3 Replies Latest reply on Nov 1, 2010 10:13 AM by timfox

    Securing NettyConnector with SSL, no server SSL check

    hmr_mueller

      When configuring HornetQ to use SSL and defining the NettyConnector with sslenabled=true, the server certificate is not checked when making the connection from the client (using the connection factory from JNDI).

      It seems to me that this is hard coded in the SSLSupport class in package org.hornetq.remoting.impl.ssl, since the trust manager is defined as follows:


      import java.security.cert.X509Certificate;
      import javax.net.ssl.TrustManager;
      import javax.net.ssl.X509TrustManager;

      private static TrustManager[] loadTrustManager(final boolean clientMode,
                                                     final String trustStorePath,
                                                     final String trustStorePassword) throws Exception
      {
         if (clientMode)
         {
            // we are in client mode and do not want to perform server cert
            // authentication
            // return a trust manager that trusts all certs
            return new TrustManager[] { new X509TrustManager()
            {
               public void checkClientTrusted(final X509Certificate[] chain, final String authType)
               {
                  // no-op: never throws, so any client chain is accepted
               }

               public void checkServerTrusted(final X509Certificate[] chain, final String authType)
               {
                  // no-op: never throws, so any server chain (including a forged one) is accepted
               }

               public X509Certificate[] getAcceptedIssuers()
               {
                  // no trusted CAs are advertised at all
                  return null;
               }
            } };
         }
         else ...


      Using SSL, I'd like to check the server certificate during the handshake to be sure I'm talking to the correct server and to protect against man-in-the-middle attacks.

      How can this be done? Is the only way to write your own ConnectorFactory which enables that?


      Thanks!
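For comparison, the following is an added example (not HornetQ code and not from the poster) showing the trust-all manager quoted above beside a truststore-backed one of the kind a client would need to actually verify the server. It assumes Java 7 or later, a JKS or PKCS12 truststore at a hypothetical path passed on the command line, and the JVM's default TrustManagerFactory algorithm (PKIX). The `ClientTrust` class, its method names and the `client.truststore` default path are all invented for the illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example (hypothetical class, not part of HornetQ): weak vs. verifying client trust. */
public final class ClientTrust {

    /** Weak form: the trust-all manager, equivalent to the one quoted in the post. */
    public static TrustManager[] trustAll() {
        return new TrustManager[] { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
    }

    /** Hardened form: validate the server chain against the CAs in a truststore file. */
    public static TrustManager[] fromTrustStore(String trustStorePath, char[] trustStorePassword)
            throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return tmf.getTrustManagers();
    }

    /** Client-side SSLContext using the given trust managers; no client key material. */
    public static SSLContext clientContext(TrustManager[] trustManagers) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustManagers, null);
        return ctx;
    }

    /**
     * Client-mode SSLEngine (what a Netty pipeline wraps) with hostname verification on,
     * so the certificate must also match the host being connected to, not just chain to a CA.
     */
    public static SSLEngine clientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    /** True if the first X509TrustManager in tms accepts the server chain, false if it rejects it. */
    public static boolean accepts(TrustManager[] tms, X509Certificate[] chain, String authType) {
        for (TrustManager tm : tms) {
            if (tm instanceof X509TrustManager) {
                try {
                    ((X509TrustManager) tm).checkServerTrusted(chain, authType);
                    return true;
                } catch (CertificateException | IllegalArgumentException e) {
                    // PKIX rejects unknown chains with CertificateException and an
                    // empty chain with IllegalArgumentException; both mean "not trusted"
                    return false;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "client.truststore"; // hypothetical path
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();
        X509Certificate[] emptyChain = new X509Certificate[0];

        // The trust-all manager never throws, so even an empty chain is "trusted".
        System.out.println("trust-all accepts empty chain: " + accepts(trustAll(), emptyChain, "RSA"));

        // The truststore-backed manager rejects anything it cannot chain to a configured CA.
        TrustManager[] verifying = fromTrustStore(path, pw);
        System.out.println("truststore accepts empty chain: " + accepts(verifying, emptyChain, "RSA"));
        for (TrustManager tm : verifying) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    System.out.println("trusted issuer: " + ca.getSubjectX500Principal());
                }
            }
        }
        clientEngine(clientContext(verifying), "broker.example.internal", 5445); // hypothetical host/port
    }
}
```

Two points worth checking in any client built this way: chain validation alone does not stop a man in the middle holding a valid certificate for some other name from the same CA, which is why `setEndpointIdentificationAlgorithm("HTTPS")` is set on the engine; and `getAcceptedIssuers()` should return an empty array rather than `null`, since some callers iterate over it.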