Commit 2b57174d authored by Gaston Dombiak's avatar Gaston Dombiak Committed by gato

Fixed TLS for s2s. JM-1206

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@9636 b35dd754-fafc-0310-a699-88a17e54d16e
parent 970100f2
...@@ -290,14 +290,22 @@ public interface Connection { ...@@ -290,14 +290,22 @@ public interface Connection {
PacketDeliverer getPacketDeliverer(); PacketDeliverer getPacketDeliverer();
/** /**
* Secures the plain connection by negotiating TLS with the client. When connecting * Secures the plain connection by negotiating TLS with the other peer. In a server-2-server
* to a remote server then <tt>clientMode</tt> will be <code>true</code> and * connection the server requesting the TLS negotiation will be the client and the other server
* <tt>remoteServer</tt> is the server name of the remote server. Otherwise <tt>clientMode</tt> * will be the server during the TLS negotiation. Therefore, the server requesting the TLS
* will be <code>false</code> and <tt>remoteServer</tt> null. * negotiation must pass <code>true</code> in the <tt>clientMode</tt> parameter and the server
* * receiving the TLS request must pass <code>false</code> in the <tt>clientMode</tt> parameter.
* @param clientMode boolean indicating if this entity is a client or a server. * Both servers should specify the xmpp domain of the other server in the <tt>remoteServer</tt>
* @param remoteServer server name of the remote server we are connecting to or <tt>null</tt> * parameter.<p>
* when not in client mode. *
* In the case of client-2-server the XMPP server must pass <code>false</code> in the
* <tt>clientMode</tt> parameter since it will behave as the server in the TLS negotiation. The
* <tt>remoteServer</tt> parameter will always be <tt>null</tt>.
*
* @param clientMode boolean indicating if this entity is a client or a server in the TLS negotiation.
* @param remoteServer xmpp domain of the remote server or <tt>null</tt>. When null a
* {@link org.jivesoftware.openfire.net.ClientTrustManager} will be used for verifying certificates
* otherwise a {@link org.jivesoftware.openfire.net.ServerTrustManager} will be used.
* @param authentication policy to use for authenticating the remote peer. * @param authentication policy to use for authenticating the remote peer.
* @throws Exception if an error occured while securing the connection. * @throws Exception if an error occured while securing the connection.
*/ */
......
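Review bot: The new `@param remoteServer` text makes the choice of trust manager depend on whether the argument is null, while the paragraph above tells both servers to pass the peer's XMPP domain; the two readings collide as soon as a caller does not yet know the domain, and nothing here says what the ServerTrustManager does with the name (I infer it is used for identity verification, but that class is not in view). I would state the contract explicitly, e.g. `@param remoteServer xmpp domain of the remote server, used to select the ServerTrustManager and, when certificate verification is enabled, as the identity the peer certificate is checked against; <tt>null</tt> only for c2s connections.` and add a sentence that a placeholder must not be passed and that a caller who does not know the domain yet must defer identity verification to whatever later step authenticates the peer. Selecting a trust manager by the nullness of a name is fragile; a dedicated parameter or a connection-type check would make the intent clearer.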
...@@ -133,6 +133,7 @@ public class MultiplexerStanzaHandler extends StanzaHandler { ...@@ -133,6 +133,7 @@ public class MultiplexerStanzaHandler extends StanzaHandler {
} }
void startTLS() throws Exception { void startTLS() throws Exception {
connection.startTLS(false, null, Connection.ClientAuth.disabled); // TODO Finish implementation. We need to get the name of the CM if we want to validate certificates of the CM that requested TLS
connection.startTLS(false, "IMPLEMENT_ME", Connection.ClientAuth.disabled);
} }
} }
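Review bot: The literal `"IMPLEMENT_ME"` on the new line is a control value, not a name: per the Connection javadoc in this commit a non-null remoteServer switches to the ServerTrustManager, so a bogus domain is now handed to the code that presumably checks the connection manager's certificate identity. With `Connection.ClientAuth.disabled` the CM certificate is not requested, so today the string should never be compared, but any future change that enables client auth here would silently verify against a fake domain. At minimum I would hoist the sentinel into one shared named constant (say `UNKNOWN_REMOTE_SERVER` on Connection) so the trust manager can detect and refuse it, and widen the TODO to `// TODO identity of the CM is NOT verified until its name is plumbed through; remoteServer is a placeholder`. The enclosing class continues outside the hunk.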
...@@ -15,8 +15,8 @@ import org.jivesoftware.openfire.Connection; ...@@ -15,8 +15,8 @@ import org.jivesoftware.openfire.Connection;
import org.jivesoftware.openfire.PacketRouter; import org.jivesoftware.openfire.PacketRouter;
import org.jivesoftware.openfire.auth.UnauthorizedException; import org.jivesoftware.openfire.auth.UnauthorizedException;
import org.jivesoftware.openfire.session.LocalIncomingServerSession; import org.jivesoftware.openfire.session.LocalIncomingServerSession;
import org.jivesoftware.util.Log;
import org.jivesoftware.util.JiveGlobals; import org.jivesoftware.util.JiveGlobals;
import org.jivesoftware.util.Log;
import org.xmlpull.v1.XmlPullParser; import org.xmlpull.v1.XmlPullParser;
import org.xmlpull.v1.XmlPullParserException; import org.xmlpull.v1.XmlPullParserException;
import org.xmpp.packet.*; import org.xmpp.packet.*;
...@@ -84,12 +84,12 @@ public class ServerStanzaHandler extends StanzaHandler { ...@@ -84,12 +84,12 @@ public class ServerStanzaHandler extends StanzaHandler {
} }
void startTLS() throws Exception { void startTLS() throws Exception {
// TODO Finish implementation. We need to get the name of the remote server!?!? // TODO Finish implementation. We need to get the name of the remote server if we want to validate certificates of the remote server that requested TLS
boolean needed = JiveGlobals.getBooleanProperty("xmpp.server.certificate.verify", true) && boolean needed = JiveGlobals.getBooleanProperty("xmpp.server.certificate.verify", true) &&
JiveGlobals.getBooleanProperty("xmpp.server.certificate.verify.chain", true) && JiveGlobals.getBooleanProperty("xmpp.server.certificate.verify.chain", true) &&
!JiveGlobals.getBooleanProperty("xmpp.server.certificate.accept-selfsigned", false); !JiveGlobals.getBooleanProperty("xmpp.server.certificate.accept-selfsigned", false);
connection.startTLS(true, "IMPLEMENT_ME", needed ? Connection.ClientAuth.needed : Connection.ClientAuth.wanted); connection.startTLS(false, "IMPLEMENT_ME", needed ? Connection.ClientAuth.needed : Connection.ClientAuth.wanted);
} }
protected void processIQ(IQ packet) throws UnauthorizedException { protected void processIQ(IQ packet) throws UnauthorizedException {
packetReceived(packet); packetReceived(packet);
......
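Review bot: In the startTLS hunk, with the default property values `needed` is true, so the new line requests the remote server's certificate (`ClientAuth.needed`) and hands the ServerTrustManager `"IMPLEMENT_ME"` as the domain to validate it against; depending on how that trust manager uses the name (not visible here) this either fails every incoming TLS handshake in the default configuration or means the peer's identity is never checked. Either outcome should be pinned down: if the peer's domain is available from the inbound stream header, pass it; if not, say so on this line with `// remoteServer is a placeholder: the peer certificate is only chain-validated here, identity must be bound later` and use a shared named constant rather than the literal. Note also that enabling `xmpp.server.certificate.accept-selfsigned` downgrades to `ClientAuth.wanted`, which lets the peer present no certificate at all rather than merely a self-signed one; if that is intentional it deserves a comment. The enclosing class is partly outside the hunk.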
...@@ -69,7 +69,8 @@ abstract class SocketReadingMode { ...@@ -69,7 +69,8 @@ abstract class SocketReadingMode {
} }
// Client requested to secure the connection using TLS. Negotiate TLS. // Client requested to secure the connection using TLS. Negotiate TLS.
try { try {
socketReader.connection.startTLS(false, null, Connection.ClientAuth.disabled); // Temporary workaround to force the usage of ServerTrustManager. This code is only used for s2s
socketReader.connection.startTLS(false, "IMPLEMENT_ME", Connection.ClientAuth.disabled);
} }
catch (IOException e) { catch (IOException e) {
Log.error("Error while negotiating TLS: " + socketReader.connection, e); Log.error("Error while negotiating TLS: " + socketReader.connection, e);
......
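Review bot: The new comment says this path is only used for s2s, but the line above it still reads "Client requested to secure the connection", and the workaround selects the ServerTrustManager while `Connection.ClientAuth.disabled` means no peer certificate is requested, so that trust manager should have nothing to verify on this path and the comment overstates what the change achieves. I would reword it to `// Peer server requested TLS. A non-null name is passed only to select the ServerTrustManager; with client auth disabled the peer's certificate is not verified here.` and reference the same named constant as the other call sites instead of repeating the `"IMPLEMENT_ME"` literal. The surrounding method starts and ends outside the hunk.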