Command line interface does not validate SSL certificate

[tkzv]

To reproduce, enable STOMP+SSL in Apache ActiveMQ with default dummy certificates and connect to it with a CLI client:

stomp.exe -H localhost -P 61612 --ssl -U admin -W admin -L MyQueue

There are no errors, everything works fine, despite the certificate having expired in 2007. This is wrong.

To enable SSL in ActiveMQ, add to activemq.xml: inside <broker ...> </broker> tags:

<sslContext>
    <sslContext keyStore="file:${activemq.base}/conf/broker.ks"
        keyStorePassword="password"/>
</sslContext>

inside <transportConnectors> ... </transportConnectors> tags:

<transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:61612?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>

in jetty.xml uncomment the following:

<bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
      <constructor-arg ref="Server" />
      <constructor-arg>
           <bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
                 <property name="keyStorePath" value="${activemq.conf}/broker.ks" />
                 <property name="keyStorePassword" value="password" />
           </bean>
      </constructor-arg>
      <property name="port" value="8162" />
</bean>

[jasonrbriggs]

You would think that cert checks would be part of the SSLContext in the ssl module, and while I did see mention of cert expiry, I couldn't find a flag that actually made it work for me (entirely likely I've missed something). So I've added some functionality to check the cert expiry - if PyOpenSSL is installed. Implemented here: https://github.com/jasonrbriggs/stomp.py/commit/e97c19097e1939a7f83ce138b47308ae34b4a977 Tested here: https://github.com/jasonrbriggs/stomp.py/commit/ff3d391efa9e87e8672374564d07c2514a775f84 Will be going into the next release...