Merge pull request #875 from stokito/direct_tls
Refactor: rename the confusing "Old SSL" to "Direct TLS"
Plyha authored Aug 24, 2024
2 parents b53b814 + 6ee0092 commit 3da5d35
Showing 5 changed files with 118 additions and 121 deletions.
76 changes: 41 additions & 35 deletions core/src/main/java/org/jivesoftware/AccountCreationWizard.java
Expand Up @@ -52,6 +52,8 @@
import java.security.NoSuchProviderException;
import java.security.UnrecoverableKeyException;

import static org.jivesoftware.sparkimpl.certificates.SparkSSLContextCreator.Options.ONLY_SERVER_SIDE;

/**
* Allows the creation of accounts on an XMPP server.
*/
Expand Down Expand Up @@ -347,7 +349,7 @@ private XMPPConnection getConnection() throws SmackException, IOException, XMPPE
}

ConnectionConfiguration.SecurityMode securityMode = localPreferences.getSecurityMode();
boolean useOldSSL = localPreferences.isSSL();
boolean useDirectTls = localPreferences.isDirectTls();
boolean hostPortConfigured = localPreferences.isHostAndPortConfigured();

final XMPPTCPConnectionConfiguration.Builder builder = XMPPTCPConnectionConfiguration.builder()
Expand All @@ -361,40 +363,7 @@ private XMPPConnection getConnection() throws SmackException, IOException, XMPPE
{
builder.setHost( localPreferences.getXmppHost() );
}

if (securityMode != ConnectionConfiguration.SecurityMode.disabled && !useOldSSL) {
// This use STARTTLS which starts initially plain connection to upgrade it to TLS, it use the same port as
// plain connections which is 5222.
try {
SSLContext context = SparkSSLContextCreator.setUpContext(SparkSSLContextCreator.Options.ONLY_SERVER_SIDE);
builder.setSslContextFactory(() -> { return context; });
builder.setSecurityMode( securityMode );
builder.setCustomX509TrustManager(new SparkTrustManager());
} catch (NoSuchAlgorithmException | KeyManagementException | UnrecoverableKeyException | KeyStoreException | NoSuchProviderException e) {
Log.warning("Couldnt establish secured connection", e);
}
}

if ( securityMode != ConnectionConfiguration.SecurityMode.disabled && useOldSSL )
{
if (!hostPortConfigured) {
// SMACK 4.1.9 does not support XEP-0368, and does not apply a port change, if the host is not changed too.
// Here, we force the host to be set (by doing a DNS lookup), and force the port to 5223 (which is the
// default 'old-style' SSL port).
DnsName serverNameDnsName = DnsName.from(serverName);
java.util.List<InetAddress> resolvedAddresses = DNSUtil.getDNSResolver().lookupHostAddress(serverNameDnsName, null, DnssecMode.disabled);
if (resolvedAddresses.isEmpty()) {
throw new SmackException.SmackMessageException("Could not resolve " + serverNameDnsName);
}
builder.setHost( resolvedAddresses.get( 0 ).getHostName() );
builder.setPort( 5223 );
}
builder.setSocketFactory( new SparkSSLSocketFactory(SparkSSLContextCreator.Options.ONLY_SERVER_SIDE) );
// SMACK 4.1.9 does not recognize an 'old-style' SSL socket as being secure, which will cause a failure when
// the 'required' Security Mode is defined. Here, we work around this by replacing that security mode with an
// 'if-possible' setting.
builder.setSecurityMode( ConnectionConfiguration.SecurityMode.ifpossible );
}
configureConnectionTls(builder, securityMode, useDirectTls, hostPortConfigured, serverName);

final XMPPTCPConnectionConfiguration configuration = builder.build();

Expand All @@ -409,6 +378,43 @@ private XMPPConnection getConnection() throws SmackException, IOException, XMPPE
return connection;
}

private void configureConnectionTls(XMPPTCPConnectionConfiguration.Builder builder, ConnectionConfiguration.SecurityMode securityMode, boolean useDirectTls, boolean hostPortConfigured, String serverName) throws SmackException.SmackMessageException {
if (securityMode != ConnectionConfiguration.SecurityMode.disabled) {
if (!useDirectTls) {
// This use STARTTLS which starts initially plain connection to upgrade it to TLS, it use the same port as
// plain connections which is 5222.
SparkSSLContextCreator.Options options = ONLY_SERVER_SIDE;
try {
SSLContext context = SparkSSLContextCreator.setUpContext(options);
builder.setSslContextFactory(() -> context);
builder.setSecurityMode(securityMode);
builder.setCustomX509TrustManager(new SparkTrustManager());
} catch (NoSuchAlgorithmException | KeyManagementException | UnrecoverableKeyException | KeyStoreException | NoSuchProviderException e) {
Log.warning("Could not establish secured connection", e);
}
} else { // useDirectTls
if (!hostPortConfigured) {
// SMACK 4.1.9 does not support XEP-0368, and does not apply a port change, if the host is not changed too.
// Here, we force the host to be set (by doing a DNS lookup), and force the port to 5223 (which is the
// default 'old-style' SSL port).
DnsName serverNameDnsName = DnsName.from(serverName);
java.util.List<InetAddress> resolvedAddresses = DNSUtil.getDNSResolver().lookupHostAddress(serverNameDnsName, null, DnssecMode.disabled);
if (resolvedAddresses.isEmpty()) {
throw new SmackException.SmackMessageException("Could not resolve " + serverNameDnsName);
}
builder.setHost( resolvedAddresses.get( 0 ).getHostName() );
builder.setPort( 5223 );
}
SparkSSLContextCreator.Options options = ONLY_SERVER_SIDE;
builder.setSocketFactory( new SparkSSLSocketFactory(options) );
// SMACK 4.1.9 does not recognize an 'old-style' SSL socket as being secure, which will cause a failure when
// the 'required' Security Mode is defined. Here, we work around this by replacing that security mode with an
// 'if-possible' setting.
builder.setSecurityMode( ConnectionConfiguration.SecurityMode.ifpossible );
}
}
}

/**
* Returns true if the user is registered.
*
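Review bot: In the new configureConnectionTls (L81–L116), a failure to build the SSL context is only logged at L93 and the method returns normally, so the builder is left without the custom SSLContext, SparkTrustManager and securityMode the STARTTLS branch meant to install; since the signature already declares SmackException.SmackMessageException, rethrowing there would fail closed instead of continuing with whatever TLS setup the builder defaults to. The method also has no Javadoc; add one stating that it mutates `builder` in place, that the STARTTLS branch installs the custom context and trust manager, and that the direct-TLS branch only sets SparkSSLSocketFactory and deliberately downgrades `required` to `ifpossible`. Note that LoginDialog gains a near-identical configureConnectionTls in this commit (differing in the Options choice and the exception type thrown on DNS failure) while LoginUIPanel keeps the inline version, so three variants of this TLS setup now exist and will drift unless one shared helper is extracted.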
100 changes: 46 additions & 54 deletions core/src/main/java/org/jivesoftware/LoginDialog.java
Expand Up @@ -95,6 +95,8 @@
import java.util.List;

import static org.jivesoftware.spark.util.StringUtils.modifyWildcards;
import static org.jivesoftware.sparkimpl.certificates.SparkSSLContextCreator.Options.BOTH;
import static org.jivesoftware.sparkimpl.certificates.SparkSSLContextCreator.Options.ONLY_SERVER_SIDE;

/**
* Dialog to log in a user into the Spark Server. The LoginDialog is used only
Expand Down Expand Up @@ -230,7 +232,7 @@ protected XMPPTCPConnectionConfiguration retrieveConnectionConfiguration() {
}

ConnectionConfiguration.SecurityMode securityMode = localPref.getSecurityMode();
boolean useOldSSL = localPref.isSSL();
boolean useDirectTls = localPref.isDirectTls();
boolean hostPortConfigured = localPref.isHostAndPortConfigured();

ProxyInfo proxyInfo = null;
Expand Down Expand Up @@ -276,9 +278,6 @@ protected XMPPTCPConnectionConfiguration retrieveConnectionConfiguration() {
.setCompressionEnabled(localPref.isCompressionEnabled())
.setSecurityMode(securityMode);

if (securityMode != ConnectionConfiguration.SecurityMode.disabled && localPref.isDisableHostnameVerification()) {
TLSUtils.disableHostnameVerificationForTlsCertificates(builder);
}
if (localPref.isDebuggerEnabled()) {
builder.enableDefaultDebugger();
}
Expand All @@ -290,55 +289,7 @@ protected XMPPTCPConnectionConfiguration retrieveConnectionConfiguration() {
if (localPref.isProxyEnabled()) {
builder.setProxyInfo(proxyInfo);
}

if (securityMode != ConnectionConfiguration.SecurityMode.disabled && !useOldSSL) {
// This use STARTTLS which starts initially plain connection to upgrade it to TLS, it use the same port as
// plain connections which is 5222.
SparkSSLContextCreator.Options options;
if (localPref.isAllowClientSideAuthentication()) {
options = SparkSSLContextCreator.Options.BOTH;
} else {
options = SparkSSLContextCreator.Options.ONLY_SERVER_SIDE;
}
try {
SSLContext context = SparkSSLContextCreator.setUpContext(options);
builder.setSslContextFactory(() -> { return context; });
builder.setSecurityMode(securityMode);
builder.setCustomX509TrustManager(new SparkTrustManager());
} catch (NoSuchAlgorithmException | KeyManagementException | UnrecoverableKeyException | KeyStoreException | NoSuchProviderException e) {
Log.warning("Couldnt establish secured connection", e);
}
}

if (securityMode != ConnectionConfiguration.SecurityMode.disabled && useOldSSL) {
if (!hostPortConfigured) {
// SMACK 4.1.9 does not support XEP-0368, and does not apply a port change, if the host is not changed too.
// Here, we force the host to be set (by doing a DNS lookup), and force the port to 5223 (which is the
// default 'old-style' SSL port).
DnsName serverNameDnsName = DnsName.from(loginServer);
java.util.List<InetAddress> resolvedAddresses = DNSUtil.getDNSResolver().lookupHostAddress(serverNameDnsName, null, DnssecMode.disabled);
if (resolvedAddresses.isEmpty()) {
throw new RuntimeException("Could not resolve " + serverNameDnsName);
}
builder.setHost(resolvedAddresses.get(0).getHostName());
builder.setPort(5223);
}
SparkSSLContextCreator.Options options;
if (localPref.isAllowClientSideAuthentication()) {
options = SparkSSLContextCreator.Options.BOTH;
} else {
options = SparkSSLContextCreator.Options.ONLY_SERVER_SIDE;
}
builder.setSocketFactory(new SparkSSLSocketFactory(options));
// SMACK 4.1.9 does not recognize an 'old-style' SSL socket as being secure, which will cause a failure when
// the 'required' Security Mode is defined. Here, we work around this by replacing that security mode with an
// 'if-possible' setting.
builder.setSecurityMode(ConnectionConfiguration.SecurityMode.ifpossible);
}

if (securityMode != ConnectionConfiguration.SecurityMode.disabled) {
SASLAuthentication.registerSASLMechanism(new SASLExternalMechanism());
}
configureConnectionTls(builder, securityMode, useDirectTls, hostPortConfigured, loginServer);

// SPARK-1747: Don't use the GSS-API SASL mechanism when SSO is disabled.
SASLAuthentication.unregisterSASLMechanism(SASLGSSAPIMechanism.class.getName());
Expand Down Expand Up @@ -369,6 +320,47 @@ protected XMPPTCPConnectionConfiguration retrieveConnectionConfiguration() {
return builder.build();
}

private void configureConnectionTls(XMPPTCPConnectionConfiguration.Builder builder, ConnectionConfiguration.SecurityMode securityMode, boolean useDirectTls, boolean hostPortConfigured, String serverName) {
if (securityMode != ConnectionConfiguration.SecurityMode.disabled) {
if (localPref.isDisableHostnameVerification()) {
TLSUtils.disableHostnameVerificationForTlsCertificates(builder);
}
if (!useDirectTls) {
// This use STARTTLS which starts initially plain connection to upgrade it to TLS, it use the same port as
// plain connections which is 5222.
SparkSSLContextCreator.Options options = localPref.isAllowClientSideAuthentication() ? BOTH : ONLY_SERVER_SIDE;
try {
SSLContext context = SparkSSLContextCreator.setUpContext(options);
builder.setSslContextFactory(() -> context);
builder.setSecurityMode(securityMode);
builder.setCustomX509TrustManager(new SparkTrustManager());
} catch (NoSuchAlgorithmException | KeyManagementException | UnrecoverableKeyException | KeyStoreException | NoSuchProviderException e) {
Log.warning("Could not establish secured connection", e);
}
} else { // useDirectTls
if (!hostPortConfigured) {
// SMACK 4.1.9 does not support XEP-0368, and does not apply a port change, if the host is not changed too.
// Here, we force the host to be set (by doing a DNS lookup), and force the port to 5223 (which is the
// default 'old-style' SSL port).
DnsName serverNameDnsName = DnsName.from(serverName);
java.util.List<InetAddress> resolvedAddresses = DNSUtil.getDNSResolver().lookupHostAddress(serverNameDnsName, null, DnssecMode.disabled);
if (resolvedAddresses.isEmpty()) {
throw new RuntimeException("Could not resolve " + serverNameDnsName);
}
builder.setHost(resolvedAddresses.get(0).getHostName());
builder.setPort(5223);
}
SparkSSLContextCreator.Options options = localPref.isAllowClientSideAuthentication() ? BOTH : ONLY_SERVER_SIDE;
builder.setSocketFactory(new SparkSSLSocketFactory(options));
// SMACK 4.1.9 does not recognize an 'old-style' SSL socket as being secure, which will cause a failure when
// the 'required' Security Mode is defined. Here, we work around this by replacing that security mode with an
// 'if-possible' setting.
builder.setSecurityMode(ConnectionConfiguration.SecurityMode.ifpossible);
}
SASLAuthentication.registerSASLMechanism(new SASLExternalMechanism());
}
}

/**
* Define Login Panel implementation.
*/
Expand Down Expand Up @@ -1619,7 +1611,7 @@ private void initAdvancedDefaults() {
// localPref.setProxyUsername("");
localPref.setResource(localPref.getResource());
localPref.setSaslGssapiSmack3Compatible(localPref.isSaslGssapiSmack3Compatible());
localPref.setSSL(localPref.isSSL());
localPref.setDirectTls(localPref.isDirectTls());
localPref.setSecurityMode(localPref.getSecurityMode());
localPref.setSSOEnabled(localPref.isSSOEnabled());
localPref.setSSOMethod("file");
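Review bot: In LoginDialog.configureConnectionTls (L213–L252), the `isDisableHostnameVerification()` branch at L215–L217 now turns off certificate hostname checking for both the STARTTLS and the direct-TLS path without leaving any trace in the log; a line such as `Log.warning("TLS hostname verification is disabled by user preference");` before the TLSUtils call would make a deliberately weakened connection visible when an incident is reviewed. The DNS-failure path at L238 throws a bare RuntimeException, whereas the sibling copy added to AccountCreationWizard throws SmackException.SmackMessageException for the same condition; a consistent, more specific type across both copies would let callers tell a resolution failure from a programming error. The SASLExternalMechanism registration at L250 is a static call that appears to be process-wide yet is executed on every invocation of this per-login method; a short comment saying that is intentional, or a guard so it runs once, would help the next reader.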
8 changes: 4 additions & 4 deletions core/src/main/java/org/jivesoftware/gui/LoginUIPanel.java
Expand Up @@ -689,7 +689,7 @@ protected XMPPTCPConnectionConfiguration retrieveConnectionConfiguration() {
}

ConnectionConfiguration.SecurityMode securityMode = localPref.getSecurityMode();
boolean useOldSSL = localPref.isSSL();
boolean useDirectTls = localPref.isDirectTls();
boolean hostPortConfigured = localPref.isHostAndPortConfigured();

ProxyInfo proxyInfo = null;
Expand Down Expand Up @@ -750,7 +750,7 @@ protected XMPPTCPConnectionConfiguration retrieveConnectionConfiguration() {
builder.setProxyInfo(proxyInfo);
}

if (securityMode != ConnectionConfiguration.SecurityMode.disabled && !useOldSSL) {
if (securityMode != ConnectionConfiguration.SecurityMode.disabled && !useDirectTls) {
// This use STARTTLS which starts initially plain connection to upgrade it to TLS, it use the same port as
// plain connections which is 5222.
SparkSSLContextCreator.Options options;
Expand All @@ -769,7 +769,7 @@ protected XMPPTCPConnectionConfiguration retrieveConnectionConfiguration() {
}
}

if (securityMode != ConnectionConfiguration.SecurityMode.disabled && useOldSSL) {
if (securityMode != ConnectionConfiguration.SecurityMode.disabled && useDirectTls) {
if (!hostPortConfigured) {
// SMACK 4.1.9 does not support XEP-0368, and does not apply a port change, if the host is not changed too.
// Here, we force the host to be set (by doing a DNS lookup), and force the port to 5223 (which is the
Expand Down Expand Up @@ -1719,7 +1719,7 @@ private void initAdvancedDefaults() {
// localPref.setProxyUsername("");
localPref.setResource(localPref.getResource());
localPref.setSaslGssapiSmack3Compatible(localPref.isSaslGssapiSmack3Compatible());
localPref.setSSL(localPref.isSSL());
localPref.setDirectTls(localPref.isDirectTls());
localPref.setSecurityMode(localPref.getSecurityMode());
localPref.setSSOEnabled(localPref.isSSOEnabled());
localPref.setSSOMethod("file");
