-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow for Secure IBM i connections to use a custom SSLSocketFactory #128
Comments
Hello, I'm the original reporter of bug 457 on SourceForge. At the time, we 'solved' the secure connection requirement by using JTOpen's sources, add our modifications and publish the modified JTOpen publicly on GitHub. Since the original report, we also added changes to allow for a secure JDBC connections. I tried applying our modifications to the current JTOpen code base. That worked without much problems. For us, it would be beneficial to have our modifications be part of the original JTOpen code-base. And we think the modifications would be a useful addition for JTOpen as well 😊 Kind regards, |
Hi, @MarcelRomijn ! We would welcome this pull request (and in my opinion it is a feature that is a bit overdue). Here's a sample article I've used as reference for getting started with pull requests: https://www.freecodecamp.org/news/how-to-make-your-first-pull-request-on-github-3/ |
Hi @ThePrez, thanks for the instructions for creating the PR! I'm on PTO after today, but I will pick this up when I get back to work, in the week of Aug 26th. Thanks! |
Hi @ThePrez, I followed the instructions and created a Pull Request: #200 I created another GitHub repository that contains tester code to test/demonstrate the security enhancement: https://github.com/MarcelRomijn/JTOpen_security_test/tree/feature/security Unfortunately, the Pull Request has a failed check about the 'DCO'. Thanks, |
Hi @MarcelRomijn, Thank you for considering this. Example (not tested): import javax.net.ssl.*;
import java.io.IOException;
import java.net.Socket;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
public class BypassSSLSocketFactory extends SSLSocketFactory {
private SSLSocketFactory sslSocketFactory;
public BypassSSLSocketFactory() {
try {
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
}
}
};
// Install the all-trusting trust manager
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
sslSocketFactory = sc.getSocketFactory();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (KeyManagementException e) {
e.printStackTrace();
}
}
@Override
public String[] getDefaultCipherSuites() {
return sslSocketFactory.getDefaultCipherSuites();
}
@Override
public String[] getSupportedCipherSuites() {
return sslSocketFactory.getSupportedCipherSuites();
}
@Override
public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
return sslSocketFactory.createSocket(s, host, port, autoClose);
}
@Override
public Socket createSocket(String host, int port) throws IOException {
return sslSocketFactory.createSocket(host, port);
}
@Override
public Socket createSocket(String host, int port, java.net.InetAddress localHost, int localPort) throws IOException {
return sslSocketFactory.createSocket(host, port, localHost, localPort);
}
@Override
public Socket createSocket(java.net.InetAddress host, int port) throws IOException {
return sslSocketFactory.createSocket(host, port);
}
@Override
public Socket createSocket(java.net.InetAddress address, int port, java.net.InetAddress localAddress, int localPort) throws IOException {
return sslSocketFactory.createSocket(address, port, localAddress, localPort);
}
} |
Hi @trknz, I have two thoughts about such an implementation... Security: In our company, we are steering away from any implementation that allows for a 'trust-all' type of secure connection. It's easy to install a server- and/or client application, click the 'trust-all' checkbox during installation and get something working. JTOpen: The proposed Thanks, |
I understand your point, but I believe it's up to the user to set their own security policies. Personally, I dislike when others decide what's best for me, as there's no one-size-fits-all solution. I have two examples:
Overall, I would prefer that the package include some common implementations of |
Hi, @trknz, Thanks for you feedback! Everyone is entitled to view of the way security should be implemented differently of course. But I stand by my second point that it is up to the JTOpen team to decide whether a bypass SSLSocketFactory should be added to the JTOpen code base. Thanks, |
Hi @MarcelRomijn, From my experience, the failure of DCO checking is not a blocker for merging the PR. However, if you prefer, you can follow the instructions below to resolve this issue.
|
To pass DCO checking, you have to sign your commits. |
Hi all, I saw that there were new commits to the JTOpen repository, so my PR had conflicts that needed to be resolved first. Thanks, |
@jeber-ibm, can we speed up the review and merge of the commit? It’s been waiting for approval for over two weeks. Thanks. |
Hi @MarcelRomijn, I think it would make sense to apply the change to the AS400ConnectionPool class too, since it's often used to manage connections. What do you think? |
Hi @trknz, At the moment, my original PR has not been merged. There are doubts whether this is the right way to go. Once/if the PR is merged, we can think about other enhancements, including the BypassSSLSocketFactory and adding similar functionality to AS400ConnectionPool. Thanks, |
Adapted from old SF bug 457.
Currently in
SocketContainerJSSE
, the defaultSSLSocketFactory
is retrieved before using it to create the secure socket to whichever host server it is attempting to connect to. There is no way to provide a customSSLSocketFactory
for JTOpen to use. Unless there was a good reason to only use the default that I'm just not aware of, a way to provide a customSSLSocketFactory
would be nice, as it would allow users of JTOpen to manage multipleSSLContexts
and provide it with the factory it should use to create the socket, without needing to override the JVM default context with their own version. It doesn't appear that JTOpen cares about the underlying factory itself, just so long as it produces a valid socket to use.The original bug reporter cited needing this because their company uses an Internal CA that the default Java
SSLContext
would reject because its root certificate wouldn't be in the global truststore. My use case is that my application might have two different truststores it will need to use, based on the action it is performing. Currently, I would need to set the truststore to be used for Secure IBM i connections as the defaultSSLContext
, then have my other truststore as a separateSSLContext
to pass around to the needed areas. This is doable but less than ideal, as I would like to avoid changing the default JVM context if I can help it.The text was updated successfully, but these errors were encountered: