oehf · alexandruti · Apr 1, 2020
diff --git a/...s/audit/src/main/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImpl.java b/...s/audit/src/main/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImpl.java
@@ -15,6 +15,7 @@
  */
 package org.openehealth.ipf.commons.audit.protocol;
 
+import javax.net.ssl.SSLParameters;
 import org.openehealth.ipf.commons.audit.AuditContext;
 import org.openehealth.ipf.commons.audit.AuditException;
 import org.openehealth.ipf.commons.audit.utils.AuditUtils;
@@ -59,10 +60,12 @@ public class TLSSyslogSenderImpl extends RFC5424Protocol implements AuditTransmi
     private static final Logger LOG = LoggerFactory.getLogger(TLSSyslogSenderImpl.class);
     private static final int MIN_SO_TIMEOUT = 1;
     private static final Boolean DEFAULT_SOCKET_KEEPALIVE = Boolean.TRUE;
+    private static final String ENDPOINT_IDENTIFICATION_ALGORITHM_HTTPS = "HTTPS";
 
     private final AtomicReference<Socket> socket = new AtomicReference<>();
     private final SocketFactory socketFactory;
     private final SocketTestPolicy socketTestPolicy;
+    private final Boolean performDomainValidation;
 
     /**
      * Constructor which uses default values for all parameters.
@@ -75,6 +78,11 @@ public TLSSyslogSenderImpl(SocketTestPolicy socketTestPolicy) {
         this(AuditUtils.getLocalHostName(), AuditUtils.getProcessId(), socketTestPolicy);
     }
 
+    public TLSSyslogSenderImpl(Boolean performDomainValidation) {
+        this(AuditUtils.getLocalHostName(), AuditUtils.getProcessId(), (SSLSocketFactory)SSLSocketFactory.getDefault(),
+            SocketTestPolicy.TEST_BEFORE_WRITE, performDomainValidation);
+    }
+
     /**
      * @param socketFactory SSL socket factory to be used for creating the TCP
      *                      socket.
@@ -95,6 +103,18 @@ public TLSSyslogSenderImpl(SSLSocketFactory socketFactory, SocketTestPolicy sock
         this(AuditUtils.getLocalHostName(), AuditUtils.getProcessId(), socketFactory, socketTestPolicy);
     }
 
+    /**
+     *
+     * @param socketFactory           SSL socket factory to be used for creating the TCP
+     *                                socket.
+     * @param socketTestPolicy        Determining if and when to test the socket for a
+     *                                connection close/reset
+     * @param performDomainValidation Determining if domain validation should be performed
+     */
+    public TLSSyslogSenderImpl(SSLSocketFactory socketFactory, SocketTestPolicy socketTestPolicy, Boolean performDomainValidation) {
+        this(AuditUtils.getLocalHostName(), AuditUtils.getProcessId(), socketFactory, socketTestPolicy, performDomainValidation);
+    }
+
     /**
      * @param sendingHost    value of the SYSLOG header "HOSTNAME"
      * @param sendingProcess value of the SYSLOG header "APP-NAME"
@@ -113,6 +133,7 @@ public TLSSyslogSenderImpl(String sendingHost, String sendingProcess, SocketTest
         super(sendingHost, sendingProcess);
         this.socketFactory = SSLSocketFactory.getDefault();
         this.socketTestPolicy = socketTestPolicy;
+        this.performDomainValidation = Boolean.FALSE;
     }
 
     /**
@@ -125,6 +146,7 @@ public TLSSyslogSenderImpl(String sendingHost, String sendingProcess, SSLSocketF
         super(sendingHost, sendingProcess);
         this.socketFactory = Objects.requireNonNull(socketFactory);
         this.socketTestPolicy = SocketTestPolicy.TEST_BEFORE_WRITE;
+        this.performDomainValidation = Boolean.FALSE;
     }
 
