Merge PR #12 - fixes from apache

2014-11-17 14:57:57 -05:00 · 2014-11-17 14:57:57 -05:00 · fdf1a1a262
parent 9045ddd7bb 2d9125a7c6
commit fdf1a1a262
5 changed files with 57 additions and 3 deletions
--- a/activemq-server/src/main/java/org/apache/activemq/core/protocol/core/ServerSessionPacketHandler.java
+++ b/activemq-server/src/main/java/org/apache/activemq/core/protocol/core/ServerSessionPacketHandler.java
@ -556,7 +556,14 @@ public class ServerSessionPacketHandler implements ChannelHandler
            }
            else
            {
-               HornetQServerLogger.LOGGER.caughtException(e);
+               if (e.getType() == HornetQExceptionType.QUEUE_EXISTS)
+               {
+                  HornetQServerLogger.LOGGER.debug("Caught exception", e);
+               }
+               else
+               {
+                  HornetQServerLogger.LOGGER.caughtException(e);
+               }
            }
         }
         catch (Throwable t)
--- a/activemq-server/src/main/java/org/apache/activemq/core/remoting/impl/netty/NettyAcceptor.java
+++ b/activemq-server/src/main/java/org/apache/activemq/core/remoting/impl/netty/NettyAcceptor.java
@ -19,8 +19,10 @@ import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
 import java.util.concurrent.ScheduledExecutorService;
@ -394,6 +396,21 @@ public class NettyAcceptor implements Acceptor
                  engine.setEnabledProtocols(originalProtocols);
               }

+               // Strip "SSLv3" from the current enabled protocols to address the POODLE exploit.
+               // This recommendation came from http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
+               String[] protocols = engine.getEnabledProtocols();
+               Set<String> set = new HashSet<>();
+               for (String s : protocols)
+               {
+                  if (s.equals("SSLv3") || s.equals("SSLv2Hello"))
+                  {
+                     HornetQServerLogger.LOGGER.disallowedProtocol(s);
+                     continue;
+                  }
+                  set.add(s);
+               }
+               engine.setEnabledProtocols(set.toArray(new String[0]));
+
               SslHandler handler = new SslHandler(engine);

               pipeline.addLast("ssl", handler);
--- a/activemq-server/src/main/java/org/apache/activemq/core/server/HornetQServerLogger.java
+++ b/activemq-server/src/main/java/org/apache/activemq/core/server/HornetQServerLogger.java
@ -1106,6 +1106,12 @@ public interface HornetQServerLogger extends BasicLogger
         format = Message.Format.MESSAGE_FORMAT)
   void activateSharedStoreSlaveFailed(@Cause Throwable e);

+   @LogMessage(level = Logger.Level.WARN)
+   @Message(id = 222190,
+         value = "Disallowing use of vulnerable protocol: {0}. See http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html for more details.",
+         format = Message.Format.MESSAGE_FORMAT)
+   void disallowedProtocol(String protocol);
+
   @LogMessage(level = Logger.Level.ERROR)
   @Message(id = 224000, value = "Failure in initialisation", format = Message.Format.MESSAGE_FORMAT)
   void initializationError(@Cause Throwable e);
--- a/activemq-server/src/main/java/org/apache/activemq/core/server/group/impl/LocalGroupingHandler.java
+++ b/activemq-server/src/main/java/org/apache/activemq/core/server/group/impl/LocalGroupingHandler.java
@ -16,6 +16,7 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.concurrent.ConcurrentMap;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.ScheduledFuture;
@ -43,9 +44,9 @@ import org.apache.activemq.utils.TypedProperties;
 */
 public final class LocalGroupingHandler extends GroupHandlingAbstract
 {
-   private final ConcurrentHashMap<SimpleString, GroupBinding> map = new ConcurrentHashMap<SimpleString, GroupBinding>();
+   private final ConcurrentMap<SimpleString, GroupBinding> map = new ConcurrentHashMap<SimpleString, GroupBinding>();

-   private final ConcurrentHashMap<SimpleString, List<GroupBinding>> groupMap = new ConcurrentHashMap<SimpleString, List<GroupBinding>>();
+   private final ConcurrentMap<SimpleString, List<GroupBinding>> groupMap = new ConcurrentHashMap<SimpleString, List<GroupBinding>>();

   private final SimpleString name;

--- a/tests/integration-tests/src/test/java/org/apache/activemq/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
@ -250,6 +250,29 @@ public class CoreClientOverOneWaySSLTest extends ServiceTestBase
      }
   }

+   @Test
+   // http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
+   public void testPOODLE() throws Exception
+   {
+      createCustomSslServer(null, "SSLv3");
+      tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+      tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+      tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
+      tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
+      tc.getParams().put(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, "SSLv3");
+
+      ServerLocator locator = addServerLocator(HornetQClient.createServerLocatorWithoutHA(tc));
+      try
+      {
+         createSessionFactory(locator);
+         Assert.fail();
+      }
+      catch (HornetQNotConnectedException e)
+      {
+         Assert.assertTrue(true);
+      }
+   }
+
   @Test
   public void testOneWaySSLWithGoodClientCipherSuite() throws Exception
   {