diff --git a/commons/audit/src/main/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImpl.java b/commons/audit/src/main/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImpl.java
index 92ac9a90ca..4ec9ee4004 100644
--- a/commons/audit/src/main/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImpl.java
+++ b/commons/audit/src/main/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImpl.java
@@ -15,6 +15,7 @@
 */
 package org.openehealth.ipf.commons.audit.protocol;
 
+import javax.net.ssl.SSLParameters;
 import org.openehealth.ipf.commons.audit.AuditContext;
 import org.openehealth.ipf.commons.audit.AuditException;
 import org.openehealth.ipf.commons.audit.utils.AuditUtils;
@@ -59,10 +60,12 @@ public class TLSSyslogSenderImpl extends RFC5424Protocol implements AuditTransmi
 private static final Logger LOG = LoggerFactory.getLogger(TLSSyslogSenderImpl.class);
 private static final int MIN_SO_TIMEOUT = 1;
 private static final Boolean DEFAULT_SOCKET_KEEPALIVE = Boolean.TRUE;
+ private static final String ENDPOINT_IDENTIFICATION_ALGORITHM_HTTPS = "HTTPS";
 
 private final AtomicReference socket = new AtomicReference<>();
 private final SocketFactory socketFactory;
 private final SocketTestPolicy socketTestPolicy;
+ private final Boolean performDomainValidation;
 
 /**
 * Constructor which uses default values for all parameters.
@@ -75,6 +78,11 @@ public TLSSyslogSenderImpl(SocketTestPolicy socketTestPolicy) {
 this(AuditUtils.getLocalHostName(), AuditUtils.getProcessId(), socketTestPolicy);
 }
 
+ public TLSSyslogSenderImpl(Boolean performDomainValidation) {
+ this(AuditUtils.getLocalHostName(), AuditUtils.getProcessId(), (SSLSocketFactory)SSLSocketFactory.getDefault(),
+ SocketTestPolicy.TEST_BEFORE_WRITE, performDomainValidation);
+ }
+
 /**
 * @param socketFactory SSL socket factory to be used for creating the TCP
 * socket.
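Review bot: `performDomainValidation` is declared as a boxed `Boolean`, and the new five-argument constructor (hunk at line 162) stores it without the `Objects.requireNonNull` it applies to `socketFactory`, so a caller passing `null` gets a NullPointerException only when `if(performDomainValidation)` unboxes it in setSocketOptions (hunk at line 305), i.e. on the first audit send rather than at construction. Declaring the field and the constructor parameters as primitive `boolean` removes that state; if the boxed type is kept for API reasons, `this.performDomainValidation = Objects.requireNonNull(performDomainValidation);` in that constructor fails fast instead. The existing constructors default to `Boolean.FALSE`, which keeps the previous behaviour of not verifying the server name; a one-line comment on the field, `// false = no endpoint identification (pre-existing behaviour)`, would make that visible where the field is declared.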
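Review bot: The new `TLSSyslogSenderImpl(Boolean performDomainValidation)` constructor overloads the existing `TLSSyslogSenderImpl(SocketTestPolicy socketTestPolicy)` on a single reference parameter, so an existing call `new TLSSyslogSenderImpl(null)` no longer compiles (ambiguous); a primitive `boolean` parameter avoids the ambiguity. It is also the only constructor in this file without Javadoc, and it silently fixes the socket factory to `SSLSocketFactory.getDefault()` and the test policy to `TEST_BEFORE_WRITE`, which the siblings spell out for every parameter. Suggest `/** Uses the default SSL socket factory and {@link SocketTestPolicy#TEST_BEFORE_WRITE}. @param performDomainValidation whether to verify the server certificate against the target host name (HTTPS endpoint identification) */`.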
@@ -95,6 +103,18 @@ public TLSSyslogSenderImpl(SSLSocketFactory socketFactory, SocketTestPolicy sock
 this(AuditUtils.getLocalHostName(), AuditUtils.getProcessId(), socketFactory, socketTestPolicy);
 }
 
+ /**
+ *
+ * @param socketFactory SSL socket factory to be used for creating the TCP
+ * socket.
+ * @param socketTestPolicy Determining if and when to test the socket for a
+ * connection close/reset
+ * @param performDomainValidation Determining if domain validation should be performed
+ */
+ public TLSSyslogSenderImpl(SSLSocketFactory socketFactory, SocketTestPolicy socketTestPolicy, Boolean performDomainValidation) {
+ this(AuditUtils.getLocalHostName(), AuditUtils.getProcessId(), socketFactory, socketTestPolicy, performDomainValidation);
+ }
+
 /**
 * @param sendingHost value of the SYSLOG header "HOSTNAME"
 * @param sendingProcess value of the SYSLOG header "APP-NAME"
@@ -113,6 +133,7 @@ public TLSSyslogSenderImpl(String sendingHost, String sendingProcess, SocketTest
 super(sendingHost, sendingProcess);
 this.socketFactory = SSLSocketFactory.getDefault();
 this.socketTestPolicy = socketTestPolicy;
+ this.performDomainValidation = Boolean.FALSE;
 }
 
 /**
@@ -125,6 +146,7 @@ public TLSSyslogSenderImpl(String sendingHost, String sendingProcess, SSLSocketF
 super(sendingHost, sendingProcess);
 this.socketFactory = Objects.requireNonNull(socketFactory);
 this.socketTestPolicy = SocketTestPolicy.TEST_BEFORE_WRITE;
+ this.performDomainValidation = Boolean.FALSE;
 }
 
 /**
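Review bot: The Javadoc on the new three-argument constructor has an empty first line and describes `performDomainValidation` only as "Determining if domain validation should be performed", which tells a caller neither what is verified nor what the default is; the five-argument constructor (hunk at line 162) repeats the same text. Suggest `@param performDomainValidation whether to enable HTTPS endpoint identification, i.e. verify that the server certificate matches the target host name; constructors without this parameter leave it disabled`, with a summary sentence in place of the blank line. The "domain validation" wording is also easy to confuse with domain-validated certificates, so naming the mechanism (endpoint identification) in the text removes that ambiguity.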
@@ -140,6 +162,24 @@ public TLSSyslogSenderImpl(String sendingHost, String sendingProcess, SSLSocketF
 super(sendingHost, sendingProcess);
 this.socketFactory = Objects.requireNonNull(socketFactory);
 this.socketTestPolicy = socketTestPolicy;
+ this.performDomainValidation = Boolean.FALSE;
+ }
+
+ /**
+ * @param sendingHost value of the SYSLOG header "HOSTNAME"
+ * @param sendingProcess value of the SYSLOG header "APP-NAME"
+ * @param socketFactory SSL socket factory to be used for creating the TCP
+ * socket.
+ * @param socketTestPolicy Determining if and when to test the socket for a
+ * connection close/reset
+ * @param performDomainValidation Determining if domain validation should be performed
+ */
+ public TLSSyslogSenderImpl(String sendingHost, String sendingProcess, SSLSocketFactory socketFactory,
+ SocketTestPolicy socketTestPolicy, Boolean performDomainValidation) {
+ super(sendingHost, sendingProcess);
+ this.socketFactory = Objects.requireNonNull(socketFactory);
+ this.socketTestPolicy = socketTestPolicy;
+ this.performDomainValidation = performDomainValidation;
 }
 
 @Override
@@ -265,9 +305,15 @@ private Socket getTLSSocket(AuditContext auditContext) {
 * @param socket Socket to configure
 * @throws SocketException
 */
- protected void setSocketOptions(final Socket socket) throws SocketException {
+ protected void setSocketOptions(final SSLSocket socket) throws SocketException {
 Objects.requireNonNull(socket);
 socket.setKeepAlive(DEFAULT_SOCKET_KEEPALIVE);
+
+ if(performDomainValidation) {
+ SSLParameters sslParams = new SSLParameters();
+ sslParams.setEndpointIdentificationAlgorithm(ENDPOINT_IDENTIFICATION_ALGORITHM_HTTPS);
+ socket.setSSLParameters(sslParams);
+ }
 }
 
 /**
diff --git a/commons/audit/src/test/java/org/openehealth/ipf/commons/audit/TLSAuditorIntegrationTest.java b/commons/audit/src/test/java/org/openehealth/ipf/commons/audit/TLSAuditorIntegrationTest.java
index 569787d623..b58ddf8cfc 100644
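Review bot: `new SSLParameters()` in setSocketOptions starts from an empty parameter set rather than the socket's current one, so `socket.setSSLParameters(sslParams)` replaces whatever the factory or socket already carried apart from the null-guarded cipher suites and protocols — algorithm constraints, cipher-suite-order preference and similar settings fall back to defaults, which is not what a caller who supplied a tuned `SSLSocketFactory` expects. Start from the socket instead: `SSLParameters sslParams = socket.getSSLParameters();` then set the algorithm and apply it; the other lines of the block stay as they are. Endpoint identification can only check a name the socket was created with, so the result depends on getTLSSocket (outside this hunk) creating the socket with a host name rather than a resolved address — worth a comment at this `if`, e.g. `// relies on the socket being created with the host name; with an InetAddress there is nothing to match`.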
--- a/commons/audit/src/test/java/org/openehealth/ipf/commons/audit/TLSAuditorIntegrationTest.java
+++ b/commons/audit/src/test/java/org/openehealth/ipf/commons/audit/TLSAuditorIntegrationTest.java
@@ -71,4 +71,20 @@ public void testTwoWayTLSInterrupted(TestContext testContext) throws Exception {
 async.awaitSuccess(WAIT_TIME);
 }
 
+ @Test
+ public void testTwoWayTLSWithDomainVerification(TestContext testContext) throws Exception {
+ initTLSSystemProperties(null);
+ auditContext.setAuditTransmissionProtocol(new TLSSyslogSenderImpl(true));
+ int count = 10;
+ Async async = testContext.async(count);
+ deploy(testContext, createTCPServerTwoWayTLS(port,
+ TRUST_STORE,
+ TRUST_STORE_PASS,
+ SERVER_KEY_STORE,
+ SERVER_KEY_STORE_PASS,
+ async));
+ for (int i = 0; i < count; i++) sendAudit();
+ async.awaitSuccess(WAIT_TIME);
+ }
+
 }
diff --git a/commons/audit/src/test/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImplTest.java b/commons/audit/src/test/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImplTest.java
index 66c29ca4b2..7448ef2a9e 100644
--- a/commons/audit/src/test/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImplTest.java
+++ b/commons/audit/src/test/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImplTest.java
@@ -252,7 +252,7 @@ public SocketOptionOverrideTLSSyslogSenderImpl(String sendingHost, String sendin
 }
 
 @Override
- protected void setSocketOptions(final Socket socket) throws SocketException {
+ protected void setSocketOptions(final SSLSocket socket) throws SocketException {
 super.setSocketOptions(socket);
 socket.setReceiveBufferSize(5);
 }
diff --git a/commons/audit/src/test/resources/security/ca.keystore b/commons/audit/src/test/resources/security/ca.keystore
index cfb3ede023..e93ae89c46 100644
Binary files a/commons/audit/src/test/resources/security/ca.keystore and b/commons/audit/src/test/resources/security/ca.keystore differ
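Review bot: testTwoWayTLSWithDomainVerification only shows that a matching server certificate is accepted; nothing in the diff demonstrates that `new TLSSyslogSenderImpl(true)` rejects a server whose certificate does not match the host name, which is the property the new option exists for, so a regression that leaves identification off would still pass this suite. A companion test that connects to the same server under a name the certificate does not carry and asserts that the send fails would pin the behaviour. The keystores under src/test/resources/security were regenerated in this commit, presumably so the server certificate names the test host; a short comment in the test recording which name they must carry would help whoever has to renew them.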
diff --git a/commons/audit/src/test/resources/security/server.keystore b/commons/audit/src/test/resources/security/server.keystore
index e9acab602c..1a8c9c350a 100644
Binary files a/commons/audit/src/test/resources/security/server.keystore and b/commons/audit/src/test/resources/security/server.keystore differ