[
https://issues.apache.org/jira/browse/ARTEMIS-3038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17262641#comment-17262641
]
Robbie Gemmell edited comment on ARTEMIS-3038 at 1/11/21, 1:32 PM:
-------------------------------------------------------------------
The old KRB5 cipher suites won't be updated, the support of them was removed
entirely when support for TLS 1.3 was being added in JDK11, from
[http://openjdk.java.net/jeps/332]:
{quote}Additionally, the KRB5 cipher suites will be removed from the JDK
because they are no longer considered safe to use.
{quote}
I excluded the overall test from running on JDK11+ in
[https://github.com/apache/activemq-artemis/commit/50bf1ef] since it could
never work there. Presumably newer JDK 8's also disabled the ciphers by default
since the test was added, like other older ciphers periodically get disabled by
default. Alternatively, maybe they were also removed entirely when TLS 1.3 was
backported to Java 8 recently. Checking
[https://bugs.openjdk.java.net/browse/JDK-8248721] for the backport, it says
they are not supported with TLS 1.3 but the backport was modified so they were
retained for prior TLS versions but are now disabled by default.
The test could be made conditional with a junit assumption on Java 8, e.g.
create an SSLEngine and verify whether the cipher is supported and
enabled. Though if the ciphers are disabled by default on all recent JDKs, it
will then just never run without additional trickery.
Alternatively, since the client itself is likely to be largely unaware of and
unimportant to this feature being used given it is part of the TLS process, and
the ciphers required have long not been recommended to be used, and the test is
already entirely disabled at the current time by
[https://github.com/apache/activemq-artemis/commit/4e2eda82f33e5cb2266df0fcc2512d9bb5185054],
perhaps the test should simply just be removed and the feature forgotten about.
(EDIT: to be clearer, I think the latter: burn it)
> Investigate
> CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite
> -----------------------------------------------------------------------------------
>
> Key: ARTEMIS-3038
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3038
> Project: ActiveMQ Artemis
> Issue Type: Task
> Reporter: Clebert Suconic
> Assignee: Gary Tully
> Priority: Major
>
> CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite is
> failing because of:
>
> [https://www.oracle.com/security-alerts/poodlecve-2014-3566.html]
>
> I set the test with an ignore .. until we investigate what we should do.
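The JUnit assumption suggested in the comment above could look like the following. This is an added example, not code from the Artemis project: the class name, the `probe` helper and the `Availability` enum are hypothetical, and the suite name is an assumed JSSE standard name standing in for whichever suite the real test configures.

```java
import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assume.assumeTrue;

import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.junit.BeforeClass;
import org.junit.Test;

public class Krb5CipherAssumptionExampleTest {

   // Assumed suite name; substitute the one the real test uses.
   static final String SUITE = "TLS_KRB5_WITH_3DES_EDE_CBC_SHA";

   enum Availability { UNSUPPORTED, SUPPORTED_BUT_DISABLED, ENABLED }

   // Ask a default SSLEngine what this JDK does with the suite.
   // "Supported" means it could be switched on; "enabled" means it is on by default.
   static Availability probe(String suite) throws NoSuchAlgorithmException {
      SSLEngine engine = SSLContext.getDefault().createSSLEngine();
      if (Arrays.asList(engine.getEnabledCipherSuites()).contains(suite)) {
         return Availability.ENABLED;
      }
      if (Arrays.asList(engine.getSupportedCipherSuites()).contains(suite)) {
         return Availability.SUPPORTED_BUT_DISABLED;
      }
      return Availability.UNSUPPORTED;
   }

   // A failed assumption here marks the whole class as skipped instead of failed.
   @BeforeClass
   public static void requireKrb5Cipher() throws Exception {
      Availability state = probe(SUITE);
      assumeTrue("Skipping: " + SUITE + " is " + state + " on Java "
            + System.getProperty("java.version"), state == Availability.ENABLED);
   }

   // Only reached when the suite is enabled by default on the running JDK.
   @Test
   public void engineAcceptsOnlyTheKrb5Suite() throws Exception {
      SSLEngine engine = SSLContext.getDefault().createSSLEngine();
      engine.setEnabledCipherSuites(new String[] {SUITE});
      assertArrayEquals(new String[] {SUITE}, engine.getEnabledCipherSuites());
   }
}
```

On a JDK where the suite is supported but disabled by default, the skip message reports `SUPPORTED_BUT_DISABLED`, which is the "will then just never run" case the comment describes.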