[
https://issues.apache.org/jira/browse/ARTEMIS-3038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17258936#comment-17258936
]
Gary Tully edited comment on ARTEMIS-3038 at 1/7/21, 12:19 PM:
---------------------------------------------------------------
The first problem (and it may be sufficient) is that the
[3DES_EDE_CBC|https://www.java.com/en/configure_crypto.html#3DESONTLS] cipher
suite is disabled by default in the JDK and this requires modifications to the
java.security policy file property to enable via {{jdk.tls.disabledAlgorithms}},
which is not something we would want to do to our platform JDK installs going
forward.
There is no other supported KRB5 TLS cipher suite that is considered secure
that can be used as an alternative and I don't think the KRB5 suites will get
further updated. SASL provides a better way to encapsulate the KRB5
negotiation, albeit that it is only available on AMQP.
I think we can leave this ignored for now and delete this test in the next
release. There is some further problem with the host name resolution but I
think that is related to DNS.
was (Author: gtully):
The first problem (and it may be sufficient) is that the
[3DES_EDE_CBC|[https://www.java.com/en/configure_crypto.html#3DESONTLS] ]
cipher suite is disabled by default in the JDK and this requires modifications
to the java.security policy file property to enable via
{{jdk.tls.disabledAlgorithms}}, which is not something we would want to do to
our platform JDK installs going forward.
There is no other supported KRB5 TLS cipher suite that is considered secure
that can be used as an alternative and I don't think the KRB5 suites will get
further updated. SASL provides a better way to encapsulate the KRB5
negotiation, albeit that it is only available on AMQP.
I think we can leave this ignored for now and delete this test in the next
release. There is some further problem with the host name resolution but I
think that is related to DNS.
> Investigate
> CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite
> -----------------------------------------------------------------------------------
>
> Key: ARTEMIS-3038
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3038
> Project: ActiveMQ Artemis
> Issue Type: Task
> Reporter: Clebert Suconic
> Assignee: Gary Tully
> Priority: Major
>
> CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite is
> failing because of:
>
> [https://www.oracle.com/security-alerts/poodlecve-2014-3566.html]
>
> I set the test with an ignore .. until we investigate what we should do.
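A pre-flight check for the situation described in the comment above, as an added example that is not part of the Jira thread or of the Artemis code base: it reports whether a cipher suite is blocked by the running JDK's {{jdk.tls.disabledAlgorithms}} setting and whether the default SSLContext still offers it. The class name {{DisabledSuiteCheck}} is hypothetical, the default suite name {{TLS_KRB5_WITH_3DES_EDE_CBC_SHA}} is the RFC 2712 name and an assumption about what the test configures, and the token matching is a simplification of the algorithm decomposition JSSE performs.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

// Hypothetical helper, not Artemis code.
public class DisabledSuiteCheck {

    // Name-only entries of jdk.tls.disabledAlgorithms (e.g. "3DES_EDE_CBC").
    // Entries with a constraint ("DH keySize < 1024") or an include are skipped.
    static List<String> nameOnlyEntries(String property) {
        List<String> names = new ArrayList<>();
        if (property == null) return names;
        for (String entry : property.split(",")) {
            String e = entry.trim();
            if (!e.isEmpty() && !e.contains(" ")) names.add(e);
        }
        return names;
    }

    // Simplified match: an entry blocks the suite if it equals the suite name or
    // appears as a whole run of '_'-separated tokens, so "DES" does not hit "3DES".
    static List<String> blockingEntries(String suite, List<String> names) {
        List<String> hits = new ArrayList<>();
        String padded = "_" + suite + "_";
        for (String n : names) {
            if (suite.equals(n) || padded.contains("_" + n + "_")) hits.add(n);
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Assumed default: the RFC 2712 Kerberos 3DES suite.
        String suite = args.length > 0 ? args[0] : "TLS_KRB5_WITH_3DES_EDE_CBC_SHA";
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        List<String> hits = blockingEntries(suite, nameOnlyEntries(prop));

        SSLContext ctx = SSLContext.getDefault();
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        List<String> enabled = Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());

        System.out.println("suite:                " + suite);
        System.out.println("blocked by entries:   " + hits);
        System.out.println("supported by context: " + supported.contains(suite));
        System.out.println("enabled by default:   " + enabled.contains(suite));
        // Non-zero exit lets a build or test setup fail fast instead of
        // failing later in the TLS handshake.
        if (!hits.isEmpty() || !supported.contains(suite)) System.exit(1);
    }
}
```

Run with the same JDK and {{java.security}} file the broker or test uses, since the property is read from that installation.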