Add option to enable hostname verification

Fixes #55

(cherry picked from commit d31693b)

Conflicts:
	src/main/java/com/rabbitmq/jms/admin/RMQConnectionFactory.java

Author: acogoluegnes

src/main/java/com/rabbitmq/jms/admin/RMQConnectionFactory.java

@@ -109,6 +109,14 @@ public class RMQConnectionFactory implements ConnectionFactory, Referenceable, S
     private SSLContext sslContext;
     private boolean useDefaultSslContext = false;
 
+    /**
+     * Whether to use hostname verification when TLS is on.
+     *
+     * @since 1.10.0
+     */
+    private boolean hostnameVerification = false;
+
+
     /** The maximum number of messages to read on a queue browser, which must be non-negative;
      *  0 means unlimited and is the default; negative values are interpreted as 0. */
     private int queueBrowserReadMax = Math.max(0, Integer.getInteger("rabbit.jms.queueBrowserReadMax", 0));
@@ -154,8 +162,8 @@ public Connection createConnection(String username, String password) throws JMSE
         com.rabbitmq.client.ConnectionFactory factory = new com.rabbitmq.client.ConnectionFactory();
         setRabbitUri(logger, this, factory, this.getUri());
         maybeEnableTLS(factory);
-
         factory.setMetricsCollector(this.metricsCollector);
+        maybeEnableHostnameVerification(factory);
         com.rabbitmq.client.Connection rabbitConnection = instantiateNodeConnection(factory);
 
         RMQConnection conn = new RMQConnection(new ConnectionParams()
@@ -181,6 +189,7 @@ public Connection createConnection(String username, String password, List<Addres
         this.password = password;
         com.rabbitmq.client.ConnectionFactory cf = new com.rabbitmq.client.ConnectionFactory();
         maybeEnableTLS(cf);
+        cf.setMetricsCollector(this.metricsCollector);
         com.rabbitmq.client.Connection rabbitConnection = instantiateNodeConnection(cf, endpoints);
 
         RMQConnection conn = new RMQConnection(new ConnectionParams()
@@ -340,6 +349,16 @@ private void maybeEnableTLS(com.rabbitmq.client.ConnectionFactory factory) {
             }
     }
 
+    private void maybeEnableHostnameVerification(com.rabbitmq.client.ConnectionFactory factory) {
+        if (hostnameVerification) {
+            if (this.ssl) {
+                factory.enableHostnameVerification();
+            } else {
+                logger.warn("Hostname verification enabled, but not TLS, please enable TLS too.");
+            }
+        }
+    }
+
     public boolean isSsl() {
         return this.ssl;
     }
@@ -742,5 +761,17 @@ public void setAmqpPropertiesCustomiser(AmqpPropertiesCustomiser amqpPropertiesC
     public void setMetricsCollector(MetricsCollector metricsCollector) {
         this.metricsCollector = metricsCollector;
     }
+
+    /**
+     * Enable or disable hostname verification when TLS is used.
+     *
+     * @param hostnameVerification
+     * @see com.rabbitmq.client.ConnectionFactory#enableHostnameVerification()
+     * @since 1.10.0
+     */
+    public void setHostnameVerification(boolean hostnameVerification) {
+        this.hostnameVerification = hostnameVerification;
+    }
+
 }
 

src/test/java/com/rabbitmq/integration/tests/SSLHostnameVerificationIT.java

@@ -0,0 +1,83 @@
+/* Copyright (c) 2018 Pivotal Software, Inc. All rights reserved. */
+package com.rabbitmq.integration.tests;
+
+import com.rabbitmq.jms.admin.RMQConnectionFactory;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import javax.jms.Connection;
+import javax.jms.JMSException;
+import javax.jms.JMSSecurityException;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.FileInputStream;
+import java.security.KeyStore;
+
+import static org.junit.Assert.assertNotNull;
+
+/**
+ * Integration test for hostname verification with TLS.
+ */
+public class SSLHostnameVerificationIT {
+
+    static SSLContext sslContext;
+    RMQConnectionFactory cf;
+
+    @BeforeClass
+    public static void initCrypto() throws Exception {
+        String keystorePath = System.getProperty("test-keystore.ca");
+        assertNotNull(keystorePath);
+        String keystorePasswd = System.getProperty("test-keystore.password");
+        assertNotNull(keystorePasswd);
+        char[] keystorePassword = keystorePasswd.toCharArray();
+
+        KeyStore tks = KeyStore.getInstance("JKS");
+        tks.load(new FileInputStream(keystorePath), keystorePassword);
+
+        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
+        tmf.init(tks);
+
+        String p12Path = System.getProperty("test-client-cert.path");
+        assertNotNull(p12Path);
+        String p12Passwd = System.getProperty("test-client-cert.password");
+        assertNotNull(p12Passwd);
+
+        KeyStore ks = KeyStore.getInstance("PKCS12");
+        char[] p12Password = p12Passwd.toCharArray();
+        ks.load(new FileInputStream(p12Path), p12Password);
+
+        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
+        kmf.init(ks, p12Password);
+
+        sslContext = SSLContext.getInstance("TLSv1.2");
+        sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
+    }
+
+    @Before
+    public void init() {
+        cf = new RMQConnectionFactory();
+        cf.useSslProtocol(sslContext);
+        cf.setHostnameVerification(true);
+    }
+
+    @Test
+    public void hostnameVerificationEnabledShouldPassForLocalhost() throws JMSException {
+        cf.setHost("localhost");
+        Connection connection = null;
+        try {
+            connection = cf.createConnection();
+        } finally {
+            if (connection != null) {
+                connection.close();
+            }
+        }
+    }
+
+    @Test(expected = JMSSecurityException.class)
+    public void hostnameVerificationEnabledShouldFailForLoopbackInterface() throws JMSException {
+        cf.setHost("127.0.0.1");
+        cf.createConnection();
+    }
+}