//
// ========================================================================
// Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.client;
import java.io.IOException;
import java.nio.channels.ClosedChannelException;
import java.security.cert.CertificateException;
import java.util.concurrent.ExecutionException;
import javax.net.ssl.SSLHandshakeException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.NetworkConnector;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.thread.QueuedThreadPool;
import org.hamcrest.Matchers;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
/**
* This test class runs tests to make sure that hostname verification (http://www.ietf.org/rfc/rfc2818.txt
* section 3.1) is configurable in SslContextFactory and works as expected.
*/
public class HostnameVerificationTest
{
private SslContextFactory clientSslContextFactory = new SslContextFactory();
private Server server = new Server();
private HttpClient client;
private NetworkConnector connector;
@Before
public void setUp() throws Exception
{
SslContextFactory serverSslContextFactory = new SslContextFactory();
serverSslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
serverSslContextFactory.setKeyStorePassword("storepwd");
connector = new ServerConnector(server, serverSslContextFactory);
server.addConnector(connector);
server.setHandler(new DefaultHandler()
{
@Override
public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
{
baseRequest.setHandled(true);
response.getWriter().write("foobar");
}
});
server.start();
// keystore contains a hostname which doesn't match localhost
clientSslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
clientSslContextFactory.setKeyStorePassword("storepwd");
QueuedThreadPool executor = new QueuedThreadPool();
executor.setName(executor.getName() + "-client");
client = new HttpClient(clientSslContextFactory);
client.setExecutor(executor);
client.start();
}
@After
public void tearDown() throws Exception
{
client.stop();
server.stop();
server.join();
}
/**
* This test is supposed to verify that hostname verification works as described in:
* http://www.ietf.org/rfc/rfc2818.txt section 3.1. It uses a certificate with a common name different to localhost
* and sends a request to localhost. This should fail with a SSLHandshakeException.
*
* @throws Exception
*/
@Test
public void simpleGetWithHostnameVerificationEnabledTest() throws Exception
{
clientSslContextFactory.setEndpointIdentificationAlgorithm("HTTPS");
String uri = "https://localhost:" + connector.getLocalPort() + "/";
try
{
client.GET(uri);
Assert.fail("sending request to client should have failed with an Exception!");
}
catch (ExecutionException x)
{
// The test may fail in 2 ways, since the CertificateException thrown because of the hostname
// verification failure is not rethrown immediately by the JDK SSL implementation, but only
// rethrown on the next read or write.
// Therefore this test may catch a SSLHandshakeException, or a ClosedChannelException.
// If it is the former, we verify that its cause is a CertificateException.
// ExecutionException wraps an SSLHandshakeException
Throwable cause = x.getCause();
if (cause==null)
{
x.printStackTrace();
Assert.fail("No cause?");
}
if (cause instanceof SSLHandshakeException)
Assert.assertThat(cause.getCause().getCause(), Matchers.instanceOf(CertificateException.class));
else
Assert.assertThat(cause.getCause(), Matchers.instanceOf(ClosedChannelException.class));
}
}
/**
* This test has hostname verification disabled and connecting, ssl handshake and sending the request should just
* work fine.
*
* @throws Exception
*/
@Test
public void simpleGetWithHostnameVerificationDisabledTest() throws Exception
{
clientSslContextFactory.setEndpointIdentificationAlgorithm(null);
String uri = "https://localhost:" + connector.getLocalPort() + "/";
try
{
client.GET(uri);
}
catch (ExecutionException e)
{
Assert.fail("SSLHandshake should work just fine as hostname verification is disabled! " + e.getMessage());
}
}
/**
* This test has hostname verification disabled by setting trustAll to true and connecting,
* ssl handshake and sending the request should just work fine.
*
* @throws Exception
*/
@Test
public void trustAllDisablesHostnameVerificationTest() throws Exception
{
clientSslContextFactory.setTrustAll(true);
String uri = "https://localhost:" + connector.getLocalPort() + "/";
try
{
client.GET(uri);
}
catch (ExecutionException e)
{
Assert.fail("SSLHandshake should work just fine as hostname verification is disabled! " + e.getMessage());
}
}
}