activemq-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From clebertsuco...@apache.org
Subject [1/4] activemq-6 git commit: ACTIVEMQ6-36 Disallow SSLv3 for POODLE
Date Mon, 17 Nov 2014 19:59:06 GMT
Repository: activemq-6
Updated Branches:
  refs/heads/master 9045ddd7b -> fdf1a1a26


ACTIVEMQ6-36 Disallow SSLv3 for POODLE


Project: http://git-wip-us.apache.org/repos/asf/activemq-6/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-6/commit/36d86ffb
Tree: http://git-wip-us.apache.org/repos/asf/activemq-6/tree/36d86ffb
Diff: http://git-wip-us.apache.org/repos/asf/activemq-6/diff/36d86ffb

Branch: refs/heads/master
Commit: 36d86ffb00f6f152ed6daf7cf16f6f1556573ba7
Parents: 9045ddd
Author: jbertram <jbertram@redhat.com>
Authored: Mon Nov 17 13:37:51 2014 -0600
Committer: jbertram <jbertram@redhat.com>
Committed: Mon Nov 17 13:37:51 2014 -0600

----------------------------------------------------------------------
 .../core/remoting/impl/netty/NettyAcceptor.java | 17 +++++++++++++++
 .../core/server/HornetQServerLogger.java        |  6 +++++
 .../ssl/CoreClientOverOneWaySSLTest.java        | 23 ++++++++++++++++++++
 3 files changed, 46 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/activemq-6/blob/36d86ffb/activemq-server/src/main/java/org/apache/activemq/core/remoting/impl/netty/NettyAcceptor.java
----------------------------------------------------------------------
diff --git a/activemq-server/src/main/java/org/apache/activemq/core/remoting/impl/netty/NettyAcceptor.java
b/activemq-server/src/main/java/org/apache/activemq/core/remoting/impl/netty/NettyAcceptor.java
index 661d6a7..614e19a 100644
--- a/activemq-server/src/main/java/org/apache/activemq/core/remoting/impl/netty/NettyAcceptor.java
+++ b/activemq-server/src/main/java/org/apache/activemq/core/remoting/impl/netty/NettyAcceptor.java
@@ -19,8 +19,10 @@ import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
 import java.util.concurrent.ScheduledExecutorService;
@@ -394,6 +396,21 @@ public class NettyAcceptor implements Acceptor
                   engine.setEnabledProtocols(originalProtocols);
                }
 
+               // Strip "SSLv3" from the current enabled protocols to address the POODLE
exploit.
+               // This recommendation came from http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
+               String[] protocols = engine.getEnabledProtocols();
+               Set<String> set = new HashSet<>();
+               for (String s : protocols)
+               {
+                  if (s.equals("SSLv3") || s.equals("SSLv2Hello"))
+                  {
+                     HornetQServerLogger.LOGGER.disallowedProtocol(s);
+                     continue;
+                  }
+                  set.add(s);
+               }
+               engine.setEnabledProtocols(set.toArray(new String[0]));
+
                SslHandler handler = new SslHandler(engine);
 
                pipeline.addLast("ssl", handler);

http://git-wip-us.apache.org/repos/asf/activemq-6/blob/36d86ffb/activemq-server/src/main/java/org/apache/activemq/core/server/HornetQServerLogger.java
----------------------------------------------------------------------
diff --git a/activemq-server/src/main/java/org/apache/activemq/core/server/HornetQServerLogger.java
b/activemq-server/src/main/java/org/apache/activemq/core/server/HornetQServerLogger.java
index 0399b4b..9a6b1a0 100644
--- a/activemq-server/src/main/java/org/apache/activemq/core/server/HornetQServerLogger.java
+++ b/activemq-server/src/main/java/org/apache/activemq/core/server/HornetQServerLogger.java
@@ -1106,6 +1106,12 @@ public interface HornetQServerLogger extends BasicLogger
          format = Message.Format.MESSAGE_FORMAT)
    void activateSharedStoreSlaveFailed(@Cause Throwable e);
 
+   @LogMessage(level = Logger.Level.WARN)
+   @Message(id = 222190,
+         value = "Disallowing use of vulnerable protocol: {0}. See http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
for more details.",
+         format = Message.Format.MESSAGE_FORMAT)
+   void disallowedProtocol(String protocol);
+
    @LogMessage(level = Logger.Level.ERROR)
    @Message(id = 224000, value = "Failure in initialisation", format = Message.Format.MESSAGE_FORMAT)
    void initializationError(@Cause Throwable e);

http://git-wip-us.apache.org/repos/asf/activemq-6/blob/36d86ffb/tests/integration-tests/src/test/java/org/apache/activemq/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
b/tests/integration-tests/src/test/java/org/apache/activemq/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
index 8144447..7a7e903 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
@@ -251,6 +251,29 @@ public class CoreClientOverOneWaySSLTest extends ServiceTestBase
    }
 
    @Test
+   // http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
+   public void testPOODLE() throws Exception
+   {
+      createCustomSslServer(null, "SSLv3");
+      tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+      tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+      tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
+      tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
+      tc.getParams().put(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, "SSLv3");
+
+      ServerLocator locator = addServerLocator(HornetQClient.createServerLocatorWithoutHA(tc));
+      try
+      {
+         createSessionFactory(locator);
+         Assert.fail();
+      }
+      catch (HornetQNotConnectedException e)
+      {
+         Assert.assertTrue(true);
+      }
+   }
+
+   @Test
    public void testOneWaySSLWithGoodClientCipherSuite() throws Exception
    {
       createCustomSslServer();


Mime
View raw message