From 36d86ffb00f6f152ed6daf7cf16f6f1556573ba7 Mon Sep 17 00:00:00 2001
From: jbertram
Date: Mon, 17 Nov 2014 13:37:51 -0600
Subject: [PATCH] ACTIVEMQ6-36 Disallow SSLv3 for POODLE
---
.../remoting/impl/netty/NettyAcceptor.java | 17 ++++++++++++++
.../core/server/HornetQServerLogger.java | 6 +++++
.../ssl/CoreClientOverOneWaySSLTest.java | 23 +++++++++++++++++++
3 files changed, 46 insertions(+)
diff --git a/activemq-server/src/main/java/org/apache/activemq/core/remoting/impl/netty/NettyAcceptor.java b/activemq-server/src/main/java/org/apache/activemq/core/remoting/impl/netty/NettyAcceptor.java
index 661d6a71ab..614e19ad31 100644
--- a/activemq-server/src/main/java/org/apache/activemq/core/remoting/impl/netty/NettyAcceptor.java
+++ b/activemq-server/src/main/java/org/apache/activemq/core/remoting/impl/netty/NettyAcceptor.java
@@ -19,8 +19,10 @@ import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
 import java.util.concurrent.ScheduledExecutorService;
@@ -394,6 +396,21 @@ public class NettyAcceptor implements Acceptor
 engine.setEnabledProtocols(originalProtocols);
 }
+ // Strip "SSLv3" from the current enabled protocols to address the POODLE exploit.
+ // This recommendation came from http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
+ String[] protocols = engine.getEnabledProtocols();
+ Set set = new HashSet<>();
+ for (String s : protocols)
+ {
+ if (s.equals("SSLv3") || s.equals("SSLv2Hello"))
+ {
+ HornetQServerLogger.LOGGER.disallowedProtocol(s);
+ continue;
+ }
+ set.add(s);
+ }
+ engine.setEnabledProtocols(set.toArray(new String[0]));
+
 SslHandler handler = new SslHandler(engine);
 pipeline.addLast("ssl", handler);
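Review bot: `Set set = new HashSet<>();` is a raw type, and the WARN from `HornetQServerLogger.LOGGER.disallowedProtocol(s)` is emitted every time this code runs, which appears to be once per accepted channel since it sits next to the per-connection `new SslHandler(engine)`; a peer that keeps reconnecting can therefore fill the log, and the operator sees the same warning thousands of times for one configuration choice. Declare it as `Set<String> set = new HashSet<>();` and log the stripped protocol once per acceptor (a flag set on the first hit, or DEBUG after the first occurrence). Also consider the case where the filter leaves the enabled set empty (the operator configured only SSLv3, which is exactly what the new test does): every handshake then fails with no log line explaining why, so an explicit warning when `set.isEmpty()` would save a support call. The enclosing method starts and ends outside the hunk.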
diff --git a/activemq-server/src/main/java/org/apache/activemq/core/server/HornetQServerLogger.java b/activemq-server/src/main/java/org/apache/activemq/core/server/HornetQServerLogger.java
index 0399b4b12c..9a6b1a05df 100644
--- a/activemq-server/src/main/java/org/apache/activemq/core/server/HornetQServerLogger.java
+++ b/activemq-server/src/main/java/org/apache/activemq/core/server/HornetQServerLogger.java
@@ -1106,6 +1112,12 @@ public interface HornetQServerLogger extends BasicLogger
 format = Message.Format.MESSAGE_FORMAT)
 void activateSharedStoreSlaveFailed(@Cause Throwable e);
+ @LogMessage(level = Logger.Level.WARN)
+ @Message(id = 222190,
+ value = "Disallowing use of vulnerable protocol: {0}. See http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html for more details.",
+ format = Message.Format.MESSAGE_FORMAT)
+ void disallowedProtocol(String protocol);
+
 @LogMessage(level = Logger.Level.ERROR)
 @Message(id = 224000, value = "Failure in initialisation", format = Message.Format.MESSAGE_FORMAT)
 void initializationError(@Cause Throwable e);
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/tests/integration/ssl/CoreClientOverOneWaySSLTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
index 8144447dc7..7a7e903723 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
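Review bot: The message text `Disallowing use of vulnerable protocol: {0}.` is misleading for one of the two values NettyAcceptor passes to `disallowedProtocol`: besides "SSLv3" it also strips "SSLv2Hello", which is only the SSLv2-compatible ClientHello framing rather than a vulnerable protocol version, so operators will read that an SSLv2 vulnerability was blocked. Suggest neutral wording such as `value = "Disabling protocol {0} on this acceptor (SSLv3 is disabled because of POODLE, CVE-2014-3566). See ... for more details."`. The advisory link is plain `http://`; a message that tells an operator where to read security guidance should point at an `https://` URL so the reference cannot be altered in transit.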
@@ -250,6 +250,29 @@ public class CoreClientOverOneWaySSLTest extends ServiceTestBase
 }
 }
+ @Test
+ // http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
+ public void testPOODLE() throws Exception
+ {
+ createCustomSslServer(null, "SSLv3");
+ tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
+ tc.getParams().put(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, "SSLv3");
+
+ ServerLocator locator = addServerLocator(HornetQClient.createServerLocatorWithoutHA(tc));
+ try
+ {
+ createSessionFactory(locator);
+ Assert.fail();
+ }
+ catch (HornetQNotConnectedException e)
+ {
+ Assert.assertTrue(true);
+ }
+ }
+
 @Test
 public void testOneWaySSLWithGoodClientCipherSuite() throws Exception
 {
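Review bot: `Assert.assertTrue(true)` in the catch block asserts nothing and `Assert.fail()` carries no message, so a regression reports only a bare AssertionError; use `Assert.fail("connection from an SSLv3-only client should have been refused");` and drop the no-op assert, or declare `@Test(expected = HornetQNotConnectedException.class)`. The test also configures the server with `createCustomSslServer(null, "SSLv3")`, so after the acceptor strips SSLv3 the server presumably has no enabled protocols left and would refuse a TLSv1 client as well; the observed failure therefore does not prove that SSLv3 specifically is rejected, and a truststore mistake would pass as the same HornetQNotConnectedException. A stronger shape is a server on its default protocols with a client that offers only SSLv3 expecting the exception, plus a positive case in that same server configuration where a TLS client connects.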