Configure activemq-client to trust any SSL certificate from the broker without verifying it


Jiri Danek
Hi,

I need to configure activemq-client not to perform broker certificate
validation. I need this for testing purposes, because I need to test the
system over SSL, but I do not yet have certificate distribution solved.

In Artemis, with artemis-jms-client, there is verifyHost=false and
trustAll=true connection url properties I can use for this purpose. How do
I achieve the same with ActiveMQ?

Thanks!
--
Jiri Daněk

Re: Configure activemq-client to trust any SSL certificate from the broker without verifying it

christopher.l.shannon
In 5.x it isn't quite as simple.

To trust all you'll need to extend ActiveMQSslConnectionFactory and
override the createTrustManager() method.  This should work:

    @Override
    protected TrustManager[] createTrustManager() throws Exception {
        return new TrustManager[] { new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[] {};
            }

            public void checkClientTrusted(final X509Certificate[] chain, final String authType)
                    throws java.security.cert.CertificateException {
            }

            public void checkServerTrusted(final X509Certificate[] chain, final String authType)
                    throws java.security.cert.CertificateException {
            }
        } };
    }

Another example of this is how you can do this with Netty.  Artemis
achieves this by using the InsecureTrustManagerFactory class that is part
of Netty.  See:

https://github.com/apache/activemq-artemis/blob/master/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/SSLSupport.java
https://github.com/netty/netty/blob/4.1/handler/src/main/java/io/netty/handler/ssl/util/InsecureTrustManagerFactory.java


To disable verifying host name you need to override the hostname verifier.
You could override the createTransport method.  I think something like this
would work:

    @Override
    protected Transport createTransport() throws JMSException {

        final HostnameVerifier allHostsValid = new HostnameVerifier() {
            public boolean verify(String arg0, SSLSession arg1) {
                return true;
            }
        };

        // Install the all-trusting host verifier
        HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);

        return super.createTransport();
    }


On Wed, Nov 29, 2017 at 5:52 AM, Jiri Danek <[hidden email]> wrote:

> Hi,
>
> I need to configure activemq-client not to perform broker certificate
> validation. I need this for testing purposes, because I need to test the
> system over SSL, but I do not yet have certificate distribution solved.
>
> In Artemis, with artemis-jms-client, there is verifyHost=false and
> trustAll=true connection url properties I can use for this purpose. How do
> I achieve the same with ActiveMQ?
>
> Thanks!
> --
> Jiri Daněk
>

Re: Configure activemq-client to trust any SSL certificate from the broker without verifying it

Jiri Danek
Thank you for your advice. I ended up also looking at
https://stackoverflow.com/questions/16747902/setting-trust-store-programatically-in-activemqsslconnectionfactory-seems-to-fai
and also
https://github.com/apache/activemq/blob/master/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/joram/JoramJmsNioPlusSslTest.java
and I did it the way the test in the second link does it.

    try {
        SSLContext def;
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[0], new TrustManager[]{new TrustingTrustManager()}, null);
        def = SSLContext.getDefault();
        // Replaces the default SSLContext for the whole JVM
        SSLContext.setDefault(ctx);
    } catch (NoSuchAlgorithmException | KeyManagementException e) {
        throw new RuntimeException("Could not set up the all-trusting TrustManager", e);
    }

    /**
     * Does not do any checking. Trusts all certificates.
     */
    private class TrustingTrustManager implements X509TrustManager {
        @Override
        public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
        }

        @Override
        public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

Thank you all for your help.
--
Jiri Daněk
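
Added example, not part of the thread and not ActiveMQ project code: when the broker's certificate cannot yet be distributed through a trust store, a test client can accept only that one certificate by its SHA-256 fingerprint instead of accepting any certificate, and scope the trust decision to a single connection factory rather than replacing the JVM-wide default SSLContext. The class name PinnedBrokerTrustManager and the factoryFor helper are hypothetical, and the fingerprint is supplied by the caller; the wiring uses ActiveMQSslConnectionFactory.setKeyAndTrustManagers in place of the createTrustManager() override shown in the reply.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.activemq.ActiveMQSslConnectionFactory;

/** Hypothetical test helper: accepts only the broker certificate with the given SHA-256 fingerprint. */
public final class PinnedBrokerTrustManager implements X509TrustManager {
    private final byte[] pinned; // SHA-256 over the DER encoding of the broker's leaf certificate

    public PinnedBrokerTrustManager(String sha256Hex) {
        String hex = sha256Hex.replace(":", ""); // tolerate "AB:CD:..." style fingerprints
        if (hex.length() != 64) throw new IllegalArgumentException("expected 32 hex-encoded bytes");
        pinned = new byte[32];
        for (int i = 0; i < 32; i++) pinned[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("broker sent no certificate");
        try {
            byte[] seen = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded());
            if (!MessageDigest.isEqual(seen, pinned)) {
                throw new CertificateException("broker certificate does not match the pinned fingerprint");
            }
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("this trust manager is for client-side use only");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

    /** Scopes the pin to one connection factory; the JVM-wide default SSLContext is left untouched. */
    public static ActiveMQSslConnectionFactory factoryFor(String brokerUrl, String sha256Hex) {
        ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory(brokerUrl);
        factory.setKeyAndTrustManagers(new KeyManager[0],
                new TrustManager[] { new PinnedBrokerTrustManager(sha256Hex) }, new SecureRandom());
        return factory;
    }
}
```

A mismatch surfaces as a failed TLS handshake when the connection is created, so a changed or substituted broker certificate fails the test run instead of being silently accepted.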