Start admin console and http binding even with invalid certificates. JM-968

git-svn-id: http://svn.igniterealtime.org/svn/repos/wildfire/trunk@7056 b35dd754-fafc-0310-a699-88a17e54d16e

src/java/org/jivesoftware/util/CertificateManager.java

@@ -278,7 +278,7 @@ public class CertificateManager {
      * Returns true if a certificate with the specifed configuration was found in the key store.
      *
      * @param ksKeys the keystore to use for searching the certificate.
-     * @param domain the domain present in the subjectAltName.
+     * @param domain the domain present in the subjectAltName or "*" if anything is accepted.
      * @param algorithm the DSA or RSA algorithm used by the certificate.
      * @return true if a certificate with the specifed configuration was found in the key store.
      * @throws KeyStoreException
@@ -286,11 +286,20 @@ public class CertificateManager {
     private static boolean isCertificate(KeyStore ksKeys, String domain, String algorithm) throws KeyStoreException {
         for (Enumeration<String> aliases = ksKeys.aliases(); aliases.hasMoreElements();) {
             X509Certificate certificate = (X509Certificate) ksKeys.getCertificate(aliases.nextElement());
-            for (String identity : getPeerIdentities(certificate)) {
-                if (identity.endsWith(domain) && certificate.getPublicKey().getAlgorithm().equals(algorithm)) {
+            if ("*".equals(domain)) {
+                // Any domain certified by the certificate is accepted
+                if (certificate.getPublicKey().getAlgorithm().equals(algorithm)) {
                     return true;
                 }
             }
+            else {
+                // Only accept certified domains that match the specified domain
+                for (String identity : getPeerIdentities(certificate)) {
+                    if (identity.endsWith(domain) && certificate.getPublicKey().getAlgorithm().equals(algorithm)) {
+                        return true;
+                    }
+                }
+            }
         }
         return false;
     }

src/java/org/jivesoftware/wildfire/container/AdminConsolePlugin.java

@@ -92,9 +92,13 @@ public class AdminConsolePlugin implements Plugin {
 
         // Create a connector for https traffic if it's enabled.
         try {
-            if (adminSecurePort > 0 && CertificateManager.isRSACertificate(SSLConfig.getKeyStore(),
-                        XMPPServer.getInstance().getServerInfo().getName()))
+            if (adminSecurePort > 0 && CertificateManager.isRSACertificate(SSLConfig.getKeyStore(), "*"))
             {
+                if (!CertificateManager.isRSACertificate(SSLConfig.getKeyStore(),
+                        XMPPServer.getInstance().getServerInfo().getName())) {
+                    Log.warn("Admin console: Using RSA certificates but they are not valid for the hosted domain");
+                }
+                         
                 JiveSslConnector httpsConnector = new JiveSslConnector();
                 String interfaceName = JiveGlobals.getXMLProperty("network.interface");
                 String bindInterface = null;

src/java/org/jivesoftware/wildfire/http/HttpBindManager.java

@@ -129,8 +129,12 @@ public final class HttpBindManager {
 
     private Connector createSSLConnector(int securePort) {
         try {
-            if (securePort > 0 && CertificateManager.isRSACertificate(SSLConfig.getKeyStore(),
-                    XMPPServer.getInstance().getServerInfo().getName())) {
+            if (securePort > 0 && CertificateManager.isRSACertificate(SSLConfig.getKeyStore(), "*")) {
+                if (!CertificateManager.isRSACertificate(SSLConfig.getKeyStore(),
+                        XMPPServer.getInstance().getServerInfo().getName())) {
+                    Log.warn("HTTP binding: Using RSA certificates but they are not valid for the hosted domain");
+                }
+
                 SslSocketConnector sslConnector = new JiveSslConnector();
                 sslConnector.setHost(getBindInterface());
                 sslConnector.setPort(securePort);