activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Phil Pickett (JIRA)" <j...@apache.org>
Subject [jira] Issue Comment Edited: (AMQ-2384) The activeMQ port supports low and medium strength ciphers
Date Tue, 30 Mar 2010 19:57:10 GMT

    [ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=58566#action_58566
] 

Phil Pickett edited comment on AMQ-2384 at 3/30/10 7:55 PM:
------------------------------------------------------------

ActiveMQ 5.3 based patch to implement transport's enabledCipherSuites option.

My activemq.xml is standard for 5.3 with the following additions:

        <amq:sslContext>
            <amq:sslContext
                protocol="SSLv3"
                keyStore="file:${activemq.base}/SSL/broker.ks" keyStorePassword="changeit"
                trustStore="file:${activemq.base}/SSL/client.ts" trustStorePassword="changeit"/>
        </amq:sslContext>

-- and --

        <transportConnectors>
            <transportConnector name="openwire" uri="ssl://0.0.0.0:61616?transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"/>
        </transportConnectors>

My goal was to disable low ciphers as documented here for Tomcat:

http://www.cpug.org/forums/check-point-utm-1-appliances/11716-pci-vulnerability-assessment-report-utm-1-total-security-570-a.html

To test this, I used the ssl-cipher-check.pl script from http://www.unspecific.com/ssl/. 
With the above transport URI (and without the enabledCipherSuites option and the patch) the
script returns 22 total ciphers and 10 WEAK ciphers.  With the patch and the option, the script
returns 6 ciphers found.  See output below.

Phil

[phil@fedora12 perl]$ ./ssl-cipher-check.pl localhost 61616
Testing localhost:61616
   SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits 
   SSLv3:EDH-RSA-DES-CBC3-SHA - ENABLED - STRONG 168 bits 
** SSLv3:EDH-RSA-DES-CBC-SHA - ENABLED - WEAK 56 bits **
   SSLv3:DHE-RSA-AES128-SHA - ENABLED - STRONG 128 bits 
   SSLv3:DES-CBC3-SHA - ENABLED - STRONG 168 bits 
   SSLv3:RC4-SHA - ENABLED - STRONG 128 bits 
** SSLv3:EXP-EDH-RSA-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** SSLv3:DES-CBC-SHA - ENABLED - WEAK 56 bits **
** SSLv3:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** SSLv3:EXP-DES-CBC-SHA - ENABLED - WEAK 40 bits **
   SSLv3:AES128-SHA - ENABLED - STRONG 128 bits 

   TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits 
   TLSv1:EDH-RSA-DES-CBC3-SHA - ENABLED - STRONG 168 bits 
** TLSv1:EDH-RSA-DES-CBC-SHA - ENABLED - WEAK 56 bits **
   TLSv1:DHE-RSA-AES128-SHA - ENABLED - STRONG 128 bits 
   TLSv1:DES-CBC3-SHA - ENABLED - STRONG 168 bits 
   TLSv1:RC4-SHA - ENABLED - STRONG 128 bits 
** TLSv1:EXP-EDH-RSA-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** TLSv1:DES-CBC-SHA - ENABLED - WEAK 56 bits **
** TLSv1:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** TLSv1:EXP-DES-CBC-SHA - ENABLED - WEAK 40 bits **
   TLSv1:AES128-SHA - ENABLED - STRONG 128 bits 


WARNING: Self Signed Certificate
*WARNING* 10 WEAK Ciphers Enabled.
Total Ciphers Enabled: 22
[phil@fedora12 perl]$ ./ssl-cipher-check.pl localhost 61616
Testing localhost:61616
   SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits 
   SSLv3:EDH-RSA-DES-CBC3-SHA - ENABLED - STRONG 168 bits 
   SSLv3:RC4-SHA - ENABLED - STRONG 128 bits 

   TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits 
   TLSv1:EDH-RSA-DES-CBC3-SHA - ENABLED - STRONG 168 bits 
   TLSv1:RC4-SHA - ENABLED - STRONG 128 bits 


WARNING: Self Signed Certificate
Total Ciphers Enabled: 6


      was (Author: phil.pickett@springsource.com):
    ActiveMQ 5.3 based patch to implement transport's enabledCipherSuites option
  
> The activeMQ port supports low and medium strength ciphers 
> -----------------------------------------------------------
>
>                 Key: AMQ-2384
>                 URL: https://issues.apache.org/activemq/browse/AMQ-2384
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Connector
>    Affects Versions: 5.2.0
>         Environment: We are running the ActiveMQ 5.2.0  over a SLES 11 64 bit  machine.
In the configuration file activemq.xml there is no way to specify the supported ciphers. 
>            Reporter: Shrisha Chandrashekar
>            Assignee: Gary Tully
>             Fix For: 5.4.0
>
>         Attachments: setSslSocketOptions.patch, SSLEnableCiphers.patch
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see
that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default.
This may be a security risk and therefore we need a way to specify which ciphers to support.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message