     /**
@@ -140,6 +162,24 @@ public TLSSyslogSenderImpl(String sendingHost, String sendingProcess, SSLSocketF
         super(sendingHost, sendingProcess);
         this.socketFactory = Objects.requireNonNull(socketFactory);
         this.socketTestPolicy = socketTestPolicy;
+        this.performDomainValidation = Boolean.FALSE;
+    }
+
+    /**
+     * @param sendingHost             value of the SYSLOG header "HOSTNAME"
+     * @param sendingProcess          value of the SYSLOG header "APP-NAME"
+     * @param socketFactory           SSL socket factory to be used for creating the TCP
+     *                                socket.
+     * @param socketTestPolicy        Determining if and when to test the socket for a
+     *                                connection close/reset
+     * @param performDomainValidation Determining if domain validation should be performed
+     */
+    public TLSSyslogSenderImpl(String sendingHost, String sendingProcess, SSLSocketFactory socketFactory,
+        SocketTestPolicy socketTestPolicy, Boolean performDomainValidation) {
+        super(sendingHost, sendingProcess);
+        this.socketFactory = Objects.requireNonNull(socketFactory);
+        this.socketTestPolicy = socketTestPolicy;
+        this.performDomainValidation = performDomainValidation;
     }
 
     @Override
@@ -265,9 +305,15 @@ private Socket getTLSSocket(AuditContext auditContext) {
      * @param socket Socket to configure
      * @throws SocketException
      */
-    protected void setSocketOptions(final Socket socket) throws SocketException {
+    protected void setSocketOptions(final SSLSocket socket) throws SocketException {
         Objects.requireNonNull(socket);
         socket.setKeepAlive(DEFAULT_SOCKET_KEEPALIVE);
+
+        if(performDomainValidation) {
+            SSLParameters sslParams = new SSLParameters();
+            sslParams.setEndpointIdentificationAlgorithm(ENDPOINT_IDENTIFICATION_ALGORITHM_HTTPS);
+            socket.setSSLParameters(sslParams);
+        }
     }
 
     /**

diff --git a/commons/audit/src/test/java/org/openehealth/ipf/commons/audit/TLSAuditorIntegrationTest.java b/commons/audit/src/test/java/org/openehealth/ipf/commons/audit/TLSAuditorIntegrationTest.java
@@ -71,4 +71,20 @@ public void testTwoWayTLSInterrupted(TestContext testContext) throws Exception {
         async.awaitSuccess(WAIT_TIME);
     }
 
+    @Test
+    public void testTwoWayTLSWithDomainVerification(TestContext testContext) throws Exception {
+        initTLSSystemProperties(null);
+        auditContext.setAuditTransmissionProtocol(new TLSSyslogSenderImpl(true));
+        int count = 10;
+        Async async = testContext.async(count);
+        deploy(testContext, createTCPServerTwoWayTLS(port,
+            TRUST_STORE,
+            TRUST_STORE_PASS,
+            SERVER_KEY_STORE,
+            SERVER_KEY_STORE_PASS,
+            async));
+        for (int i = 0; i < count; i++) sendAudit();
+        async.awaitSuccess(WAIT_TIME);
+    }
+
 }
diff --git a/...dit/src/test/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImplTest.java b/...dit/src/test/java/org/openehealth/ipf/commons/audit/protocol/TLSSyslogSenderImplTest.java
@@ -252,7 +252,7 @@ public SocketOptionOverrideTLSSyslogSenderImpl(String sendingHost, String sendin
         }
 
         @Override
-        protected void setSocketOptions(final Socket socket) throws SocketException {
+        protected void setSocketOptions(final SSLSocket socket) throws SocketException {
             super.setSocketOptions(socket);
             socket.setReceiveBufferSize(5);
         }

diff --git a/commons/audit/src/test/resources/security/ca.keystore b/commons/audit/src/test/resources/security/ca.keystore
diff --git a/commons/audit/src/test/resources/security/server.keystore b/commons/audit/src/test/resources/security/server.keystore