Add client/listener peer authentication properties
This patch provides the following:
1. Adds two new properties, sblim.wbem.sslClientPeerVerification and sblim.wbem.sslListenerPeerVerification, to allow SSL peer authentication to be controlled individually for the JCC's Client and Listener, via global configuration. Previously, whenever the property javax.net.ssl.trustStore was defined globally, peer verification was enabled automatically for both client and listener, even if this was not the user's intent. Now, peer verification is activated for the client or listener only when the respective sslClientPeerVerification or sslListenerPeerVerification property is set.
2. Improves the logging and tracing in HttpServerConnection and HttpSocketFactory. Since HttpSocketFactory is invoked for both the client and listener, it was previously difficult to tell that the trace output pertained to one or the other. Now, keystore and truststore operations are called out specifically for client and listener in the trace.
3. Fixes a bug in the creation of the Client SSLContext where, if the javax.net.ssl.trustStore file was defined but not present or otherwise unreadable, the SSLContext would fall back to a "trust all" TrustManager configuration. This is a potential security problem, assuming it is the user's intent to enable peer verification in this scenario. Now, whenever the sslClientPeerVerification or sslListenerPeerVerification property is set for Client or Listener, if the truststore is not defined, not present or otherwise not readable, the SSLContext will fall back to a "trust none" TrustManager, and a WARNING logger message is given to notify the user of the misconfiguration.
The drawback of this patch is it produces a backward compatibility issue. The introduction of the two new properties to control peer verification breaks compatibility with the previous SSL configuration. Previously, whenever the property javax.net.ssl.trustStore was defined (either globally or at domain-level) peer verification was enabled automatically. Now, it is additionally required to set sblim.wbem.sslClientPeerVerification and/or sblim.wbem.sslListenerPeerVerification to a non-default value, to enable peer verification. No other changes are required; the remaining keystore & truststore properties are compatible. If a legacy user has a keystore configured and fails to set sslClientPeerVerification or sslListenerPeerVerification, no peer authentication is performed (i.e. trust all) and a WARNING logger message is given to notify the user of the condition. This change will have to be well documented to advise legacy SSL users at the point it is introduced into the production branch.
Note, there is really no practical way to provide this new feature (i.e. control of peer verification individually for the Client and Listener via global config) without introducing a new property. For example, an alternative would be to introduce new global properties to configure client and listener keystores individually, in a manner corresponding to the JSR48 properties javax.wbem.client.trustStore and javax.wbem.listener.trustStore. But this would also break compatibility (for users currently using the SBLIM properties) in a way that is more intrusive than just adding the new "toggles".
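The following is an added illustration of the TrustManager selection logic described in items 1 and 3 above; it is example code written for this page, not the SBLIM JCC's HttpSocketFactory. It assumes the peer-verification toggle is read as a boolean system property (the JCC's actual property parsing is not shown on this page), takes the truststore path and password as parameters rather than reading javax.net.ssl.trustStore itself, and uses a constructed non-existent path in main() to trigger the "trust none" fallback.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Example (not SBLIM JCC code) of per-role peer verification with a "trust none" fallback. */
public final class PeerVerificationExample {
    private static final Logger LOG = Logger.getLogger(PeerVerificationExample.class.getName());

    /** Rejects every peer certificate: the safe fallback when verification was requested
     *  but no usable truststore exists. A misconfiguration then fails closed, not open. */
    static final class TrustNoneManager implements X509TrustManager {
        private final String role;
        TrustNoneManager(String role) { this.role = role; }
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException(role + ": peer verification enabled but no usable truststore");
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException(role + ": peer verification enabled but no usable truststore");
        }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Accepts every peer. Used only when the role's peer-verification property is NOT set,
     *  and always accompanied by a WARNING so the user notices the condition. */
    static final class TrustAllManager implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Chooses the trust managers for one role ("Client" or "Listener"). The role name is
     *  carried into every log line so client and listener traces can be told apart. */
    static TrustManager[] selectTrustManagers(String role, boolean peerVerification,
                                              String trustStorePath, char[] trustStorePassword) {
        if (!peerVerification) {
            LOG.warning(role + ": peer verification property not set; no peer authentication performed (trust all)");
            return new TrustManager[] { new TrustAllManager() };
        }
        if (trustStorePath == null) {
            LOG.warning(role + ": peer verification enabled but no truststore defined; falling back to trust none");
            return new TrustManager[] { new TrustNoneManager(role) };
        }
        // Any failure to open, load or parse the truststore falls back to "trust none", never "trust all".
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
            ts.load(in, trustStorePassword);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);
            LOG.info(role + ": loaded truststore " + trustStorePath);
            return tmf.getTrustManagers();
        } catch (IOException | GeneralSecurityException e) {
            LOG.warning(role + ": truststore " + trustStorePath + " not present or not readable ("
                        + e.getMessage() + "); falling back to trust none");
            return new TrustManager[] { new TrustNoneManager(role) };
        }
    }

    /** Builds an SSLContext for a role; verifyProperty is the role's toggle, e.g.
     *  sblim.wbem.sslClientPeerVerification (assumed here to be parsed as a boolean). */
    static SSLContext buildContext(String role, String verifyProperty,
                                   String trustStorePath, char[] trustStorePassword)
            throws GeneralSecurityException {
        boolean verify = Boolean.parseBoolean(System.getProperty(verifyProperty, "false"));
        TrustManager[] tms = selectTrustManagers(role, verify, trustStorePath, trustStorePassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, null);  // key managers omitted: this example covers the trust side only
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Client: verification requested, truststore path is a constructed non-existent file -> trust none.
        System.setProperty("sblim.wbem.sslClientPeerVerification", "true");
        SSLContext client = buildContext("Client", "sblim.wbem.sslClientPeerVerification",
                                         "/nonexistent/client-truststore.jks", "changeit".toCharArray());
        // Listener: property left unset -> trust all, with a WARNING in the log.
        SSLContext listener = buildContext("Listener", "sblim.wbem.sslListenerPeerVerification",
                                           null, null);
        System.out.println("Client context:   " + client.getProtocol());
        System.out.println("Listener context: " + listener.getProtocol());
    }
}
```

Running main() shows the two outcomes side by side: the client context rejects any peer because its truststore cannot be read, while the listener context accepts any peer but logs a WARNING because its toggle was never set. The distinction matters for the compatibility note below: a legacy deployment that sets javax.net.ssl.trustStore but not the new toggle lands on the second path.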
Committed to CVS Experimental. Documentation update to follow.
Documentation updates added.
Patch sent for community review. During a 2 week period any exploiter may comment on the patch, request changes or turn it down completely (with good reason). For the time being the patch is part of the "Experimental" branch in CVS.
Patched a couple of bugs in the new SSLConfigurationTest:
1. In the Windows environment, due to some differences in timing, the last three tests in testWBEMListenerTrust() were throwing SocketException rather than the expected SSLHandshakeException, causing these tests to fail. Fix is to catch SocketException.
2. On some systems, testWBEMClientTrust() and testWBEMListenerTrust() were not working properly because the addListener() call reuses the port, with insufficient time to release it following the previous removeListener(). Rather than add sleeps, just allowed addListener() to choose a random port for each test case.
Also, fixed a minor error in secure_indications.html.
Patch against HEAD
The community review has completed and we received no substantial criticism. Therefore the patch has been approved and merged into the "HEAD" branch. The next release will pick it up.
The patch was picked up by release 2.2.0 and will therefore be closed.