[
https://issues.apache.org/jira/browse/AMQ-9431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jean-Baptiste Onofré updated AMQ-9431:
--------------------------------------
Fix Version/s: 5.18.4, 5.17.7, 6.0.2
> Don’t add Bouncycastle as Security Provider when found on the Classpath
> -----------------------------------------------------------------------
>
> Key: AMQ-9431
> URL: https://issues.apache.org/jira/browse/AMQ-9431
> Project: ActiveMQ Classic
> Issue Type: Improvement
> Components: Broker
> Reporter: Stefan Ferstl
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: 6.1.0, 5.18.4, 5.17.7, 6.0.2
>
>
> When Bouncycastle (bcprov) is on the classpath, the class
> {{org.apache.activemq.broker.BrokerService}} automatically adds Bouncycastle
> as security provider at the end of the JVM's provider chain without the
> ability to prevent it:
> https://github.com/apache/activemq/blob/main/activemq-broker/src/main/java/org/apache/activemq/broker/BrokerService.java#L282
> When ActiveMQ is embedded in an application, this is quite an invasive step
> and can lead to unexpected behavior if the application does not expect
> Bouncycastle as security provider.
> Looking at the commit history, this was introduced in May 2013 with AMQ-4520
> to address problems with the TLS implementation in JDK 7. The Jira issue
> references another issue in the activemq-apollo project where similar
> problems with JDK 7 are mentioned: APLO-287. Apollo fixed these problems by
> adding Bouncycastle at the second position in the provider chain. In AMQ-4520
> the same fix was introduced in {{BrokerService}}.
> In May 2016, the position of Bouncycastle in the provider chain was made
> configurable by a system property with AMQ-6247 due to side effects of the
> original fix. The default was still the second position.
> In January 2020 the default position was changed from 2 to the end of the
> provider chain with AMQ-7142.
> Since this feature was initially introduced to address problems in JDK 7 and
> was subsequently causing problems in the years after (hence the other two
> changes in 2016 and 2020), I suggest removing this feature completely or
> at least allowing it to be disabled by setting a system property.
> I'll be happy to help with a PR if needed.
> This issue affects all versions since the introduction of this feature.
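
An added example, not part of the issue or of the ActiveMQ code base: one way for an embedding application to detect that a component changed the JVM-wide security provider chain during startup, as the issue describes. The class name ProviderChainCheck and the stand-in "DemoProvider" are hypothetical; only java.security APIs are used (Java 9 or later).

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

public class ProviderChainCheck {

    /** Names of the registered JCA providers, in preference order. */
    static List<String> chain() {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            names.add(p.getName());
        }
        return names;
    }

    /** Runs the action and returns the providers it left registered in the chain. */
    static List<String> addedBy(Runnable action) {
        List<String> before = chain();
        action.run();
        List<String> after = chain();
        List<String> added = new ArrayList<>(after);
        added.removeAll(before);
        for (String name : added) {
            // Positions are 1-based, as in Security.insertProviderAt.
            System.out.printf("provider added: %s at position %d of %d%n",
                    name, after.indexOf(name) + 1, after.size());
        }
        return added;
    }

    public static void main(String[] args) {
        // Constructed stand-in for the embedded component under test: it appends
        // a dummy provider to the end of the chain. In a real check, replace the
        // body with the code that creates and starts the embedded broker.
        Runnable embeddedStartup = () -> Security.addProvider(
                new Provider("DemoProvider", "1.0", "constructed example") {});

        List<String> added = addedBy(embeddedStartup);

        // An application that does not expect the extra provider can fail fast
        // here, or restore its original chain if nothing else relies on it.
        for (String name : added) {
            Security.removeProvider(name);
        }
        System.out.println("chain after cleanup: " + chain());
    }
}
```

Bouncycastle registers under the provider name "BC", so that is the name to look for in the output when bcprov is on the classpath.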