ACTIVEMQ6-36 Disallow SSLv3 for POODLE
parent
9045ddd7bb
commit
36d86ffb00
|
@ -19,8 +19,10 @@ import java.net.InetSocketAddress;
|
||||||
import java.net.SocketAddress;
|
import java.net.SocketAddress;
|
||||||
import java.security.AccessController;
|
import java.security.AccessController;
|
||||||
import java.security.PrivilegedAction;
|
import java.security.PrivilegedAction;
|
||||||
|
import java.util.HashSet;
|
||||||
import java.util.Iterator;
|
import java.util.Iterator;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
import java.util.Set;
|
||||||
import java.util.concurrent.ConcurrentHashMap;
|
import java.util.concurrent.ConcurrentHashMap;
|
||||||
import java.util.concurrent.ConcurrentMap;
|
import java.util.concurrent.ConcurrentMap;
|
||||||
import java.util.concurrent.ScheduledExecutorService;
|
import java.util.concurrent.ScheduledExecutorService;
|
||||||
|
@ -394,6 +396,21 @@ public class NettyAcceptor implements Acceptor
|
||||||
engine.setEnabledProtocols(originalProtocols);
|
engine.setEnabledProtocols(originalProtocols);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Strip "SSLv3" from the current enabled protocols to address the POODLE exploit.
|
||||||
|
// This recommendation came from http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
|
||||||
|
String[] protocols = engine.getEnabledProtocols();
|
||||||
|
Set<String> set = new HashSet<>();
|
||||||
|
for (String s : protocols)
|
||||||
|
{
|
||||||
|
if (s.equals("SSLv3") || s.equals("SSLv2Hello"))
|
||||||
|
{
|
||||||
|
HornetQServerLogger.LOGGER.disallowedProtocol(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
set.add(s);
|
||||||
|
}
|
||||||
|
engine.setEnabledProtocols(set.toArray(new String[0]));
|
||||||
|
|
||||||
SslHandler handler = new SslHandler(engine);
|
SslHandler handler = new SslHandler(engine);
|
||||||
|
|
||||||
pipeline.addLast("ssl", handler);
|
pipeline.addLast("ssl", handler);
|
||||||
|
|
|
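Review bot: The filter can leave `set` empty — when the protocols already enabled on the engine (the `originalProtocols` path just above) consist only of SSLv3 and/or SSLv2Hello, every entry is dropped and `engine.setEnabledProtocols(set.toArray(new String[0]))` is still called with an empty array, so the acceptor starts cleanly and every later handshake fails with a generic JSSE error instead of a clear configuration message. Add a guard before that call, e.g. `if (set.isEmpty()) { throw new IllegalStateException("No SSL/TLS protocol remains enabled after removing SSLv3/SSLv2Hello"); }` (or an ERROR via HornetQServerLogger), so the misconfiguration is reported once at setup. Note this is a denylist: TLSv1.0 and anything else the JSSE default enables still pass through, so an operator who wants a stricter floor still depends on the configured protocol list; a one-line comment saying so would help. The enclosing method starts before this hunk and continues after it.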
@ -1106,6 +1106,12 @@ public interface HornetQServerLogger extends BasicLogger
|
||||||
format = Message.Format.MESSAGE_FORMAT)
|
format = Message.Format.MESSAGE_FORMAT)
|
||||||
void activateSharedStoreSlaveFailed(@Cause Throwable e);
|
void activateSharedStoreSlaveFailed(@Cause Throwable e);
|
||||||
|
|
||||||
|
@LogMessage(level = Logger.Level.WARN)
|
||||||
|
@Message(id = 222190,
|
||||||
|
value = "Disallowing use of vulnerable protocol: {0}. See http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html for more details.",
|
||||||
|
format = Message.Format.MESSAGE_FORMAT)
|
||||||
|
void disallowedProtocol(String protocol);
|
||||||
|
|
||||||
@LogMessage(level = Logger.Level.ERROR)
|
@LogMessage(level = Logger.Level.ERROR)
|
||||||
@Message(id = 224000, value = "Failure in initialisation", format = Message.Format.MESSAGE_FORMAT)
|
@Message(id = 224000, value = "Failure in initialisation", format = Message.Format.MESSAGE_FORMAT)
|
||||||
void initializationError(@Cause Throwable e);
|
void initializationError(@Cause Throwable e);
|
||||||
|
|
|
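Review bot: The message text calls whatever is passed a "vulnerable protocol", but the NettyAcceptor caller also passes `SSLv2Hello`, which is the legacy SSLv2-format ClientHello pseudo-protocol rather than SSLv2 itself, so operators will read the warning as though SSLv2 had been enabled on the broker. Consider `value = "Disallowing use of protocol {0} (SSLv3 is vulnerable to POODLE; SSLv2Hello is the legacy hello format). See http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html for more details.",`. The call site appears to run when the SSL handler is built for a channel, so if SSLv3 sits in the JSSE default list this WARN will repeat for every accepted connection; either guard it to log once or state that expectation in a comment above the annotation, e.g. `// Emitted from the per-connection SSL setup path; expect one entry per disallowed protocol per connection.`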
@ -250,6 +250,29 @@ public class CoreClientOverOneWaySSLTest extends ServiceTestBase
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
// http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
|
||||||
|
public void testPOODLE() throws Exception
|
||||||
|
{
|
||||||
|
createCustomSslServer(null, "SSLv3");
|
||||||
|
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
|
||||||
|
tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
|
||||||
|
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
|
||||||
|
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
|
||||||
|
tc.getParams().put(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, "SSLv3");
|
||||||
|
|
||||||
|
ServerLocator locator = addServerLocator(HornetQClient.createServerLocatorWithoutHA(tc));
|
||||||
|
try
|
||||||
|
{
|
||||||
|
createSessionFactory(locator);
|
||||||
|
Assert.fail();
|
||||||
|
}
|
||||||
|
catch (HornetQNotConnectedException e)
|
||||||
|
{
|
||||||
|
Assert.assertTrue(true);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testOneWaySSLWithGoodClientCipherSuite() throws Exception
|
public void testOneWaySSLWithGoodClientCipherSuite() throws Exception
|
||||||
{
|
{
|
||||||
|
|
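Review bot: The test cannot show that the acceptor's SSLv3 stripping is what rejects the connection, because both the server (`createCustomSslServer(null, "SSLv3")`) and the client (`ENABLED_PROTOCOLS_PROP_NAME, "SSLv3"`) are limited to SSLv3, so the same `HornetQNotConnectedException` would arise if the client side or the JDK's own `jdk.tls.disabledAlgorithms` refused SSLv3 first — on a JDK that already disables SSLv3 by default this test would pass with the NettyAcceptor change reverted. Pair it with a positive case that connects a TLS-enabled client to the same server, or run the server with its default protocol list so the acceptor filter is the only reason an SSLv3-only client can fail. Also `Assert.assertTrue(true);` in the catch is a no-op; drop it and give the failure a message, `Assert.fail("SSLv3-only client should have been refused");`.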