ACTIVEMQ6-36 Disallow SSLv3 for POODLE

jbertram 2014-11-17 13:37:51 -06:00
parent 9045ddd7bb
commit 36d86ffb00
3 changed files with 46 additions and 0 deletions


@ -19,8 +19,10 @@ import java.net.InetSocketAddress;
import java.net.SocketAddress; import java.net.SocketAddress;
import java.security.AccessController; import java.security.AccessController;
import java.security.PrivilegedAction; import java.security.PrivilegedAction;
import java.util.HashSet;
import java.util.Iterator; import java.util.Iterator;
import java.util.Map; import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap; import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.ScheduledExecutorService; import java.util.concurrent.ScheduledExecutorService;
@ -394,6 +396,21 @@ public class NettyAcceptor implements Acceptor
engine.setEnabledProtocols(originalProtocols); engine.setEnabledProtocols(originalProtocols);
} }
// Strip "SSLv3" from the current enabled protocols to address the POODLE exploit.
// This recommendation came from http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
String[] protocols = engine.getEnabledProtocols();
Set<String> set = new HashSet<>();
for (String s : protocols)
{
if (s.equals("SSLv3") || s.equals("SSLv2Hello"))
{
HornetQServerLogger.LOGGER.disallowedProtocol(s);
continue;
}
set.add(s);
}
engine.setEnabledProtocols(set.toArray(new String[0]));
SslHandler handler = new SslHandler(engine); SslHandler handler = new SslHandler(engine);
pipeline.addLast("ssl", handler); pipeline.addLast("ssl", handler);
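Review bot: The filtered protocol list is rebuilt through a `HashSet`, so `engine.setEnabledProtocols` receives the survivors in hash order rather than the order the engine reported, and when the configured list was only SSLv3 it receives an empty array, which surfaces later as an opaque handshake failure with no server-side message naming the cause. Preserving order is a one-line change, `Set<String> set = new LinkedHashSet<>();` (with the matching import), and an empty result deserves its own warning before the `setEnabledProtocols` call. The `disallowedProtocol` warning sits in code that feeds the channel pipeline, so it appears to run per accepted connection; on a JDK whose defaults include both SSLv3 and SSLv2Hello that is two WARN lines per connection, which is log noise worth reducing to one message per acceptor. The comment above the loop mentions only SSLv3 although SSLv2Hello is stripped as well; `// Strip SSLv3 and the SSLv2Hello pseudo-protocol from the enabled protocols to address POODLE.` would be accurate. The enclosing method starts before this hunk.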


@ -1106,6 +1106,12 @@ public interface HornetQServerLogger extends BasicLogger
format = Message.Format.MESSAGE_FORMAT) format = Message.Format.MESSAGE_FORMAT)
void activateSharedStoreSlaveFailed(@Cause Throwable e); void activateSharedStoreSlaveFailed(@Cause Throwable e);
@LogMessage(level = Logger.Level.WARN)
@Message(id = 222190,
value = "Disallowing use of vulnerable protocol: {0}. See http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html for more details.",
format = Message.Format.MESSAGE_FORMAT)
void disallowedProtocol(String protocol);
@LogMessage(level = Logger.Level.ERROR) @LogMessage(level = Logger.Level.ERROR)
@Message(id = 224000, value = "Failure in initialisation", format = Message.Format.MESSAGE_FORMAT) @Message(id = 224000, value = "Failure in initialisation", format = Message.Format.MESSAGE_FORMAT)
void initializationError(@Cause Throwable e); void initializationError(@Cause Throwable e);
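Review bot: The message text calls every stripped protocol "vulnerable" and links to the POODLE advisory, but the NettyAcceptor change in this same commit also passes `SSLv2Hello` to it, which is a hello-message format rather than a protocol version affected by POODLE, so the warning can mislead an operator reading the log. Wording such as `value = "Disallowing use of insecure protocol: {0}. See http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html for more details.",` covers both cases. A Javadoc line on `disallowedProtocol` saying that it is emitted each time a protocol is removed from an engine's enabled list would also help readers of the logger interface.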


@ -250,6 +250,29 @@ public class CoreClientOverOneWaySSLTest extends ServiceTestBase
} }
} }
@Test
// http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
public void testPOODLE() throws Exception
{
createCustomSslServer(null, "SSLv3");
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
tc.getParams().put(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, "SSLv3");
ServerLocator locator = addServerLocator(HornetQClient.createServerLocatorWithoutHA(tc));
try
{
createSessionFactory(locator);
Assert.fail();
}
catch (HornetQNotConnectedException e)
{
Assert.assertTrue(true);
}
}
@Test @Test
public void testOneWaySSLWithGoodClientCipherSuite() throws Exception public void testOneWaySSLWithGoodClientCipherSuite() throws Exception
{ {
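Review bot: `Assert.assertTrue(true)` in the catch block of testPOODLE is a no-op, and the test passes for any `HornetQNotConnectedException`, so a server that failed to start or a bad truststore path would make it pass without exercising the SSLv3 stripping at all. Replace the no-op with a comment such as `// expected: the acceptor strips SSLv3, leaving no protocol in common with the client` and give the failure a message, `Assert.fail("SSLv3-only client should not be able to connect");`. A positive control in the same test, the identical setup with a TLS protocol name in `ENABLED_PROTOCOLS_PROP_NAME` connecting successfully, would tie the failure to the protocol filter rather than to the environment. Moving the advisory comment above `@Test` rather than between the annotation and the signature would also match the surrounding test style.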