Repository: activemq-6 Updated Branches: refs/heads/master 9045ddd7b -> fdf1a1a26
ACTIVEMQ6-36 Disallow SSLv3 for POODLE Project: http://git-wip-us.apache.org/repos/asf/activemq-6/repo Commit: http://git-wip-us.apache.org/repos/asf/activemq-6/commit/36d86ffb Tree: http://git-wip-us.apache.org/repos/asf/activemq-6/tree/36d86ffb Diff: http://git-wip-us.apache.org/repos/asf/activemq-6/diff/36d86ffb Branch: refs/heads/master Commit: 36d86ffb00f6f152ed6daf7cf16f6f1556573ba7 Parents: 9045ddd Author: jbertram <jbert...@redhat.com> Authored: Mon Nov 17 13:37:51 2014 -0600 Committer: jbertram <jbert...@redhat.com> Committed: Mon Nov 17 13:37:51 2014 -0600 ---------------------------------------------------------------------- .../core/remoting/impl/netty/NettyAcceptor.java | 17 +++++++++++++++ .../core/server/HornetQServerLogger.java | 6 +++++ .../ssl/CoreClientOverOneWaySSLTest.java | 23 ++++++++++++++++++++ 3 files changed, 46 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/activemq-6/blob/36d86ffb/activemq-server/src/main/java/org/apache/activemq/core/remoting/impl/netty/NettyAcceptor.java ---------------------------------------------------------------------- diff --git a/activemq-server/src/main/java/org/apache/activemq/core/remoting/impl/netty/NettyAcceptor.java b/activemq-server/src/main/java/org/apache/activemq/core/remoting/impl/netty/NettyAcceptor.java index 661d6a7..614e19a 100644 --- a/activemq-server/src/main/java/org/apache/activemq/core/remoting/impl/netty/NettyAcceptor.java +++ b/activemq-server/src/main/java/org/apache/activemq/core/remoting/impl/netty/NettyAcceptor.java 
@@ -19,8 +19,10 @@ import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.AccessController;
import java.security.PrivilegedAction;
+import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
+import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.ScheduledExecutorService;
@@ -394,6 +396,21 @@ public class NettyAcceptor implements Acceptor
engine.setEnabledProtocols(originalProtocols);
}
+ // Strip "SSLv3" from the current enabled protocols to address the POODLE exploit.
+ // This recommendation came from http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
+ String[] protocols = engine.getEnabledProtocols();
+ Set<String> set = new HashSet<>();
+ for (String s : protocols)
+ {
+ if (s.equals("SSLv3") || s.equals("SSLv2Hello"))
+ {
+ HornetQServerLogger.LOGGER.disallowedProtocol(s);
+ continue;
+ }
+ set.add(s);
+ }
+ engine.setEnabledProtocols(set.toArray(new String[0]));
+
SslHandler handler = new SslHandler(engine);
pipeline.addLast("ssl", handler);
http://git-wip-us.apache.org/repos/asf/activemq-6/blob/36d86ffb/activemq-server/src/main/java/org/apache/activemq/core/server/HornetQServerLogger.java
----------------------------------------------------------------------
diff --git a/activemq-server/src/main/java/org/apache/activemq/core/server/HornetQServerLogger.java b/activemq-server/src/main/java/org/apache/activemq/core/server/HornetQServerLogger.java
index 0399b4b..9a6b1a0 100644
--- a/activemq-server/src/main/java/org/apache/activemq/core/server/HornetQServerLogger.java
+++ b/activemq-server/src/main/java/org/apache/activemq/core/server/HornetQServerLogger.java
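Review bot: The WARN emitted by `HornetQServerLogger.LOGGER.disallowedProtocol(s)` fires every time this block runs, and from the surrounding `pipeline.addLast("ssl", handler)` it looks like the block runs once per accepted channel, so a JSSE default list that still contains SSLv2Hello would produce one warning per client connection; computing the filtered protocol array once when the acceptor starts (or logging once) and only applying it here would keep the log readable. The comment names only one of the two values the loop drops; `// Strip "SSLv3" and "SSLv2Hello" from the enabled protocols to mitigate POODLE (CVE-2014-3566).` matches the condition. When every enabled protocol is stripped, `engine.setEnabledProtocols(new String[0])` is reached and the handshake fails, which appears to be the intended outcome for an SSLv3-only configuration (the accompanying test expects exactly that), so a one-line comment stating it would spare the next reader a search. The enclosing method starts and ends outside the hunk.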
@@ -1106,6 +1106,12 @@ public interface HornetQServerLogger extends BasicLogger
format = Message.Format.MESSAGE_FORMAT)
void activateSharedStoreSlaveFailed(@Cause Throwable e);
+ @LogMessage(level = Logger.Level.WARN)
+ @Message(id = 222190,
+ value = "Disallowing use of vulnerable protocol: {0}. See http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html for more details.",
+ format = Message.Format.MESSAGE_FORMAT)
+ void disallowedProtocol(String protocol);
+
@LogMessage(level = Logger.Level.ERROR)
@Message(id = 224000, value = "Failure in initialisation", format = Message.Format.MESSAGE_FORMAT)
void initializationError(@Cause Throwable e);
http://git-wip-us.apache.org/repos/asf/activemq-6/blob/36d86ffb/tests/integration-tests/src/test/java/org/apache/activemq/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/tests/integration/ssl/CoreClientOverOneWaySSLTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
index 8144447..7a7e903 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
@@ -251,6 +251,29 @@ public class CoreClientOverOneWaySSLTest extends ServiceTestBase
}
@Test
+ // http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
+ public void testPOODLE() throws Exception
+ {
+ createCustomSslServer(null, "SSLv3");
+ tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
+ tc.getParams().put(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, "SSLv3");
+
+ ServerLocator locator = addServerLocator(HornetQClient.createServerLocatorWithoutHA(tc));
+ try
+ {
+ createSessionFactory(locator);
+ Assert.fail();
+ }
+ catch (HornetQNotConnectedException e)
+ {
+ Assert.assertTrue(true);
+ }
+ }
+
+ @Test
public void testOneWaySSLWithGoodClientCipherSuite() throws Exception
{
createCustomSslServer();
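Review bot: `testPOODLE` passes whenever the SSLv3 handshake fails for any reason, including a client JDK that already disables SSLv3 through the `jdk.tls.disabledAlgorithms` security property, so it does not show that the server-side stripping in NettyAcceptor is what rejected the connection; a companion case where the server is created with SSLv3 plus a TLS version and a TLS-only client still connects would pin the intended behaviour. `Assert.assertTrue(true)` in the catch block asserts nothing; either leave the catch body with a comment such as `// expected: SSLv3 is stripped from the server's enabled protocols` or declare `@Test(expected = HornetQNotConnectedException.class)` and drop the try/catch together with `Assert.fail()`. If the try/catch stays, give the failure a reason, `Assert.fail("SSLv3-only client must not be able to connect");`, and move the URL comment into a Javadoc above `@Test` instead of between the annotation and the method. The enclosing class continues outside the hunk.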