qpid-dev mailing list archives

From "ASF GitHub Bot (Jira)" <j...@apache.org>
Subject [jira] [Commented] (QPID-8354) [Broker-J][JMS AMQP 0-x] Backlist TLSv1.1
Date Fri, 20 Sep 2019 10:13:00 GMT

    [ https://issues.apache.org/jira/browse/QPID-8354?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16934269#comment-16934269 ]

ASF GitHub Bot commented on QPID-8354:
--------------------------------------

alex-rufous commented on issue #37: QPID-8354 Blacklist TLSv1.1
URL: https://github.com/apache/qpid-broker-j/pull/37#issuecomment-533495226
 
 
   Tomas,
   The suggested changes look good to me.
   
   Though, I would add a positive test for TLSv1.3 in order to be consistent with the rest of the test code. The challenge here is to identify the Java version in order to add assumption checks to the tests. I would go with a very simplistic approach, for example, try to load any new class which was introduced in Java 11. Here is the code for my suggestion:
   ```java
   private boolean isJava11OrAbove()
   {
       try
       {
           // introduced in java 11
           Class.forName("java.net.http.HttpClient");
           return true;
       }
       catch (ClassNotFoundException e)
       {
           return false;
       }
   }
   ```
   Using the above you can write tests as illustrated below
   ```java
   @Test
   public void testTLSv1_3SupportOnSSLOnlyPort() throws Exception
   {
       assumeThat("Java 11 or above is required", isJava11OrAbove(), is(true));
       checkSSLExcluded("TLSv1.3", Transport.SSL);
   }
   ```
   
   Also, as you started to refactor test code, I would like to suggest renaming the test method `#checkSSLExcluded` to `checkHandshakeWithTlsProtocol`. I think it would be a better name, which would tell exactly what the method does.
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> [Broker-J][JMS AMQP 0-x] Backlist TLSv1.1
> -----------------------------------------
>
>                 Key: QPID-8354
>                 URL: https://issues.apache.org/jira/browse/QPID-8354
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J, JMS AMQP 0-x
>            Reporter: Alex Rudyy
>            Priority: Major
>             Fix For: qpid-java-broker-8.0.0, qpid-java-broker-7.1.5
>
>
> The TLSv1.1 is allowed by default for establishing TLS connectivity in both Qpid Broker-J
> and legacy JMS client for AMQP 0-x. TLS 1.0 is already blacklisted in both products. We can
> consider restricting allowed TLS protocols to TLSv1.2 and TLSv1.3 by default. The TLSv1.2
> can be used with JDK8-10 and TLSv1.3 can be used with JDK 11 and above.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
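
Added example, not part of the original message and not Qpid code: a capability probe that asks the runtime's default JSSE provider which TLS protocols it supports, and restricts an SSLEngine to the TLSv1.2/TLSv1.3 allow-list named in the issue description. The class name TlsProtocolProbe and its method names are hypothetical; it assumes the JVM's default SSLContext.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example (not Qpid code): class and method names are hypothetical.
public class TlsProtocolProbe
{
    // Allow-list from the issue description: only TLSv1.2 and TLSv1.3.
    private static final List<String> ALLOWED = Arrays.asList("TLSv1.3", "TLSv1.2");

    // True if the default JSSE provider of this runtime supports the protocol.
    static boolean isSupported(String protocol) throws NoSuchAlgorithmException
    {
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
        return Arrays.asList(supported).contains(protocol);
    }

    // Restrict an engine to the allow-listed protocols that the runtime supports.
    static String[] restrict(SSLEngine engine)
    {
        List<String> enabled = new ArrayList<>();
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        for (String protocol : ALLOWED)
        {
            if (supported.contains(protocol))
            {
                enabled.add(protocol);
            }
        }
        if (enabled.isEmpty())
        {
            // Fail closed rather than fall back to TLSv1.1 or older.
            throw new IllegalStateException("No allowed TLS protocol is supported by this runtime");
        }
        engine.setEnabledProtocols(enabled.toArray(new String[0]));
        return engine.getEnabledProtocols();
    }

    public static void main(String[] args) throws Exception
    {
        System.out.println("TLSv1.3 supported: " + isSupported("TLSv1.3"));
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        System.out.println("Enabled after restriction: " + Arrays.toString(restrict(engine)));
    }
}
```

In a test, isSupported("TLSv1.3") can feed the same kind of assumption check as a version probe, keyed on what the TLS provider actually offers.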
