Ruby-friendly fine tuned TLS connections support #22

Open
michaelklishin opened this issue Aug 25, 2013 · 6 comments

@michaelklishin
Member

It's currently far from easy to set up all the certificates/keys/etc. This needs to be both easier and better documented (e.g. JVM keytool is used to import CA certificates, as opposed to OpenSSL default CA certificate path which Bunny relies on).

@michaelklishin
Member Author

I will move this to 2.1 because it turns out to be a lot hairier than I thought. Also, Langohr and March Hare share this problem so perhaps simplifying common TLS setups with a small Java library both can use is a good way to go about it.

@geauxvirtual

Just wanted to leave a comment on this issue or feature.

When we were looking at implementing HB, and now March Hare once 2.0 is released, I looked at integrating SSL support into our application. You are correct, it's not a simple task when dealing with Java, as it took importing three Java libraries to just load the truststore and return it for the connection to work properly for trusting both the server and client. It would be nice if this could be made simpler by adding the required behavior to the code.

@priviterag priviterag self-assigned this Aug 12, 2015
@whithajess

Any updates on this? I would like to use TLS but have no idea what to do as http://rubymarchhare.info/articles/tls.html just gives a 404. I have it working fine using the Bunny gem.

@michaelklishin
Member Author

Currently you have to build a TLS context and pass it to MH, see rabbitmq.com/ssl.html.

On 17/8/2015, at 7:17, Jesse notifications@github.com wrote:

> Any updates on this? I would like to use TLS but have no idea what to do as http://rubymarchhare.info/articles/tls.html just gives a 404. I have it working fine using the Bunny gem.

@jsvd
Contributor

jsvd commented Apr 28, 2016

Isn't this done now in

```ruby
tls = (options[:ssl] || options[:tls])
case tls
when true then
  cf.use_ssl_protocol
when String then
  # TODO: logging
  $stdout.puts "Using TLS/SSL version #{tls}"
  if options[:trust_manager]
    cf.use_ssl_protocol(tls, options[:trust_manager])
  elsif (cert_path = tls_certificate_path_from(options)) && (password = tls_certificate_password_from(options))
    ctx = SSLContext.get_instance(tls)
    pwd = password.to_java.to_char_array
    begin
      is = File.new(cert_path).to_inputstream
      ks = KeyStore.get_instance('PKCS12')
      ks.load(is, pwd)
      kmf = KeyManagerFactory.get_instance("SunX509")
      kmf.init(ks, pwd)
      ctx.init(kmf.get_key_managers, [NullTrustManager.new].to_java('javax.net.ssl.TrustManager'), nil)
      cf.use_ssl_protocol(ctx)
    rescue Java::JavaLang::Throwable => e
      message = e.message
      message << "\n"
      message << e.backtrace.join("\n")
      raise SSLContextException.new(message)
    ensure
      is.close if is
    end
  else
```
?

@michaelklishin
Member Author

@jsvd I'm afraid this is far from "Ruby developer-friendly" (which is a high bar)
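
The "build a TLS context and pass it" approach from the comments above, written for JRuby as an added example that is not March Hare's own code or any commenter's: where the quoted snippet passes a `NullTrustManager`, this one takes its trust managers from a `TrustManagerFactory` over a truststore, so the server's certificate chain is checked against the imported CAs. `build_tls_context`, `load_keystore`, their arguments and the legacy-protocol deny-list are assumptions made for illustration.

```ruby
# Added example for JRuby; method names and arguments are illustrative assumptions.
if RUBY_PLATFORM == "java"
  require "java"
  java_import "java.io.FileInputStream"
  java_import "java.security.KeyStore"
  java_import "javax.net.ssl.KeyManagerFactory"
  java_import "javax.net.ssl.SSLContext"
  java_import "javax.net.ssl.TrustManagerFactory"
end

# Assumed policy: protocol names this helper refuses to use.
LEGACY_PROTOCOLS = %w[SSL SSLv2 SSLv3 TLSv1 TLSv1.1].freeze

# Load a keystore file (PKCS12 client bundle, or a truststore built with keytool).
def load_keystore(path, password, type)
  store = KeyStore.get_instance(type)
  stream = FileInputStream.new(path)
  begin
    store.load(stream, password.to_java.to_char_array)
  ensure
    stream.close
  end
  store
end

def build_tls_context(client_p12:, client_password:, truststore:, truststore_password:,
                      protocol: "TLSv1.2", truststore_type: "JKS")
  # Cheap checks first, before any JVM class is touched.
  raise ArgumentError, "refusing legacy protocol #{protocol}" if LEGACY_PROTOCOLS.include?(protocol)
  [client_p12, truststore].each do |file|
    raise ArgumentError, "keystore not readable: #{file}" unless File.readable?(file)
  end
  raise NotImplementedError, "JVM TLS classes require JRuby" unless RUBY_PLATFORM == "java"

  # Client identity: certificate and private key from the PKCS12 bundle.
  kmf = KeyManagerFactory.get_instance(KeyManagerFactory.get_default_algorithm)
  kmf.init(load_keystore(client_p12, client_password, "PKCS12"),
           client_password.to_java.to_char_array)

  # Server validation: trust only the CAs imported into the truststore.
  tmf = TrustManagerFactory.get_instance(TrustManagerFactory.get_default_algorithm)
  tmf.init(load_keystore(truststore, truststore_password, truststore_type))

  ctx = SSLContext.get_instance(protocol)
  ctx.init(kmf.get_key_managers, tmf.get_trust_managers, nil)
  ctx
end
```

The returned context is the kind of object the quoted snippet hands to `cf.use_ssl_protocol(ctx)`. Chain validation through the truststore is separate from hostname verification, which an `SSLContext` alone does not perform.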
