Patch contributed from Issue #28 (#166)

* Issue: #28
Bug: 469947

Implementing Patches contributed by Cristiano to fix Java SSL session resumption

Signed-off-by: Cristiano De Alti <cristiano.dealti@eurotech.com>

* Fixing Copyright header in test and changing to use Automated test properties.

Signed-off-by: James Sutton <james.sutton@uk.ibm.com>

Author: jpwsutton

org.eclipse.paho.client.mqttv3.test/src/test/java/org/eclipse/paho/client/mqttv3/test/SSLSessionResumptionTest.java

@@ -0,0 +1,193 @@
+/**
+ * Copyright (c) 2011, 2014 Eurotech and/or its affiliates
+ *
+ *  All rights reserved. This program and the accompanying materials
+ *  are made available under the terms of the Eclipse Public License v1.0
+ *  which accompanies this distribution, and is available at
+ *  http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ *   Cristiano De Alti - Eurotech (Initial contribution)
+ *   James Sutton - IBM (Fixing Copyright header and adding getSocketFactory)
+ */
+
+package org.eclipse.paho.client.mqttv3.test;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.KeyStore;
+import java.security.SecureRandom;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.util.Arrays;
+import java.util.Enumeration;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSessionContext;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManagerFactory;
+
+import org.eclipse.paho.client.mqttv3.MqttClient;
+import org.eclipse.paho.client.mqttv3.MqttConnectOptions;
+import org.eclipse.paho.client.mqttv3.test.logging.LoggingUtilities;
+import org.eclipse.paho.client.mqttv3.test.properties.TestProperties;
+import org.eclipse.paho.client.mqttv3.test.utilities.Utility;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+
+/**
+ * This test aims to run some basic SSL functionality tests of the MQTT client
+ */
+
+public class SSLSessionResumptionTest {
+
+  static final Class<?> cclass = SSLSessionResumptionTest.class;
+  private static final String className = cclass.getName();
+  private static final Logger log = Logger.getLogger(className);
+  
+  
+  private static String serverURI;
+  private static String serverHost;
+  private static int serverPort;
+  private static final String certificateName = "iot.eclipse.org.crt";
+
+  
+  /**
+   * @throws Exception 
+   */
+  @BeforeClass
+  public static void setUpBeforeClass() throws Exception {
+
+    try {
+      String methodName = Utility.getMethodName();
+      LoggingUtilities.banner(log, cclass, methodName);
+      serverURI = "ssl://" + TestProperties.getServerURI().getHost();
+      serverHost = TestProperties.getServerURI().getHost();
+      serverPort = TestProperties.getServerSSLPort();
+
+    }
+    catch (Exception exception) {
+      log.log(Level.SEVERE, "caught exception:", exception);
+      throw exception;
+    }
+  }
+
+  /**
+   * This test involves inspecting the SSL debug log
+   * and the Wireshark capture.
+   *
+   * Paho defeats the default SSL session caching which
+   * allows to have abbreviated SSL handshakes on
+   * following connections.
+   * 
+   * @throws Exception
+   */
+  @Test
+  public void testSSLSessionInvalidated() throws Exception {
+	  //System.setProperty("javax.net.debug", "all");
