Stefan Ferstl created AMQ-9431:
----------------------------------
Summary: Don’t add Bouncycastle as Security Provider when found on
the Classpath
Key: AMQ-9431
URL: https://issues.apache.org/jira/browse/AMQ-9431
Project: ActiveMQ
Issue Type: Improvement
Components: Broker
Reporter: Stefan Ferstl
When Bouncycastle (bcprov) is on the classpath, the class
{{org.apache.activemq.broker.BrokerService}} automatically adds Bouncycastle as
security provider at the end of the JVM's provider chain without the ability to
prevent it:
https://github.com/apache/activemq/blob/main/activemq-broker/src/main/java/org/apache/activemq/broker/BrokerService.java#L282
When ActiveMQ is embedded in an application, this is quite an invasive step and
can lead to unexpected behavior if the application does not expect Bouncycastle
as security provider.
Looking at the commit history, this was introduced in May 2013 with AMQ-4520 to
address problems with the TLS implementation in JDK 7. The Jira issue
references another issue in the activemq-apollo project where similar problems
with JDK 7 are mentioned: APLO-287. Apollo fixed these problems by adding
Bouncycastle at the second position in the provider chain. In AMQ-4520 the same
fix was introduced in {{BrokerService}}.
In May 2016, the position of Bouncycastle in the provider chain was made
configurable by a system property with AMQ-6247 due to side effects of the
original fix. The default was still the second position.
In January 2020 the default position was changed from 2 to the end of the
provider chain with AMQ-7142.
Since this feature was initially introduced to address problems in JDK 7 and
subsequently caused problems in the years after (hence the other two changes
in 2016 and 2020), I suggest removing this feature completely or at least
allowing it to be disabled by setting a system property.
I'll be happy to help with a PR if needed.
This issue affects all versions since the introduction of this feature.
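An added check for applications that embed the broker (example code written here, not ActiveMQ project code): it snapshots the JVM's security provider chain before and after {{BrokerService}} starts, reports any provider that appeared, and fails fast if BouncyCastle (provider name "BC") was registered without the application having installed it. It assumes activemq-broker and bcprov are on the classpath; without bcprov the broker never registers the provider and the check simply passes.

```java
// Added example: detect whether BrokerService altered the security provider chain.
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import org.apache.activemq.broker.BrokerService;

public class ProviderChainCheck {

    /** Names of the installed providers, in chain order (index 0 = position 1). */
    static List<String> snapshot() {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            names.add(p.getName());
        }
        return names;
    }

    /** 1-based position of BouncyCastle in the chain, or -1 if it is not installed. */
    static int bouncyCastlePosition() {
        int idx = snapshot().indexOf("BC");
        return idx < 0 ? -1 : idx + 1;
    }

    public static void main(String[] args) throws Exception {
        List<String> before = snapshot();

        BrokerService broker = new BrokerService();
        broker.setPersistent(false);   // in-memory broker, enough to trigger startup code
        broker.setUseJmx(false);
        broker.start();
        try {
            List<String> after = snapshot();
            for (String name : after) {
                if (!before.contains(name)) {
                    System.out.println("Provider added during broker start: " + name
                            + " (position " + (after.indexOf(name) + 1) + " of " + after.size() + ")");
                }
            }
            if (!before.contains("BC") && bouncyCastlePosition() > 0) {
                // Policy decision for the embedding application: fail fast, log, or
                // Security.removeProvider("BC") if nothing else in the process relies on it.
                throw new IllegalStateException(
                        "BouncyCastle was registered as a security provider by the broker");
            }
        } finally {
            broker.stop();
        }
    }
}
```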