|
30 | 30 | import com.rabbitmq.stream.impl.TestUtils.DisabledIfAuthMechanismSslNotEnabled; |
31 | 31 | import com.rabbitmq.stream.impl.TestUtils.DisabledIfTlsNotEnabled; |
32 | 32 | import com.rabbitmq.stream.sasl.DefaultSaslConfiguration; |
33 | | -import io.netty.channel.Channel; |
34 | 33 | import io.netty.handler.ssl.SslContext; |
35 | 34 | import io.netty.handler.ssl.SslContextBuilder; |
36 | | -import io.netty.handler.ssl.SslHandler; |
37 | 35 | import java.io.File; |
38 | 36 | import java.io.FileInputStream; |
39 | 37 | import java.net.InetAddress; |
|
50 | 48 | import java.util.Collections; |
51 | 49 | import java.util.UUID; |
52 | 50 | import java.util.concurrent.CountDownLatch; |
53 | | -import java.util.function.Consumer; |
54 | 51 | import java.util.stream.IntStream; |
55 | 52 | import javax.net.ssl.SNIHostName; |
56 | 53 | import javax.net.ssl.SSLException; |
57 | 54 | import javax.net.ssl.SSLHandshakeException; |
58 | | -import javax.net.ssl.SSLParameters; |
59 | 55 | import org.junit.jupiter.api.Test; |
60 | 56 | import org.junit.jupiter.api.extension.ExtendWith; |
61 | 57 |
|
@@ -192,26 +188,32 @@ void unverifiedConnection() { |
192 | 188 | } |
193 | 189 |
|
194 | 190 | @Test |
195 | | - void unverifiedConnectionWithSni() { |
196 | | - Consumer<Channel> channelCustomizer = |
197 | | - ch -> { |
198 | | - SslHandler sslHandler = ch.pipeline().get(SslHandler.class); |
199 | | - if (sslHandler != null) { |
200 | | - SSLParameters sslParameters = sslHandler.engine().getSSLParameters(); |
201 | | - sslParameters.setServerNames(Collections.singletonList(new SNIHostName("localhost"))); |
202 | | - sslHandler.engine().setSSLParameters(sslParameters); |
203 | | - } |
204 | | - }; |
205 | | - cf.get( |
206 | | - new ClientParameters() |
207 | | - .sslContext(alwaysTrustSslContext()) |
208 | | - .channelCustomizer(channelCustomizer)); |
| 191 | + void verifiedConnectionWithCorrectServerCertificate() throws Exception { |
| 192 | + // in server certificate SAN |
| 193 | + String hostname = "localhost"; |
| 194 | + SslContext context = SslContextBuilder.forClient().trustManager(caCertificate()).build(); |
| 195 | + cf.get(new ClientParameters().host(hostname).sslContext(context)); |
209 | 196 | } |
210 | 197 |
|
211 | 198 | @Test |
212 | | - void verifiedConnectionWithCorrectServerCertificate() throws Exception { |
| 199 | + void verifiedConnectionWithCorrectServerCertificateWithSni() throws Exception { |
| 200 | + // not in server certificate SAN, but setting SNI makes it work |
| 201 | + String hostname = "127.0.0.1"; |
| 202 | + SslContext context = |
| 203 | + SslContextBuilder.forClient() |
| 204 | + .trustManager(caCertificate()) |
| 205 | + .serverName(new SNIHostName("localhost")) |
| 206 | + .build(); |
| 207 | + cf.get(new ClientParameters().host(hostname).sslContext(context)); |
| 208 | + } |
| 209 | + |
| 210 | + @Test |
| 211 | + void verifiedConnectionWithCorrectServerCertificateFailsIfHostnameNotInSan() throws Exception { |
| 212 | + // not in server certificate SAN |
| 213 | + String hostname = "127.0.0.1"; |
213 | 214 | SslContext context = SslContextBuilder.forClient().trustManager(caCertificate()).build(); |
214 | | - cf.get(new ClientParameters().sslContext(context)); |
| 215 | + assertThatThrownBy(() -> cf.get(new ClientParameters().host(hostname).sslContext(context))) |
| 216 | + .hasCauseInstanceOf(SSLHandshakeException.class); |
215 | 217 | } |
216 | 218 |
|
217 | 219 | @Test |
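Review bot: The comment in `verifiedConnectionWithCorrectServerCertificateWithSni`, "not in server certificate SAN, but setting SNI makes it work", does not say why it works, and the reason is security-relevant. The test connects to `127.0.0.1` and is expected to succeed, so the certificate is evidently matched against the SNI name `localhost` rather than the host given to `ClientParameters.host(...)`. Because `serverName(...)` is set on the `SslContext` and not per connection, any client reusing that context would presumably be verified against the same fixed name whatever address it dials. I would spell that out, e.g. `// 127.0.0.1 is not in the server certificate SAN; the certificate is verified against the SNI name "localhost" instead of the connection host`. The negative test after it relies on the test certificate carrying no IP SAN for `127.0.0.1`, so a short comment saying where that certificate is generated would help whoever regenerates it.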
|