activemq-dev mailing list archives

From "Brian Cain (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMQ-5407) TransportConnector nio+ssl ignores transport.enabledProtocols settings
Date Fri, 24 Oct 2014 16:14:34 GMT

    [ https://issues.apache.org/jira/browse/AMQ-5407?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14182996#comment-14182996
] 

Brian Cain commented on AMQ-5407:
---------------------------------

[~tabish121] - thank you for such a quick response and fix! Do you have any time frame for
when AMQ 5.11.0 will be released? 

> TransportConnector nio+ssl ignores transport.enabledProtocols settings
> ----------------------------------------------------------------------
>
>                 Key: AMQ-5407
>                 URL: https://issues.apache.org/jira/browse/AMQ-5407
>             Project: ActiveMQ
>          Issue Type: Bug
>         Environment: Using ActiveMQ 5.9.0
>            Reporter: Brian Cain
>            Assignee: Timothy Bish
>             Fix For: 5.11.0
>
>
> If you are using nio+ssl and try to set specific protocols (i.e. TLS and not SSLv3) for openwire and or stomp with ssl, NIO will ignore those settings and allow SSLv3 anyway.
> Setting specific transport protocols for activemq in my activemq.xml file:
> {noformat}
> <transportConnectors>
> <transportConnector name="openwire" uri="nio+ssl://0.0.0.0:61616?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2">
> </transportConnector>
> <transportConnector name="stomp+ssl" uri="stomp+nio+ssl://0.0.0.0:61613?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2">
> </transportConnector>
> {noformat}
> After changing this, I restarted activemq to ensure that those protocols were set correctly.
> With this setting in activemq.xml, activemq should not be able to do a successful SSLv3 handshake, however using s_connect with openssl, I am able to get activemq to respond with SSLv3:
> {noformat}
> ###########
> # command run: openssl s_client -ssl3 -connect hostname.com:61616
> ###########
> ###########
> # this is what should be displayed
> ###########
> CONNECTED(00000003)
> 139975367284552:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
> 139975367284552:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 0 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : SSLv3
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1414003656
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
> ---
> ###########
> # this is what is actually shown
> ###########
> CONNECTED(00000003)
> depth=0 CN = puppetmaster.local
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = puppetmaster.local
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 CN = puppetmaster.local
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=puppetmaster.local
>    i:/CN=Puppet CA generated on puppetmaster.local at 2014-10-22 11:20:52 -0700
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIFyzCCA7OgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBRMU8wTQYDVQQDDEZQdXBw
> ZXQgQ0EgZ2VuZXJhdGVkIG9uIHB1cHBldG1hc3Rlci5sb2NhbCBhdCAyMDE0LTEw
> LTIyIDExOjIwOjUyIC0wNzAwMB4XDTE0MTAyMTE4MjA1N1oXDTE5MTAyMTE4MjA1
> N1owHTEbMBkGA1UEAwwScHVwcGV0bWFzdGVyLmxvY2FsMIICIjANBgkqhkiG9w0B
> AQEFAAOCAg8AMIICCgKCAgEAyehXPWPLEuNkvvl0PHbz5cIbg4i7v51P0FzYfxR7
> sUt4455c4htfVpvEmWc1Ef5HD2MFViIAHorDMeGzNY2kAaX6xK2JVNhi8m8EJF7L
> C0LncN59p/DIc5XBl6fFGu8FGaEZ1wvRSOyitcsWCk5Gk8Oi8w56/xV7WVJJ1Lch
> PV62TZbKqDT8Ah/VcfIaCCWVCAB59/kIIGPJ8eI3aLdQv3f5h89ETiTr4yLtd1xm
> z25qqPV2JZIh1yAGBCjBGsE6L41eyckZy9Tl1JZaDTRfOiXK6SkaK8NTNNbuXeQT
> GkLusxpUL+FmisiH1ikazKZkyRuA0vMyQiakgUleVtACt4x+oLJ9askf5nx36wGu
> HcU5kaIuy2d8cLq2CD+FKLOdH10+KiMlxCtHny4pY15LIzs3F1wjqoeLwpcoQwoM
> 57Qnef8UNV0sQGlp/HkSxnhDwXh5mrXGLkpi11glTx4CIs7Yz8s7yC1FCvw8/wAi
> 3oDrmSAgidZXKd0MT+PT+4PTDHbC+p2TG6noX+GnrAjhKFKWyw31ue9pUMX/X2Az
> ExXiLFw2+zH+YsMNvHdTq4BM7G3s0tgQD3UQkWkDPk+0R3X14WDFTGUZ7oEb6Q+o
> /R+SE8W/rEwRw/O2tE6Xq063DyB4EYI+bVojpwtqOwyCNkbbC5aNnraUWfuXMWJB
> oqECAwEAAaOB4TCB3jA1BglghkgBhvhCAQ0EKFB1cHBldCBSdWJ5L09wZW5TU0wg
> SW50ZXJuYWwgQ2VydGlmaWNhdGUwJQYDVR0RBB4wHIIGcHVwcGV0ghJwdXBwZXRt
> YXN0ZXIubG9jYWwwDgYDVR0PAQH/BAQDAgWgMCAGA1UdJQEB/wQWMBQGCCsGAQUF
> BwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQSS72jRveOqBkQ
> TbLxTT2j5DWLPDAfBgNVHSMEGDAWgBRKtJ+dt+VxU6IwhHMYMAY78E7BOTANBgkq
> hkiG9w0BAQsFAAOCAgEATFMfxi1jFbnvTxiArZrL0RsA2mgBoU3p6gYhthmBWfzz
> 7OscRacWx7CvBXGdKi3oc2uyNVIsazS30Yw5vcfoTqUAT9TdsDLMf10h9AYp15ut
> K1ebZUc9OIf00+zF/IT/+CFXM9eKzgBxs6fKUKCKngI+kDYRD+h5qmAhUCeAAR9B
> +3kb8UV064Nlmla+x4zOZBzb+VSMWKSet/Sv4pMHusX2+ICvy0cRwwKmaVTzQVDS
> uTNlElYUM0xRXb10tS95j4S7MSYkKu2VHLD5F5LB8KxjhCcorwa323DnCQkywJLQ
> 3S1UUH3recjoLeD9Huj8+EL7uEvQdloRPbS/2cWFKkJgXYc5t7yC7Dp8qKNzTuNy
> COp68xunNPHh/JcS3wo4F/H7t2ve5IFnca4H/kSvLQWOQzmLfOrNhkn6ZJkqqGMo
> zf2LHVvJpfAUV6ezR1O0i70GR3YkNIijok14WMinDOXN98VLMp0j9zWm5aBF5Chg
> zRFIvrvz/NbwMtawZ/QD/B+kOolfKCNku9xkQ6wrHj6GikH4GYwWzfTZmpaOE4GC
> Dm8Axn5Ax+psLO10N4xwSxeB/zzygD4wDsQxP0kRg6lFIVQgfKmaJA07IcotCL9p
> M4ugQDGnWAjzBRqbvh5x37dc15C8F3fluSxC4yq5jv0EVeXooZISigG6Sr3rhpE=
> -----END CERTIFICATE-----
> subject=/CN=puppetmaster.local
> issuer=/CN=Puppet CA generated on puppetmaster.local at 2014-10-22 11:20:52 -0700
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2474 bytes and written 322 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : SSLv3
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID: 5447F9BA158D679AE17BAD85A384B43C5B1EE597F7F0AAC01418156FC9E08924
>     Session-ID-ctx:
>     Master-Key: 96B8081CB3EC675CF2CDD0546435760871491908C10E36E8ECA622155FFE4CAA0F851DC95F63C2C476727EDC985B2DD7
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1414003130
>     Timeout   : 7200 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> [binary OpenWire WireFormatInfo frame sent by the broker after the handshake; readable strings: ActiveMQ, MaxFrameSize, CacheSize, CacheEnabled, SizePrefixDisabled, MaxInactivityDurationInitalDelay, TcpNoDelayEnabled, MaxInactivityDuration, TightEncodingEnabled, StackTraceEnabled]
> {noformat}
> Removing nio from both the stomp and openwire transport connector settings (and restarting activemq) actually removes the ability to talk over SSLv3 using the technique I posted before, however putting nio back in ignores those transport connector settings and allows SSLv3.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
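The two transcripts quoted in the issue show why a check for this class of bug has to look at the negotiated cipher rather than the "Protocol" line: the failed SSLv3 attempt still prints "Protocol : SSLv3" in its SSL-Session block, with "Cipher is (NONE)" and cipher 0000, while the successful one reports a real cipher suite. The script below is an added example, not code from the JIRA issue, the reporter, or the ActiveMQ project. It classifies an `openssl s_client` transcript as an accepted or rejected handshake, then probes a broker port once per legacy protocol flag so the result of a transport.enabledProtocols change can be verified after a restart. The `probe` and `probe_all` functions need network access to a broker; the sample transcripts embedded at the bottom are constructed (abridged from the two shown above) so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the JIRA issue or ActiveMQ): decide from an
# `openssl s_client` transcript whether the handshake actually completed,
# and probe a broker port for each protocol version the broker should reject.

# Return 0 if the transcript shows a completed handshake, 1 otherwise.
# A rejected attempt still prints "Protocol  : SSLv3" in the SSL-Session
# block, so that line proves nothing; the "New, ..., Cipher is ..." line does.
handshake_succeeded() {
    # $1 is the s_client output (stdout and stderr) as one string
    if printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
        return 1
    fi
    if printf '%s\n' "$1" | grep -q 'alert handshake failure'; then
        return 1
    fi
    printf '%s\n' "$1" | grep -q '^New, .*Cipher is '
}

# Print the negotiated cipher suite from the "New, <proto>, Cipher is <suite>" line.
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^New, [^,]*, Cipher is //p' | head -n 1
}

# Probe host:port with one fixed-version flag (-ssl3, -tls1, -tls1_1, -tls1_2).
# Prints "<flag> accepted <cipher>" or "<flag> rejected".
# Caveat: an openssl built without SSLv3 support errors out on -ssl3 with an
# "unknown option" message and no cipher line; that is reported as "rejected"
# here, which says nothing about the broker. Check the raw output in that case.
probe() {
    host_port=$1
    flag=$2
    out=$(openssl s_client "$flag" -connect "$host_port" </dev/null 2>&1)
    if handshake_succeeded "$out"; then
        printf '%s accepted %s\n' "$flag" "$(negotiated_cipher "$out")"
    else
        printf '%s rejected\n' "$flag"
    fi
}

# Run every probe against one endpoint, e.g. probe_all broker.example:61616
probe_all() {
    for f in -ssl3 -tls1 -tls1_1 -tls1_2; do
        probe "$1" "$f"
    done
}

# Constructed sample transcripts, abridged from the two shown in the issue.
SAMPLE_FAIL='CONNECTED(00000003)
139975367284552:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'

SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA'

# With a host:port argument, probe a live broker; otherwise do nothing.
if [ "$#" -eq 1 ]; then
    probe_all "$1"
fi
```

Run it as `sh probe.sh broker.example:61616` (hostname assumed) after the broker restart; with the bug described above, the nio+ssl connector reports `-ssl3 accepted DHE-RSA-AES256-SHA` while the plain ssl:// connector reports `-ssl3 rejected`. Repeat against the stomp+nio+ssl port (61613 in the quoted config) since each connector is configured separately.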
