mirror of
https://github.com/corda/corda.git
synced 2025-06-14 13:18:18 +00:00
CORDA-2935: Align timeouts for CRL retrieval and TLS handshake (#5125)
This commit is contained in:
Viktor Kolomeyko
committed by
Matthew Nesbit
Matthew Nesbit
parent
2ed877eb2f
commit
355604457f
@ -19,6 +19,8 @@ import java.util.*
|
|||||||
import javax.net.ssl.*
|
import javax.net.ssl.*
|
||||||
|
|
||||||
private const val HOSTNAME_FORMAT = "%s.corda.net"
|
private const val HOSTNAME_FORMAT = "%s.corda.net"
|
||||||
|
private const val SSL_HANDSHAKE_TIMEOUT_PROP_NAME = "corda.netty.sslHelper.handshakeTimeout"
|
||||||
|
private const val DEFAULT_SSL_TIMEOUT = 20000 // Aligned with sun.security.provider.certpath.URICertStore.DEFAULT_CRL_CONNECT_TIMEOUT
|
||||||
|
|
||||||
internal class LoggingTrustManagerWrapper(val wrapped: X509ExtendedTrustManager) : X509ExtendedTrustManager() {
|
internal class LoggingTrustManagerWrapper(val wrapped: X509ExtendedTrustManager) : X509ExtendedTrustManager() {
|
||||||
companion object {
|
companion object {
|
||||||
@ -123,7 +125,9 @@ internal fun createClientSslHelper(target: NetworkHostAndPort,
|
|||||||
sslParameters.serverNames = listOf(SNIHostName(x500toHostName(expectedRemoteLegalNames.single())))
|
sslParameters.serverNames = listOf(SNIHostName(x500toHostName(expectedRemoteLegalNames.single())))
|
||||||
sslEngine.sslParameters = sslParameters
|
sslEngine.sslParameters = sslParameters
|
||||||
}
|
}
|
||||||
return SslHandler(sslEngine)
|
val sslHandler = SslHandler(sslEngine)
|
||||||
|
sslHandler.handshakeTimeoutMillis = Integer.getInteger(SSL_HANDSHAKE_TIMEOUT_PROP_NAME, DEFAULT_SSL_TIMEOUT).toLong()
|
||||||
|
return sslHandler
|
||||||
}
|
}
|
||||||
|
|
||||||
internal fun createServerSslHelper(keyManagerFactory: KeyManagerFactory,
|
internal fun createServerSslHelper(keyManagerFactory: KeyManagerFactory,
|
||||||
@ -138,7 +142,9 @@ internal fun createServerSslHelper(keyManagerFactory: KeyManagerFactory,
|
|||||||
sslEngine.enabledProtocols = ArtemisTcpTransport.TLS_VERSIONS.toTypedArray()
|
sslEngine.enabledProtocols = ArtemisTcpTransport.TLS_VERSIONS.toTypedArray()
|
||||||
sslEngine.enabledCipherSuites = ArtemisTcpTransport.CIPHER_SUITES.toTypedArray()
|
sslEngine.enabledCipherSuites = ArtemisTcpTransport.CIPHER_SUITES.toTypedArray()
|
||||||
sslEngine.enableSessionCreation = true
|
sslEngine.enableSessionCreation = true
|
||||||
return SslHandler(sslEngine)
|
val sslHandler = SslHandler(sslEngine)
|
||||||
|
sslHandler.handshakeTimeoutMillis = Integer.getInteger(SSL_HANDSHAKE_TIMEOUT_PROP_NAME, DEFAULT_SSL_TIMEOUT).toLong()
|
||||||
|
return sslHandler
|
||||||
}
|
}
|
||||||
|
|
||||||
internal fun initialiseTrustStoreAndEnableCrlChecking(trustStore: CertificateStore, crlCheckSoftFail: Boolean): ManagerFactoryParameters {
|
internal fun initialiseTrustStoreAndEnableCrlChecking(trustStore: CertificateStore, crlCheckSoftFail: Boolean): ManagerFactoryParameters {
|
||||||
|
|||||||
@ -83,6 +83,9 @@ class CertificateRevocationListNodeTests {
|
|||||||
private abstract class AbstractNodeConfiguration : NodeConfiguration
|
private abstract class AbstractNodeConfiguration : NodeConfiguration
|
||||||
|
|
||||||
companion object {
|
companion object {
|
||||||
|
|
||||||
|
const val FORBIDDEN_CRL = "forbidden.crl"
|
||||||
|
|
||||||
fun createRevocationList(clrServer: CrlServer, signatureAlgorithm: String, caCertificate: X509Certificate,
|
fun createRevocationList(clrServer: CrlServer, signatureAlgorithm: String, caCertificate: X509Certificate,
|
||||||
caPrivateKey: PrivateKey,
|
caPrivateKey: PrivateKey,
|
||||||
endpoint: String,
|
endpoint: String,
|
||||||
@ -493,6 +496,13 @@ class CertificateRevocationListNodeTests {
|
|||||||
.build()
|
.build()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@GET
|
||||||
|
@Path(FORBIDDEN_CRL)
|
||||||
|
@Produces("application/pkcs7-crl")
|
||||||
|
fun getNodeSlowCRL(): Response {
|
||||||
|
return Response.status(Response.Status.FORBIDDEN).build()
|
||||||
|
}
|
||||||
|
|
||||||
@GET
|
@GET
|
||||||
@Path("intermediate.crl")
|
@Path("intermediate.crl")
|
||||||
@Produces("application/pkcs7-crl")
|
@Produces("application/pkcs7-crl")
|
||||||
@ -588,4 +598,33 @@ class CertificateRevocationListNodeTests {
|
|||||||
)
|
)
|
||||||
}.withMessage("Unknown signature type requested: EC")
|
}.withMessage("Unknown signature type requested: EC")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
fun `AMPQ Client to Server connection succeeds when CRL retrieval is forbidden and soft fail is enabled`() {
|
||||||
|
val crlCheckSoftFail = true
|
||||||
|
val forbiddenUrl = "http://${server.hostAndPort}/crl/$FORBIDDEN_CRL"
|
||||||
|
val (amqpServer, _) = createServer(
|
||||||
|
serverPort,
|
||||||
|
crlCheckSoftFail = crlCheckSoftFail,
|
||||||
|
nodeCrlDistPoint = forbiddenUrl,
|
||||||
|
tlsCrlDistPoint = forbiddenUrl)
|
||||||
|
amqpServer.use {
|
||||||
|
amqpServer.start()
|
||||||
|
amqpServer.onReceive.subscribe {
|
||||||
|
it.complete(true)
|
||||||
|
}
|
||||||
|
val (amqpClient, _) = createClient(
|
||||||
|
serverPort,
|
||||||
|
crlCheckSoftFail,
|
||||||
|
nodeCrlDistPoint = forbiddenUrl,
|
||||||
|
tlsCrlDistPoint = forbiddenUrl)
|
||||||
|
amqpClient.use {
|
||||||
|
val serverConnected = amqpServer.onConnection.toFuture()
|
||||||
|
amqpClient.onConnection.toFuture()
|
||||||
|
amqpClient.start()
|
||||||
|
val serverConnect = serverConnected.get()
|
||||||
|
assertEquals(true, serverConnect.connected)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user