+
+	  SSLSocketFactory factory = getSocketFactory(certificateName);
+	  
+	  MqttConnectOptions options = new MqttConnectOptions();
+	  options.setServerURIs(new String[] {serverURI});
+	  options.setKeepAliveInterval(60);
+	  options.setSocketFactory(factory);
+	  
+	  MqttClient mqttClient = new MqttClient(serverURI, MqttClient.generateClientId());
+	  
+	  
+	  log.info("Connecting to: " + serverURI);
+	  mqttClient.connect(options);
+	  
+	  Thread.sleep(2000);
+	  
+	  log.info("Disconnetting...");
+	  mqttClient.disconnect();
+	  	  
+	  Thread.sleep(2000);
+	  
+	  log.info("Connecting again... Paho will not be able to perform an abbreviated SSL handshake");
+	  mqttClient.connect(options);
+	  
+	  Thread.sleep(2000);
+	  
+	  log.info("Disconnetting...");
+	  mqttClient.disconnect();
+	  
+  }
+
+  /**
+   * This test involves inspecting the SSL debug log
+   * and the Wireshark capture.
+   *
+   * By default, Java caches SSL sessions which
+   * allows to have abbreviated SSL handshakes on
+   * following connections.
+   * 
+   * @throws Exception
+   */
+  @Test
+  public void testSSLSessionCached() throws Exception {
+	 // System.setProperty("javax.net.debug", "all");
+	  
+	  SSLSocketFactory factory = getSocketFactory(certificateName);
+
+	  
+	  log.info("Do handshake...");
+	  doHandshake(factory, serverHost, serverPort);
+
+	  log.info("Done! Redo handshake... An abbreviated SSL handshake will be performed");
+	  doHandshake(factory, serverHost, serverPort);
+	  
+	  log.info("Done!");
+  }
+  
+  private static void doHandshake(SSLSocketFactory factory, String host, int port) {
+	  SSLSocket socket = null;
+	  try {
+		  socket = (SSLSocket) factory.createSocket(host, port);
+
+		  socket.startHandshake();
+
+		  SSLSessionContext ctx = socket.getSession().getSessionContext();
+		  if (ctx != null) {
+			  Enumeration<byte[]> ids = ctx.getIds();
+			  while (ids.hasMoreElements()) {
+				  byte[] id = ids.nextElement();
+				  log.info("Session ID: " + Arrays.toString(id));
+				  log.info("Cypher suite: " + ctx.getSession(id).getCipherSuite());
+			  }
+		  } else {
+			  log.info("null SSLSessionContext");
+		  }
+	  } catch (Exception e) {
+		  e.printStackTrace();
+	  } finally {
+		  if (socket != null) {
+			  try {
+				socket.close();
+			} catch (IOException e) {
+				e.printStackTrace();
+			}
+		  }
+	  }
+  }
+  
+  private static SSLSocketFactory getSocketFactory(String certificateName) throws Exception {
+  		InputStream certStream = SSLSessionResumptionTest.class.getClassLoader().getResourceAsStream(certificateName);
+  		CertificateFactory certFactory = CertificateFactory.getInstance("X509");
+      Certificate certificate =  certFactory.generateCertificate(certStream);
+      SSLContext sslContext = SSLContext.getInstance("TLS");
+      TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+  		KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+  		keyStore.load(null);
+  		keyStore.setCertificateEntry("alias", certificate);
+  		trustManagerFactory.init(keyStore);
+  		sslContext.init(null, trustManagerFactory.getTrustManagers(), new SecureRandom());
+  		return sslContext.getSocketFactory();
+    }
+}

