ACTIVEMQ6-36 Disallow SSLv3 for POODLE
This commit is contained in:
parent
9045ddd7bb
commit
36d86ffb00
|
@ -19,8 +19,10 @@ import java.net.InetSocketAddress;
|
|||
import java.net.SocketAddress;
|
||||
import java.security.AccessController;
|
||||
import java.security.PrivilegedAction;
|
||||
import java.util.HashSet;
|
||||
import java.util.Iterator;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import java.util.concurrent.ConcurrentHashMap;
|
||||
import java.util.concurrent.ConcurrentMap;
|
||||
import java.util.concurrent.ScheduledExecutorService;
|
||||
|
@ -394,6 +396,21 @@ public class NettyAcceptor implements Acceptor
|
|||
engine.setEnabledProtocols(originalProtocols);
|
||||
}
|
||||
|
||||
// Strip "SSLv3" from the current enabled protocols to address the POODLE exploit.
|
||||
// This recommendation came from http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
|
||||
String[] protocols = engine.getEnabledProtocols();
|
||||
Set<String> set = new HashSet<>();
|
||||
for (String s : protocols)
|
||||
{
|
||||
if (s.equals("SSLv3") || s.equals("SSLv2Hello"))
|
||||
{
|
||||
HornetQServerLogger.LOGGER.disallowedProtocol(s);
|
||||
continue;
|
||||
}
|
||||
set.add(s);
|
||||
}
|
||||
engine.setEnabledProtocols(set.toArray(new String[0]));
|
||||
|
||||
SslHandler handler = new SslHandler(engine);
|
||||
|
||||
pipeline.addLast("ssl", handler);
|
||||
|
|
|
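Review bot: The filter after `engine.getEnabledProtocols()` can leave the engine with no enabled protocol at all: if the configured list is only `SSLv3` (exactly what the new test sets up), `set` is empty and `engine.setEnabledProtocols(new String[0])` is applied, so the misconfiguration surfaces later as a generic handshake failure instead of a clear error; an explicit `if (set.isEmpty())` check that logs or throws before the call would make it visible. The `disallowedProtocol` warning is also emitted on every pass through this code, and since `pipeline.addLast("ssl", handler)` suggests this runs in the per-channel initializer, a default JSSE protocol list containing `SSLv2Hello` would produce one WARN per accepted connection; logging once per acceptor would avoid the flood. Minor: a `HashSet` discards the order returned by `getEnabledProtocols()`, whereas an `ArrayList` keeps it at no cost. The enclosing method starts and ends outside the hunk.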
@ -1106,6 +1106,12 @@ public interface HornetQServerLogger extends BasicLogger
|
|||
format = Message.Format.MESSAGE_FORMAT)
|
||||
void activateSharedStoreSlaveFailed(@Cause Throwable e);
|
||||
|
||||
@LogMessage(level = Logger.Level.WARN)
|
||||
@Message(id = 222190,
|
||||
value = "Disallowing use of vulnerable protocol: {0}. See http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html for more details.",
|
||||
format = Message.Format.MESSAGE_FORMAT)
|
||||
void disallowedProtocol(String protocol);
|
||||
|
||||
@LogMessage(level = Logger.Level.ERROR)
|
||||
@Message(id = 224000, value = "Failure in initialisation", format = Message.Format.MESSAGE_FORMAT)
|
||||
void initializationError(@Cause Throwable e);
|
||||
|
|
|
@ -250,6 +250,29 @@ public class CoreClientOverOneWaySSLTest extends ServiceTestBase
|
|||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
// http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
|
||||
public void testPOODLE() throws Exception
|
||||
{
|
||||
createCustomSslServer(null, "SSLv3");
|
||||
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
|
||||
tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
|
||||
tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
|
||||
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
|
||||
tc.getParams().put(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, "SSLv3");
|
||||
|
||||
ServerLocator locator = addServerLocator(HornetQClient.createServerLocatorWithoutHA(tc));
|
||||
try
|
||||
{
|
||||
createSessionFactory(locator);
|
||||
Assert.fail();
|
||||
}
|
||||
catch (HornetQNotConnectedException e)
|
||||
{
|
||||
Assert.assertTrue(true);
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testOneWaySSLWithGoodClientCipherSuite() throws Exception
|
||||
{
|
||||
|
|
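Review bot: `Assert.assertTrue(true)` in the catch block of `testPOODLE` asserts nothing; the catch clause alone already proves the expected `HornetQNotConnectedException` was thrown, so replace it with a comment such as `// expected: the acceptor refuses an SSLv3-only handshake` and give the preceding failure a message, `Assert.fail("connection over SSLv3 should have been rejected");`. The test also only shows that an SSLv3-only client and an SSLv3-only server cannot connect; if `createCustomSslServer(null, "SSLv3")` restricts the server to SSLv3 alone, the acceptor change in this commit leaves it with an empty protocol list, so the failure would occur even if the client-side restriction were ignored. A companion case where the server is configured with SSLv3 plus a TLS version and the client is limited to TLS would show that stripping SSLv3 still leaves a working listener. `testOneWaySSLWithGoodClientCipherSuite` continues outside the hunk.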