AMQP-830 Enable Hostname Verification by default

JIRA: https://jira.spring.io/browse/AMQP-830

Author: garyrussell

spring-rabbit/src/main/java/org/springframework/amqp/rabbit/connection/RabbitConnectionFactoryBean.java

@@ -16,18 +16,19 @@
 
 package org.springframework.amqp.rabbit.connection;
 
+import java.lang.reflect.Method;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.security.KeyManagementException;
 import java.security.KeyStore;
-import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.util.Arrays;
 import java.util.Map;
 import java.util.Properties;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.ThreadFactory;
+import java.util.concurrent.atomic.AtomicReference;
 
 import javax.net.SocketFactory;
 import javax.net.ssl.KeyManager;
@@ -42,6 +43,10 @@
 import org.springframework.beans.factory.config.AbstractFactoryBean;
 import org.springframework.core.io.Resource;
 import org.springframework.core.io.support.PathMatchingResourcePatternResolver;
+import org.springframework.util.Assert;
+import org.springframework.util.ReflectionUtils;
+import org.springframework.util.ReflectionUtils.MethodCallback;
+import org.springframework.util.ReflectionUtils.MethodFilter;
 import org.springframework.util.StringUtils;
 
 import com.rabbitmq.client.ConnectionFactory;
@@ -75,6 +80,30 @@
  */
 public class RabbitConnectionFactoryBean extends AbstractFactoryBean<ConnectionFactory> {
 
+	private static final Method enableHostnameVerificationNoArgMethod;
+
+	static {
+		final AtomicReference<Method> method1 = new AtomicReference<Method>();
+		ReflectionUtils.doWithMethods(ConnectionFactory.class, new MethodCallback() {
+
+			@Override
+			public void doWith(Method m) throws IllegalArgumentException, IllegalAccessException {
+				if (m.getParameterTypes().length == 0) {
+					method1.set(m);
+				}
+			}
+
+		}, new MethodFilter() {
+
+			@Override
+			public boolean matches(Method m) {
+				return m.getName().equals("enableHostnameVerification");
+			}
+
+		});
+		enableHostnameVerificationNoArgMethod = method1.get();
+	}
+
 	private final Log logger = LogFactory.getLog(getClass());
 
 	private static final String KEY_STORE = "keyStore";
@@ -103,30 +132,32 @@ public class RabbitConnectionFactoryBean extends AbstractFactoryBean<ConnectionF
 
 	private Resource sslPropertiesLocation;
 
-	private volatile String keyStore;
+	private String keyStore;
 
-	private volatile String trustStore;
+	private String trustStore;
 
-	private volatile Resource keyStoreResource;
+	private Resource keyStoreResource;
 
-	private volatile Resource trustStoreResource;
+	private Resource trustStoreResource;
 
-	private volatile String keyStorePassphrase;
+	private String keyStorePassphrase;
 
-	private volatile String trustStorePassphrase;
+	private String trustStorePassphrase;
 
-	private volatile String keyStoreType;
+	private String keyStoreType;
 
-	private volatile String trustStoreType;
+	private String trustStoreType;
 
-	private volatile String sslAlgorithm = TLS_V1_1;
+	private String sslAlgorithm = TLS_V1_1;
 
-	private volatile boolean sslAlgorithmSet;
+	private boolean sslAlgorithmSet;
 
-	private volatile SecureRandom secureRandom;
+	private SecureRandom secureRandom;
 
 	private boolean skipServerCertificateValidation;
 
+	private boolean enableHostnameVerification;
+
 	public RabbitConnectionFactoryBean() {
 		this.connectionFactory.setAutomaticRecoveryEnabled(false);
 	}
@@ -604,6 +635,21 @@ public void setChannelRpcTimeout(int channelRpcTimeout) {
 		this.connectionFactory.setChannelRpcTimeout(channelRpcTimeout);
 	}
 
+	/**
+	 * Enable server hostname verification for TLS connections.
+	 * <p>
+	 * This enables hostname verification regardless of the IO mode used (blocking or
+	 * non-blocking IO).
+	 * Requires amqp-client 5.4.0 or later.
+	 * @param enable true to enable.
+	 * @since 1.7.10
+	 */
+	public void setEnableHostnameVerification(boolean enable) {
+		Assert.notNull(enableHostnameVerificationNoArgMethod,
+				"Host name verification requires amqp-client 5.4.0 or later");
+		this.enableHostnameVerification = enable;
+	}
+
 	@Override
 	public Class<?> getObjectType() {
 		return ConnectionFactory.class;
@@ -686,6 +732,7 @@ protected void setUpSSL() throws Exception {
 			SSLContext context = createSSLContext();
 			context.init(keyManagers, trustManagers, this.secureRandom);
 			this.connectionFactory.useSslProtocol(context);
+			checkHostVerification();
 		}
 	}
 
@@ -701,14 +748,20 @@ protected SSLContext createSSLContext() throws NoSuchAlgorithmException {
 	}
 
 
-	private void useDefaultTrustStoreMechanism()
-			throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException {
+	private void useDefaultTrustStoreMechanism() throws Exception {
 		SSLContext sslContext = SSLContext.getInstance(this.sslAlgorithm);
 		TrustManagerFactory trustManagerFactory =
 				TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
 		trustManagerFactory.init((KeyStore) null);
 		sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
 		this.connectionFactory.useSslProtocol(sslContext);
+		checkHostVerification();
+	}
+
+	private void checkHostVerification() throws Exception {
+		if (this.enableHostnameVerification) {
+			enableHostnameVerificationNoArgMethod.invoke(this.connectionFactory);
+		}
 	}
 
 }

src/reference/asciidoc/whats-new.adoc

@@ -179,6 +179,12 @@ Also the `ConnectionBlockedEvent` and `ConnectionUnblockedEvent` events are emit
 
 See <<connections>> for more information.
 
+===== Connection Factory Bean Changes
+
+The `RabbitConnectionFactoryBean` now provides an `enabaleHostnameVerification` property; set it to `true` to enable host name verification.
+Also `setHostnameVerifier` is provided for when using Java 6; see the connection factory javadocs for more information.
+Host name verification requires overriding the `amqp-client` to 5.4.0 or later.
+
 ==== Earlier Releases
 
 See <<previous-whats-new>> for changes in previous versions.