AMQP-830 Enable Hostname Verification by default

JIRA: https://jira.spring.io/browse/AMQP-830

Author: garyrussell

build.gradle

@@ -82,7 +82,7 @@ subprojects { subproject ->
 		log4jVersion = '2.11.0'
 		logbackVersion = '1.2.3'
 		mockitoVersion = '2.18.0'
-		rabbitmqVersion = project.hasProperty('rabbitmqVersion') ? project.rabbitmqVersion : '5.3.0'
+		rabbitmqVersion = project.hasProperty('rabbitmqVersion') ? project.rabbitmqVersion : '5.4.0.RC2'
 		rabbitmqHttpClientVersion = '2.1.0.RELEASE'
 
 		springVersion = project.hasProperty('springVersion') ? project.springVersion : '5.1.0.RC2'

spring-rabbit/src/main/java/org/springframework/amqp/rabbit/connection/RabbitConnectionFactoryBean.java

@@ -103,30 +103,32 @@ public class RabbitConnectionFactoryBean extends AbstractFactoryBean<ConnectionF
 
 	private Resource sslPropertiesLocation;
 
-	private volatile String keyStore;
+	private String keyStore;
 
-	private volatile String trustStore;
+	private String trustStore;
 
-	private volatile Resource keyStoreResource;
+	private Resource keyStoreResource;
 
-	private volatile Resource trustStoreResource;
+	private Resource trustStoreResource;
 
-	private volatile String keyStorePassphrase;
+	private String keyStorePassphrase;
 
-	private volatile String trustStorePassphrase;
+	private String trustStorePassphrase;
 
-	private volatile String keyStoreType;
+	private String keyStoreType;
 
-	private volatile String trustStoreType;
+	private String trustStoreType;
 
-	private volatile String sslAlgorithm = TLS_V1_1;
+	private String sslAlgorithm = TLS_V1_1;
 
-	private volatile boolean sslAlgorithmSet;
+	private boolean sslAlgorithmSet;
 
-	private volatile SecureRandom secureRandom;
+	private SecureRandom secureRandom;
 
 	private boolean skipServerCertificateValidation;
 
+	private boolean enableHostnameVerification = true;
+
 	public RabbitConnectionFactoryBean() {
 		this.connectionFactory.setAutomaticRecoveryEnabled(false);
 	}
@@ -604,6 +606,22 @@ public void setChannelRpcTimeout(int channelRpcTimeout) {
 		this.connectionFactory.setChannelRpcTimeout(channelRpcTimeout);
 	}
 
+	/**
+	 * Enable server hostname verification for TLS connections.
+	 * <p>
+	 * This enables hostname verification regardless of the IO mode used (blocking or
+	 * non-blocking IO).
+	 * <p>
+	 * This can be called typically after setting the {@link SSLContext} with one of the
+	 * <code>useSslProtocol</code> methods. Requires amqp-client 5.4.0 or later.
+	 * @param enable false to disable.
+	 * @since 2.0.6
+	 * @see ConnectionFactory#enableHostnameVerification()
+	 */
+	public void setEnableHostnameVerification(boolean enable) {
+		this.enableHostnameVerification = enable;
+	}
+
 	@Override
 	public Class<?> getObjectType() {
 		return ConnectionFactory.class;
@@ -686,6 +704,9 @@ protected void setUpSSL() throws Exception {
 			SSLContext context = createSSLContext();
 			context.init(keyManagers, trustManagers, this.secureRandom);
 			this.connectionFactory.useSslProtocol(context);
+			if (this.enableHostnameVerification) {
+				this.connectionFactory.enableHostnameVerification();
+			}
 		}
 	}
 
@@ -709,6 +730,9 @@ private void useDefaultTrustStoreMechanism()
 		trustManagerFactory.init((KeyStore) null);
 		sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
 		this.connectionFactory.useSslProtocol(sslContext);
+		if (this.enableHostnameVerification) {
+			this.connectionFactory.enableHostnameVerification();
+		}
 	}
 
 }

src/reference/asciidoc/whats-new.adoc

@@ -65,3 +65,7 @@ See <<management-rest-api>> for more information.
 
 The listener container factory can now be configured with a `RetryTemplate` and, optionally, a `RecoveryCallback` used when sending replies.
 See <<async-annotation-driven-enable>> for more information.
+
+===== Connection Factory Bean Changes
+
+The `RabbitConnectionFactoryBean` now calls `enableHostnameVerification()` by default; to revert to the previous behavior, set the `enabaleHostnameVerification` property to `false`.