, false); } @Test //Client specifies cert but it's not trusted public void testTLSClientCertClientNotTrusted() throws Exception { - testTLS(true, true, true, false, true, false, false, false, false); + testTLS(true, true, true, false, true, false, false, false); } @Test // Specify some cipher suites public void testTLSCipherSuites() throws Exception { - testTLS(false, false, true, false, false, true, false, true, false, ENABLED_CIPHER_SUITES); + testTLS(false, false, true, false, false, true, true, false, ENABLED_CIPHER_SUITES); } @Test // Specify some bogus protocol public void testInvalidTlsProtocolVersion() throws Exception { - testTLS(false, false, true, false, false, true, false, false, false, new String[0], + testTLS(false, false, true, false, false, true, false, false, new String[0], new String[]{"TLSv1.999"}); } @Test // Specify a valid protocol public void testSpecificTlsProtocolVersion() throws Exception { - testTLS(false, false, true, false, false, true, false, true, false, new String[0], + testTLS(false, false, true, false, false, true, true, false, new String[0], new String[]{"TLSv1.2"}); } - @Test - // Test host verification with a CN matching localhost - public void testVerifyMatchingHost() throws Exception { - testTLS(false, false, true, false, false, true, true, true, false, new String[0], - new String[]{"TLSv1.2"}); - } - - @Test - // Test host verification with a CN NOT matching localhost - public void testVerifyNonMatchingHost() throws Exception { - testTLS(false, false, true, false, false, true, true, false, false, new String[0], - new String[]{"TLSv1.2"}); - } - void testTLS(boolean clientCert, boolean clientTrust, boolean serverCert, boolean serverTrust, - boolean requireClientAuth, boolean clientTrustAll, boolean verifyHost, + boolean requireClientAuth, boolean clientTrustAll, boolean shouldPass, boolean startTLS) throws Exception { - testTLS(clientCert, clientTrust, serverCert, serverTrust, requireClientAuth, clientTrustAll, verifyHost, + testTLS(clientCert, clientTrust, serverCert, serverTrust, requireClientAuth, clientTrustAll, shouldPass, startTLS, new String[0], new String[0]); } void testTLS(boolean clientCert, boolean clientTrust, boolean serverCert, boolean serverTrust, - boolean requireClientAuth, boolean clientTrustAll, boolean verifyHost, + boolean requireClientAuth, boolean clientTrustAll, boolean shouldPass, boolean startTLS, String[] enabledCipherSuites) throws Exception { - testTLS(clientCert, clientTrust, serverCert, serverTrust, requireClientAuth, clientTrustAll, verifyHost, + testTLS(clientCert, clientTrust, serverCert, serverTrust, requireClientAuth, clientTrustAll, shouldPass, startTLS, enabledCipherSuites, new String[0]); } @@ -1172,7 +1159,6 @@ void testTLS(boolean clientCert, boolean clientTrust, void testTLS(boolean clientCert, boolean clientTrust, boolean serverCert, boolean serverTrust, boolean requireClientAuth, boolean clientTrustAll, - boolean verifyHost, boolean shouldPass, boolean startTLS, String[] enabledCipherSuites, String[] enabledSecureTransportProtocols) throws Exception { @@ -1185,12 +1171,7 @@ void testTLS(boolean clientCert, boolean clientTrust, options.setTrustStoreOptions(new JksOptions().setPath("tls/server-truststore.jks").setPassword("wibble")); } if (serverCert) { - if (verifyHost && !shouldPass) { - options.setKeyStoreOptions(new JksOptions().setPath("tls/fake-server-keystore.jks").setPassword("wibble")); - } else { - options.setKeyStoreOptions(new JksOptions().setPath("tls/server-keystore.jks").setPassword("wibble")); - } - + options.setKeyStoreOptions(new