[ 
https://issues.apache.org/jira/browse/ARTEMIS-3038?focusedWorklogId=660427&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-660427
 ]

ASF GitHub Bot logged work on ARTEMIS-3038:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 05/Oct/21 16:30
            Start Date: 05/Oct/21 16:30
    Worklog Time Spent: 10m 
      Work Description: gemmellr opened a new pull request #3785:
URL: https://github.com/apache/activemq-artemis/pull/3785


   Unwinds the effects of the RFC 2712 'Kerberos SSL ciphers' support added in 
ARTEMIS-1264. The functionality was recommended against use even then, and was 
removed entirely from JDK11. It has been disabled by default in JDK8 for a 
while. OpenSSL removed its equivalent support in 2015. It is no longer being 
tested, with the tests already removed 
(a3de3d4c75ba1482706e8c42a5c9b0f9811901eb) since no modern JVMs can do it out 
of the box.
   
   The code has changed and moved around a lot since as the surrounding areas 
were updated, other functionality added etc, so this was a case of making the 
related unwinds rather than reverting what was added as such. The docs included 
a note of the support, including mention it is insecure, though the specific 
steps needed to configure and use it were seemingly never added.
   
   Once #3696 lands this functionality becomes 100% defunct, but it's largely 
already unusable and shouldn't really be used anyway so I don't think this PR 
needs to wait for that one.




Issue Time Tracking
-------------------

            Worklog Id:     (was: 660427)
    Remaining Estimate: 0h
            Time Spent: 10m

> unwind defunct changes from ARTEMIS-1264
> ----------------------------------------
>
>                 Key: ARTEMIS-3038
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3038
>             Project: ActiveMQ Artemis
>          Issue Type: Task
>    Affects Versions: 2.18.0
>            Reporter: Clebert Suconic
>            Assignee: Gary Tully
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The changes made in ARTEMIS-1264 are essentially defunct and should be 
> unwound. The Kerberos TLS cipher suites were already not recommended for use 
> at the time due to being weak, they had already been removed entirely from 
> Java 11 by then, and have been disabled by default in Java 8 releases for 
> some time now, and do not work with TLS 1.3. OpenSSL removed the equivalent 
> support from its source even earlier in May 2015, 
> [https://mta.openssl.org/pipermail/openssl-users/2015-May/001406.html].
> The related tests have already been removed as they were failing, then 
> ignored, and essentially couldn't run anywhere. The non-test changes are now 
> untested and essentially defunct already, but once releases require Java 11 
> they will become entirely unusable.
>  
> Originally described with 
> "CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite is 
> failing....  I set the test with an ignore .. until we investigate what we 
> should do."



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
