ACTIVEMQ6-36 Disallow SSLv3 for POODLE

activemq-server/src/main/java/org/apache/activemq/core/remoting/impl/netty/NettyAcceptor.java

@@ -19,8 +19,10 @@ import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
 import java.util.concurrent.ScheduledExecutorService;
@@ -394,6 +396,21 @@ public class NettyAcceptor implements Acceptor
                   engine.setEnabledProtocols(originalProtocols);
                }
 
+               // Strip "SSLv3" from the current enabled protocols to address the POODLE exploit.
+               // This recommendation came from http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
+               String[] protocols = engine.getEnabledProtocols();
+               Set<String> set = new HashSet<>();
+               for (String s : protocols)
+               {
+                  if (s.equals("SSLv3") || s.equals("SSLv2Hello"))
+                  {
+                     HornetQServerLogger.LOGGER.disallowedProtocol(s);
+                     continue;
+                  }
+                  set.add(s);
+               }
+               engine.setEnabledProtocols(set.toArray(new String[0]));
+
                SslHandler handler = new SslHandler(engine);
 
                pipeline.addLast("ssl", handler);

activemq-server/src/main/java/org/apache/activemq/core/server/HornetQServerLogger.java

@@ -1106,6 +1106,12 @@ public interface HornetQServerLogger extends BasicLogger
          format = Message.Format.MESSAGE_FORMAT)
    void activateSharedStoreSlaveFailed(@Cause Throwable e);
 
+   @LogMessage(level = Logger.Level.WARN)
+   @Message(id = 222190,
+         value = "Disallowing use of vulnerable protocol: {0}. See http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html for more details.",
+         format = Message.Format.MESSAGE_FORMAT)
+   void disallowedProtocol(String protocol);
+
    @LogMessage(level = Logger.Level.ERROR)
    @Message(id = 224000, value = "Failure in initialisation", format = Message.Format.MESSAGE_FORMAT)
    void initializationError(@Cause Throwable e);

tests/integration-tests/src/test/java/org/apache/activemq/tests/integration/ssl/CoreClientOverOneWaySSLTest.java

@@ -250,6 +250,29 @@ public class CoreClientOverOneWaySSLTest extends ServiceTestBase
       }
    }
 
+   @Test
+   // http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
+   public void testPOODLE() throws Exception
+   {
+      createCustomSslServer(null, "SSLv3");
+      tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+      tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+      tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
+      tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
+      tc.getParams().put(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, "SSLv3");
+
+      ServerLocator locator = addServerLocator(HornetQClient.createServerLocatorWithoutHA(tc));
+      try
+      {
+         createSessionFactory(locator);
+         Assert.fail();
+      }
+      catch (HornetQNotConnectedException e)
+      {
+         Assert.assertTrue(true);
+      }
+   }
+
    @Test
    public void testOneWaySSLWithGoodClientCipherSuite() throws Exception
    {