JksOptions().setPath("tls/server-keystore.jks").setPassword("wibble")); } if (requireClientAuth) { options.setClientAuth(ClientAuth.REQUIRED); @@ -1229,7 +1210,7 @@ void testTLS(boolean clientCert, boolean clientTrust, if (startTLS) { if (upgradedServer.compareAndSet(false, true)) { assertFalse(socket.isSsl()); - socket.upgradeToSsl("localhost", 4043 , v -> { + socket.upgradeToSsl(v -> { certificateChainChecker.accept(socket); upgradedServerCount.incrementAndGet(); assertTrue(socket.isSsl()); @@ -1258,9 +1239,6 @@ void testTLS(boolean clientCert, boolean clientTrust, if (clientCert) { clientOptions.setKeyStoreOptions(new JksOptions().setPath("tls/client-keystore.jks").setPassword("wibble")); } - if (verifyHost) { - clientOptions.setVerifyHost(true); - } for (String suite: enabledCipherSuites) { clientOptions.addEnabledCipherSuite(suite); } @@ -1296,7 +1274,7 @@ void testTLS(boolean clientCert, boolean clientTrust, if (startTLS && !upgradedClient.get()) { upgradedClient.set(true); assertFalse(socket.isSsl()); - socket.upgradeToSsl("localhost", 4043, v -> { + socket.upgradeToSsl(v -> { assertTrue(socket.isSsl()); // Now send the rest for (int i = 1; i < numChunks; i++) { @@ -2172,4 +2150,63 @@ public void testClientWorkerMissBufferWhenBufferArriveBeforeConnectCallback() th }); await(); } + + @Test + public void testHostVerificationHttpsNotMatching() { + server.close(); + NetServerOptions options = new NetServerOptions() + .setPort(1234) + .setHost("localhost") + .setSsl(true) + .setKeyStoreOptions(new JksOptions().setPath("tls/fake-server-keystore.jks").setPassword("wibble")); + NetServer server = vertx.createNetServer(options); + + NetClientOptions clientOptions = new NetClientOptions() + .setSsl(true) + .setTrustAll(true) + .setHostnameVerificationAlgorithm("HTTPS"); + NetClient client = vertx.createNetClient(clientOptions); + server.connectHandler(sock -> { + + }); + server.listen(ar -> { + assertTrue(ar.succeeded()); + client.connect(1234, "localhost", ar2 -> { + //Should not be able to connect + assertTrue(ar2.failed()); + testComplete(); + }); + }); + await(); + } + + @Test + public void testHostVerificationHttpsMatching() { + server.close(); + NetServerOptions options = new NetServerOptions() + .setPort(1234) + .setHost("localhost") + .setSsl(true) + .setKeyStoreOptions(new JksOptions().setPath("tls/server-keystore.jks").setPassword("wibble")); + NetServer server = vertx.createNetServer(options); + + NetClientOptions clientOptions = new NetClientOptions() + .setSsl(true) + .setTrustAll(true) + .setHostnameVerificationAlgorithm("HTTPS"); + NetClient client = vertx.createNetClient(clientOptions); + server.connectHandler(sock -> { + + }); + server.listen(ar -> { + assertTrue(ar.succeeded()); + client.connect(1234, "localhost", ar2 -> { + //Should be able to connect + assertTrue(ar2.succeeded()); + testComplete(); + }); + }); + await(); + } + } diff --git a/src/test/resources/tls/ssl.txt b/src/test/resources/tls/ssl.txt index 1066ec0355d..b0c92407b6f 100644 --- a/src/test/resources/tls/ssl.txt +++ b/src/test/resources/tls/ssl.txt @@ -16,6 +16,10 @@ keytool -import -trustcacerts -alias test-store -file localhost.crt -keystore cl keytool -importkeystore -srckeystore client-truststore.jks -destkeystore client-truststore.p12 -deststoretype PKCS12 -keypass wibble -storepass wibble +5) Create a private key + fake certificate for the server in a new key store: + +keytool -genkey -alias test-store -keyalg RSA -keystore fake-server-keystore.jks -keysize 2048 -validity 1095 -dname CN=fake-localhost -keypass wibble -storepass wibble + # PKCS12