[jira] [Commented] (ARTEMIS-3038) Investigate CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite

2021-05-14 Thread Gary Tully (Jira)


[ 
https://issues.apache.org/jira/browse/ARTEMIS-3038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17344561#comment-17344561
 ] 

Gary Tully commented on ARTEMIS-3038:
-

I think unwound and removed is best, there is little point in having untested 
code in the mix and there is probably a small performance gain on accepting 
connections to be had with the code removed. 

> Investigate 
> CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite
> ---
>
> Key: ARTEMIS-3038
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3038
> Project: ActiveMQ Artemis
>  Issue Type: Task
>Reporter: Clebert Suconic
>Assignee: Gary Tully
>Priority: Major
>
> CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite is 
> failing because of:
>  
> [https://www.oracle.com/security-alerts/poodlecve-2014-3566.html]
>  
> I set the test with an ignore .. until we investigate what we should do.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (ARTEMIS-3038) Investigate CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite

2021-05-14 Thread Robbie Gemmell (Jira)


[ 
https://issues.apache.org/jira/browse/ARTEMIS-3038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17344536#comment-17344536
 ] 

Robbie Gemmell commented on ARTEMIS-3038:
-

I am leaving this Jira open regardless of removing the test though, for 
consideration of whether any of the (more substantial than expected) 
non-test-class changes from ARTEMIS-1264 should be left in place as they have 
so far, or actually be unwound and removed as well considering they are 
entirely untested, unusable either by default (Java 8) or at all (Java 11+) on 
any recent JVM, and long not recommended for use.



[jira] [Commented] (ARTEMIS-3038) Investigate CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite

2021-05-14 Thread Robbie Gemmell (Jira)


[ 
https://issues.apache.org/jira/browse/ARTEMIS-3038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17344535#comment-17344535
 ] 

Robbie Gemmell commented on ARTEMIS-3038:
-

I removed the test class and a related exclusion in the above commit just to 
tidy out ARTEMIS-2813 fully, given the test couldn't be run currently and all 
discussion here was toward removing it.



[jira] [Commented] (ARTEMIS-3038) Investigate CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite

2021-05-14 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/ARTEMIS-3038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17344532#comment-17344532
 ] 

ASF subversion and git services commented on ARTEMIS-3038:
--

Commit a3de3d4c75ba1482706e8c42a5c9b0f9811901eb in activemq-artemis's branch 
refs/heads/main from Robbie Gemmell
[ https://gitbox.apache.org/repos/asf?p=activemq-artemis.git;h=a3de3d4 ]

ARTEMIS-3038, ARTEMIS-2813: remove the CoreClientOverOneWaySSLKerb5Test test 
class

- It is already entirely disabled one or more ways depending on what JVM is in
  use.
- If enabled on any modern JVM it would either fail by default or can never
  work, as the related ciphers it requires have been disabled (8) or entirely
  removed (11+) due to being considered unsuitable for use.




[jira] [Commented] (ARTEMIS-3038) Investigate CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite

2021-01-11 Thread Clebert Suconic (Jira)


[ 
https://issues.apache.org/jira/browse/ARTEMIS-3038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17262783#comment-17262783
 ] 

Clebert Suconic commented on ARTEMIS-3038:
--

>>  it should just be removed <<



That's all I wanted to hear from this discussion... 

I thought you were arguing to keep it.. so it shall be gone! :)

 



[jira] [Commented] (ARTEMIS-3038) Investigate CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite

2021-01-11 Thread Robbie Gemmell (Jira)


[ 
https://issues.apache.org/jira/browse/ARTEMIS-3038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17262735#comment-17262735
 ] 

Robbie Gemmell commented on ARTEMIS-3038:
-

I understand the test fails in newer 8+ envs where it was disabled by default 
(or would in 11+ where it isn't supported, if I hadn't disabled it)...as in my 
first reply, while you could change the test to accommodate for that so it only 
runs in situations the functionality is available, I think that would just be 
silly (since we won't really run it in old JDK8 envs where it would just work by 
default, and we wouldn't [want to] tweak the newer JDK8 envs/settings to make 
sure it could run, plus it's really testing something entirely independent of 
the client anyway, and it's something which people shouldn't really use anymore) 
and so I absolutely agree it should just be removed.



[jira] [Commented] (ARTEMIS-3038) Investigate CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite

2021-01-11 Thread Clebert Suconic (Jira)


[ 
https://issues.apache.org/jira/browse/ARTEMIS-3038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17262715#comment-17262715
 ] 

Clebert Suconic commented on ARTEMIS-3038:
--

[~robbie] the issue is that not every JDK 1.8 has the cipher... it was removed 
on latest minor releases... 

I think we should just remove the test.



[jira] [Commented] (ARTEMIS-3038) Investigate CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite

2021-01-11 Thread Robbie Gemmell (Jira)


[ 
https://issues.apache.org/jira/browse/ARTEMIS-3038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17262704#comment-17262704
 ] 

Robbie Gemmell commented on ARTEMIS-3038:
-

I believe the ciphers are still there in JDK8 (or were when the TLS 1.3 
backport work was done mid last year, for release later in the year) per the 
JIRA, and it's just that at some point they were disabled by default, i.e. a 
SSLEngine will probably have them listed as supported-protocols but not 
enabled-protocols, unless explicitly enabled. JDK11 did absolutely remove them 
though so they are long gone from that perspective either way, and were 
not recommended even in early JDK8. I'd delete the test and forget it existed.



[jira] [Commented] (ARTEMIS-3038) Investigate CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite

2021-01-11 Thread Clebert Suconic (Jira)


[ 
https://issues.apache.org/jira/browse/ARTEMIS-3038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17262645#comment-17262645
 ] 

Clebert Suconic commented on ARTEMIS-3038:
--

[~robbie] the cipher was removed on newer java8 as well. the last I have seen 
it working was 1.8.18 or 22 (don't remember now).. newer versions won't have 
the cipher.



[jira] [Commented] (ARTEMIS-3038) Investigate CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite

2021-01-11 Thread Robbie Gemmell (Jira)


[ 
https://issues.apache.org/jira/browse/ARTEMIS-3038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17262641#comment-17262641
 ] 

Robbie Gemmell commented on ARTEMIS-3038:
-

The old KRB5 cipher suites won't be updated, the support of them was removed 
entirely when support for TLS 1.3 was being added in JDK11, from 
[http://openjdk.java.net/jeps/332]:

{quote}
Additionally, the KRB5 cipher suites will be removed from the JDK because they 
are no longer considered safe to use.
{quote}

I excluded the overall test from running on JDK11+ in 
[https://github.com/apache/activemq-artemis/commit/50bf1ef] since it could 
never work there. Presumably newer JDK 8's also disabled the ciphers by default 
since the test was added, like other older ciphers periodically get disabled by 
default. Alternatively, maybe they were also removed entirely when TLS 1.3 was 
backported to Java 8 recently. Checking 
[https://bugs.openjdk.java.net/browse/JDK-8248721] for the backport, it says 
they are not supported with TLS 1.3 but the backport was modified so they were 
retained for prior TLS versions but are now disabled by default.

The test could be made conditional with a junit assumption on Java 8, e.g. 
create an SSLEngine and verify whether the cipher is supported and 
enabled. Though if the ciphers are disabled by default on all recent JDKs, it 
will then just never run without additional trickery.

Alternatively, since the client itself is likely to be largely unaware of and 
unimportant to this feature being used given it is part of the TLS process, and 
the ciphers required have long not been recommended to be used, and the test is 
already entirely disabled at the current time by 
https://github.com/apache/activemq-artemis/commit/4e2eda82f33e5cb2266df0fcc2512d9bb5185054, 
perhaps the test should simply just be removed and the feature forgotten about.

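The availability check suggested in the comment above (create an SSLEngine and see whether the cipher suite is supported and enabled), as an added example that is not part of the original thread or the Artemis code base. The class name and the default suite name `TLS_KRB5_WITH_3DES_EDE_CBC_SHA` are assumptions chosen for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example: reports whether a cipher suite is usable on the running JVM.
public class CipherSuiteAvailability {

    // ABSENT means the default engine does not report the suite at all: it was
    // removed from the JDK, or it may have been filtered out of both lists by
    // the jdk.tls.disabledAlgorithms security property.
    enum State { ENABLED, SUPPORTED_BUT_NOT_ENABLED, ABSENT }

    static State stateOf(String suite) throws NoSuchAlgorithmException {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        if (Arrays.asList(engine.getEnabledCipherSuites()).contains(suite)) {
            return State.ENABLED;
        }
        if (Arrays.asList(engine.getSupportedCipherSuites()).contains(suite)) {
            return State.SUPPORTED_BUT_NOT_ENABLED;
        }
        return State.ABSENT;
    }

    public static void main(String[] args) throws Exception {
        // Assumed suite name (a standard JSSE KRB5 3DES suite); pass another as args[0].
        String suite = args.length > 0 ? args[0] : "TLS_KRB5_WITH_3DES_EDE_CBC_SHA";
        State state = stateOf(suite);
        System.out.println("Java " + System.getProperty("java.version")
                + ": " + suite + " -> " + state);
        if (state != State.ENABLED) {
            // Shows the policy that keeps legacy algorithms out of the handshake.
            System.out.println("jdk.tls.disabledAlgorithms = "
                    + Security.getProperty("jdk.tls.disabledAlgorithms"));
        }
        // In a JUnit 4 test the same check would gate execution, for example:
        //   Assume.assumeTrue(stateOf(suite) == State.ENABLED);
    }
}
```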


[jira] [Commented] (ARTEMIS-3038) Investigate CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite

2021-01-05 Thread Gary Tully (Jira)


[ 
https://issues.apache.org/jira/browse/ARTEMIS-3038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17258936#comment-17258936
 ] 

Gary Tully commented on ARTEMIS-3038:
-

The first problem (and it may be sufficient) is that the 
[3DES_EDE_CBC|https://www.java.com/en/configure_crypto.html#3DESONTLS] 
cipher suite is disabled by default in the jdk and this requires modifications 
to the java.security policy file property to enable via 
{{jdk.tls.disabledAlgorithms}} which is not something we would want to do to 
our platform jdk installs going forward.

There is no other supported KRB5 TLS cipher suite that is considered secure 
that can be used as an alternative and I don't think the KRB5 suites will get 
further updated. SASL provides a better way to encapsulate the KRB5 
negotiation, albeit that it is only available on AMQP.

I think we can leave this ignored for now and delete this test in the next 
release. There is some further problem with the host name resolution but I 
think that is related to dns.

 