org.eclipse.paho.client.mqttv3.test/src/test/resources/iot.eclipse.org.crt

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEVDCCAwygAwIBAgIEVYPx2jANBgkqhkiG9w0BAQsFADCBhzELMAkGA1UEBhMC
+Q0ExJTAjBgNVBAoTHEVjbGlwc2Uub3JnIEZvdW5kYXRpb24sIEluYy4xFDASBgNV
+BAsTC2lvdC10ZXN0aW5nMQ8wDQYDVQQHEwZOZXBlYW4xEDAOBgNVBAgTB09udGFy
+aW8xGDAWBgNVBAMTD2lvdC5lY2xpcHNlLm9yZzAeFw0xNTA2MTkxMDQxMzFaFw0y
+MDA1MjMxMDQxMzRaMIGHMQswCQYDVQQGEwJDQTElMCMGA1UEChMcRWNsaXBzZS5v
+cmcgRm91bmRhdGlvbiwgSW5jLjEUMBIGA1UECxMLaW90LXRlc3RpbmcxDzANBgNV
+BAcTBk5lcGVhbjEQMA4GA1UECBMHT250YXJpbzEYMBYGA1UEAxMPaW90LmVjbGlw
+c2Uub3JnMIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEA0xUc7iXRrDG3
+WBCM6kzBv7eDVJUj8fMt7yhVS+os3QwKXfirzvRn1kj3KQkBzR/Nkeqk4go5EkYI
+ZCvG3svmfbyxJaWxl8VBhhiVf8ytd0CkNbbho5VlV2BrDuMpAMiQ1MZZqXV544wf
+BXAChXPgDjsjP/2QDAR52jJjqwoGm+KFAp9ZTFpHqi1Yajt2J7M1EOacnkasDdcD
+GzgxDIA1oo6XOM1sisOc11d+L1JyOwtSHIaQRO9BChU5CAZCTRF9wITdmBnhb+ha
+mEgHPFIeF8uPXnjvsXJgHM/GqOoIlb671DOVNdZPxDhg+Pp47qGQJrcTz+ptTLw4
+bgcSCbHQXK+TDk2GxUS27PbZ9trK2Rfo6MLe4x0kT8k+9zZkPDKdJzCYDVzfcakf
+Qj8cDxplrwIDAQABo2YwZDAMBgNVHRMBAf8EAjAAMCAGA1UdEQQZMBeCD2lvdC5l
+Y2xpcHNlLm9yZ4cExike8TATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQU
+sXXbkSdzImOC1cQcnXOPeGdghvowDQYJKoZIhvcNAQELBQADggExAHueO/jU8LNE
+M5GyA0ENlPLoeBgtsa2HGXGH1vrc9HEESaFLlQX/V0hEa6MtFTtZTGz4J4zfJK0s
+Zb7aMxQqlyDE0tGHb6p4XiyjyEcIpAaRuOdMFvsELBugLQIGyJU+FRhrJ6we0G/9
+aZg+PPhiLRsRQtxgS6zWJ3zQt8Vxj7gnjMjUzuJ30LeborKOZih0By1zY127TbgK
+0+7CjI3kzUzgX5gy6/YKJLoEl7In7GgLCXy4TdRAC4jrmiBZA3xhn2YbpEGG383z
+JL7gwrTxilGPdpUkPqsh3QPFybe//IuZnv0asPY4t9GgVqObomUGkafBcz1kDnlh
+eCQzrplSaCcePR3cawnX/x6ZjnRSfKGJzKYWBVtxLT6TW95AyGyv0bpsH5d3TpKO
+ayb6IYpBphw=
+-----END CERTIFICATE-----

org.eclipse.paho.client.mqttv3/src/main/java-templates/org/eclipse/paho/client/mqttv3/internal/ClientComms.java

@@ -319,6 +319,9 @@ public void shutdownConnection(MqttToken token, MqttException reason) {
 		// when actions complete
 		if (callback!= null) {callback.stop(); }
 
+		// Stop the thread that handles inbound work from the network
+		if (receiver != null) {receiver.stop();}
+		
 		// Stop the network module, send and receive now not possible
 		try {
 			if (networkModules != null) {
@@ -331,9 +334,6 @@ public void shutdownConnection(MqttToken token, MqttException reason) {
 			// Ignore as we are shutting down
 		}
 
-		// Stop the thread that handles inbound work from the network
-		if (receiver != null) {receiver.stop();}
-
 		// Stop any new tokens being saved by app and throwing an exception if they do
 		tokenStore.quiesce(new MqttException(MqttException.REASON_CODE_CLIENT_DISCONNECTING));
 

org.eclipse.paho.client.mqttv3/src/main/java/org/eclipse/paho/client/mqttv3/internal/CommsReceiver.java

