[ 
https://issues.apache.org/jira/browse/AMQ-9431?focusedWorklogId=907943&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-907943
 ]

ASF GitHub Bot logged work on AMQ-9431:
---------------------------------------

                Author: ASF GitHub Bot
            Created on: 03/Mar/24 16:02
            Start Date: 03/Mar/24 16:02
    Worklog Time Spent: 10m 
      Work Description: jbonofre merged PR #1165:
URL: https://github.com/apache/activemq/pull/1165




Issue Time Tracking
-------------------

    Worklog Id:     (was: 907943)
    Time Spent: 20m  (was: 10m)

> Don’t add Bouncycastle as Security Provider when found on the Classpath
> -----------------------------------------------------------------------
>
>                 Key: AMQ-9431
>                 URL: https://issues.apache.org/jira/browse/AMQ-9431
>             Project: ActiveMQ Classic
>          Issue Type: Improvement
>          Components: Broker
>            Reporter: Stefan Ferstl
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>             Fix For: 6.1.0, 5.18.4, 5.17.7, 6.0.2
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> When Bouncycastle (bcprov) is on the classpath, the class 
> {{org.apache.activemq.broker.BrokerService}} automatically adds Bouncycastle 
> as security provider at the end of the JVM's provider chain without the 
> ability to prevent it: 
> https://github.com/apache/activemq/blob/main/activemq-broker/src/main/java/org/apache/activemq/broker/BrokerService.java#L282
>  .
> When ActiveMQ is embedded in an application, this is quite an invasive step 
> and can lead to unexpected behavior if the application does not expect 
> Bouncycastle as security provider.
> Looking at the commit history, this was introduced in May 2013 with AMQ-4520 
> to address problems with the TLS implementation in JDK 7. The Jira issue 
> references another issue in the activemq-apollo project where similar 
> problems with JDK 7 are mentioned: APLO-287. Apollo fixed these problems by 
> adding Bouncycastle at the second position in the provider chain. In AMQ-4520 
> the same fix was introduced in {{BrokerService}}.
> In May 2016, the position of Bouncycastle in the provider chain was made 
> configurable by a system property with AMQ-6247 due to side effects of the 
> original fix. The default was still the second position.
> In January 2020 the default position was changed from 2 to the end of the 
> provider chain with AMQ-7142.
> Since this feature was initially introduced to address problems in JDK 7 and 
> was subsequently causing problems in the years after (hence the other two 
> changes in 2016 and 2020) I suggest to remove this feature completely or to 
> at least allow disabling it by setting a system property.
> I'll be happy to help with a PR if needed.
> This issue affects all versions since the introduction of this feature.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
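
The side effect described in the issue can be observed from the embedding application by comparing the JCA provider chain before and after a library starts. The following is an added example, not part of the original message and not ActiveMQ code: the class `ProviderChainAudit`, its methods and the constructed `DemoProvider` are hypothetical, with `Security.addProvider` standing in for what the issue says `BrokerService` does with bcprov. It assumes Java 9 or later.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

public class ProviderChainAudit {

    /** Names of the registered JCA providers, in preference order. */
    static List<String> snapshot() {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            names.add(p.getName());
        }
        return names;
    }

    /** Providers present in 'after' but not in 'before', as "name@position" (1-based). */
    static List<String> added(List<String> before, List<String> after) {
        List<String> out = new ArrayList<>();
        for (int i = 0; i < after.size(); i++) {
            if (!before.contains(after.get(i))) {
                out.add(after.get(i) + "@" + (i + 1));
            }
        }
        return out;
    }

    /** Constructed stand-in for a provider that a library registers as a side effect. */
    static final class DemoProvider extends Provider {
        DemoProvider() { super("DEMO", "1.0", "constructed stand-in provider"); }
    }

    public static void main(String[] args) {
        List<String> before = snapshot();

        // Stand-in for starting the embedded component: appends to the end of the chain.
        Security.addProvider(new DemoProvider());

        List<String> extra = added(before, snapshot());
        System.out.println("chain before start: " + before);
        System.out.println("added by start-up:  " + extra);

        // Restore the chain the application expects by removing what was added.
        for (String entry : extra) {
            Security.removeProvider(entry.substring(0, entry.indexOf('@')));
        }
        System.out.println("chain restored:     " + snapshot().equals(before));
    }
}
```

The reported position shows whether an added provider went to the end of the chain or was inserted ahead of the JDK defaults, which is the distinction the 2016 and 2020 changes mentioned in the issue were about.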
