ENT-9806: Added peer info to SSL handshake logging, and other changes for ENT merge (#7380)

node-api/src/main/kotlin/net/corda/nodeapi/internal/ArtemisTcpTransport.kt

@@ -85,7 +85,7 @@ class ArtemisTcpTransport {
 
         fun p2pAcceptorTcpTransport(hostAndPort: NetworkHostAndPort,
                                     config: MutualSslConfiguration?,
-                                    trustManagerFactory: TrustManagerFactory?,
+                                    trustManagerFactory: TrustManagerFactory? = config?.trustStore?.get()?.let(::trustManagerFactory),
                                     enableSSL: Boolean = true,
                                     threadPoolName: String = "P2PServer",
                                     trace: Boolean = false,

node-api/src/main/kotlin/net/corda/nodeapi/internal/protonwrapper/netty/SSLHelper.kt

@@ -305,9 +305,11 @@ internal fun splitKeystore(config: AMQPConfiguration): Map<String, CertHoldingKe
 
 // As per Javadoc in: https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/KeyManagerFactory.html `init` method
 // 2nd parameter `password` - the password for recovering keys in the KeyStore
+fun KeyManagerFactory.init(keyStore: CertificateStore) = init(keyStore.value.internal, keyStore.entryPassword.toCharArray())
+
 fun keyManagerFactory(keyStore: CertificateStore): KeyManagerFactory {
     val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
-    keyManagerFactory.init(keyStore.value.internal, keyStore.entryPassword.toCharArray())
+    keyManagerFactory.init(keyStore)
     return keyManagerFactory
 }
 

node/src/integration-test/kotlin/net/corda/services/messaging/SimpleAMQPClient.kt

@@ -3,6 +3,8 @@ package net.corda.services.messaging
 import net.corda.core.internal.concurrent.openFuture
 import net.corda.core.utilities.NetworkHostAndPort
 import net.corda.nodeapi.internal.config.MutualSslConfiguration
+import net.corda.nodeapi.internal.protonwrapper.netty.keyManagerFactory
+import net.corda.nodeapi.internal.protonwrapper.netty.trustManagerFactory
 import org.apache.qpid.jms.JmsConnectionFactory
 import org.apache.qpid.jms.meta.JmsConnectionInfo
 import org.apache.qpid.jms.provider.Provider
@@ -24,9 +26,7 @@ import javax.jms.Connection
 import javax.jms.Message
 import javax.jms.MessageProducer
 import javax.jms.Session
-import javax.net.ssl.KeyManagerFactory
 import javax.net.ssl.SSLContext
-import javax.net.ssl.TrustManagerFactory
 
 /**
  * Simple AMQP client connecting to broker using JMS.
@@ -59,12 +59,8 @@ class SimpleAMQPClient(private val target: NetworkHostAndPort, private val confi
     private lateinit var connection: Connection
 
     private fun sslContext(): SSLContext {
-        val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()).apply {
+        val keyManagerFactory = keyManagerFactory(config.keyStore.get())
-            init(config.keyStore.get().value.internal, config.keyStore.entryPassword.toCharArray())
+        val trustManagerFactory = trustManagerFactory(config.trustStore.get())
-        }
-        val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()).apply {
-            init(config.trustStore.get().value.internal)
-        }
         val sslContext = SSLContext.getInstance("TLS")
         val keyManagers = keyManagerFactory.keyManagers
         val trustManagers = trustManagerFactory.trustManagers

node/src/main/kotlin/net/corda/node/services/messaging/NodeNettyAcceptorFactory.kt

@@ -31,6 +31,7 @@ import org.apache.activemq.artemis.spi.core.remoting.BufferHandler
 import org.apache.activemq.artemis.spi.core.remoting.ServerConnectionLifeCycleListener
 import org.apache.activemq.artemis.utils.ConfigurationHelper
 import org.apache.activemq.artemis.utils.actors.OrderedExecutor
+import java.net.SocketAddress
 import java.nio.channels.ClosedChannelException
 import java.nio.file.Paths
 import java.security.PrivilegedExceptionAction
@@ -41,6 +42,7 @@ import java.util.regex.Pattern
 import javax.net.ssl.KeyManagerFactory
 import javax.net.ssl.SSLContext
 import javax.net.ssl.SSLEngine
+import javax.net.ssl.SSLPeerUnverifiedException
 import javax.net.ssl.TrustManagerFactory
 import javax.security.auth.Subject
 
@@ -231,7 +233,7 @@ class NodeNettyAcceptorFactory : AcceptorFactory {
         }
 
         override fun handlerAdded(ctx: ChannelHandlerContext) {
-            logHandshake()
+            logHandshake(ctx.channel().remoteAddress())
             super.handlerAdded(ctx)
             // Unfortunately NettyAcceptor does not let us add extra child handlers, so we have to add our logger this way.
             if (trace) {
@@ -239,17 +241,22 @@ class NodeNettyAcceptorFactory : AcceptorFactory {
             }
         }
 
-        private fun logHandshake() {
+        private fun logHandshake(remoteAddress: SocketAddress) {
             val start = System.currentTimeMillis()
             handshakeFuture().addListener {
                 val duration = System.currentTimeMillis() - start
+                val peer = try {
+                    engine().session.peerPrincipal
+                } catch (e: SSLPeerUnverifiedException) {
+                    remoteAddress
+                }
                 when {
-                    it.isSuccess -> logger.info("SSL handshake completed in ${duration}ms with ${engine().session.peerPrincipal}")
+                    it.isSuccess -> logger.info("SSL handshake completed in ${duration}ms with $peer")
-                    it.isCancelled -> logger.warn("SSL handshake cancelled after ${duration}ms")
+                    it.isCancelled -> logger.warn("SSL handshake cancelled after ${duration}ms with $peer")
                     else -> when (it.cause()) {
-                        is ClosedChannelException -> logger.warn("SSL handshake closed early after ${duration}ms")
+                        is ClosedChannelException -> logger.warn("SSL handshake closed early after ${duration}ms with $peer")
-                        is SslHandshakeTimeoutException -> logger.warn("SSL handshake timed out after ${duration}ms")
+                        is SslHandshakeTimeoutException -> logger.warn("SSL handshake timed out after ${duration}ms with $peer")
-                        else -> logger.warn("SSL handshake failed after ${duration}ms", it.cause())
+                        else -> logger.warn("SSL handshake failed after ${duration}ms with $peer", it.cause())
                     }
                 }
             }