@@ -80,7 +80,12 @@ public void stop() {
 				if (!Thread.currentThread().equals(recThread)) {
 					try {
 						// Wait for the thread to finish.
-						recThread.join();
+						// It is always a good idea to set a timeout.
+						// WARNING: the timeout must be correlated with the
+						// socket read timeout.
+						// Unfortunately we cannot access the socket here to
+						// get its read timeout.
+						recThread.join(1500);
 					}
 					catch (InterruptedException ex) {
 					}
@@ -107,6 +112,7 @@ public void run() {
 				MqttWireMessage message = in.readMqttWireMessage();
 				receiving = false;
 
+				// instanceof checks if message is null
 				if (message instanceof MqttAck) {
 					token = tokenStore.getToken(message);
 					if (token!=null) {
@@ -123,8 +129,10 @@ public void run() {
 						throw new MqttException(MqttException.REASON_CODE_UNEXPECTED_ERROR);
 					}
 				} else {
-					// A new message has arrived
-					clientState.notifyReceivedMsg(message);
+					if (message != null) {
+						// A new message has arrived
+						clientState.notifyReceivedMsg(message);
+					}
 				}
 			}
 			catch (MqttException ex) {

org.eclipse.paho.client.mqttv3/src/main/java/org/eclipse/paho/client/mqttv3/internal/SSLNetworkModule.java

@@ -86,10 +86,8 @@ public void start() throws IOException, MqttException {
 		super.start();
 		setEnabledCiphers(enabledCiphers);
 		int soTimeout = socket.getSoTimeout();
-		if ( soTimeout == 0 ) {
-			// RTC 765: Set a timeout to avoid the SSL handshake being blocked indefinitely
-			socket.setSoTimeout(this.handshakeTimeoutSecs*1000);
-		}
+		// RTC 765: Set a timeout to avoid the SSL handshake being blocked indefinitely
+		socket.setSoTimeout(this.handshakeTimeoutSecs*1000);
 		((SSLSocket)socket).startHandshake();
 		// reset timeout to default value
 		socket.setSoTimeout(soTimeout);   

org.eclipse.paho.client.mqttv3/src/main/java/org/eclipse/paho/client/mqttv3/internal/TCPNetworkModule.java

@@ -67,6 +67,10 @@ public void start() throws IOException, MqttException {
 			log.fine(CLASS_NAME,methodName, "252", new Object[] {host, new Integer(port), new Long(conTimeout*1000)});
 			SocketAddress sockaddr = new InetSocketAddress(host, port);
 			socket = factory.createSocket();
+			// Set a read timeout on the socket.
+			// If you change the value here you should also change
+			// the value in CommsReceiver.stop().
+			socket.setSoTimeout(1000);
 			socket.connect(sockaddr, conTimeout*1000);
 
 			// SetTcpNoDelay was originally set ot true disabling Nagle's algorithm. 
@@ -93,6 +97,25 @@ public OutputStream getOutputStream() throws IOException {
 	 */
 	public void stop() throws IOException {
 		if (socket != null) {
+			// CDA: an attempt is made to stop the receiver cleanly before closing the socket.
+			// If the socket is forcibly closed too early, the blocking socket read in
+			// the receiver thread throws a SocketException.
+			// While this causes the receiver thread to exit, it also invalidates the
+			// SSL session preventing to perform an accelerated SSL handshake in the
+			// next connection.
+			//
+			// Also note that due to the blocking socket reads in the receiver thread,
+			// it's not possible to interrupt the thread. Using non blocking reads in
+			// combination with a socket timeout (see setSoTimeout()) would be a better approach.
+			//
+			// Please note that the Javadoc only says that an EOF is returned on
+			// subsequent reads of the socket stream.
+			// Anyway, at least with Oracle Java SE 7 on Linux systems, this causes a blocked read
+			// to return EOF immediately.
+			// This workaround should not cause any harm in general but you might
+			// want to move it in SSLNetworkModule.
+
+			socket.shutdownInput();
 			socket.close();
 		}
 	}