fix for: https://issues.apache.org/jira/browse/AMQ-4582

treat bad enabledCipherSuites option as non-recoverable. git-svn-id: https://svn.apache.org/repos/asf/activemq/trunk@1512017 13f79535-47bb-0310-9956-ffa450edef68
2013-08-08 20:26:23 +00:00 · 2013-08-08 20:26:23 +00:00 · 1773e2c11c
parent 42b4e0c810
commit 1773e2c11c
2 changed files with 113 additions and 0 deletions
--- a/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java
+++ b/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java
@ -33,6 +33,7 @@ import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicInteger;

 import javax.net.ServerSocketFactory;
+import javax.net.ssl.SSLServerSocket;

 import org.apache.activemq.Service;
 import org.apache.activemq.ThreadPriorities;
@ -151,6 +152,27 @@ public class TcpTransportServer extends TransportServerThreadSupport implements
    private void configureServerSocket(ServerSocket socket) throws SocketException {
        socket.setSoTimeout(2000);
        if (transportOptions != null) {
+
+            // If the enabledCipherSuites option is invalid we don't want to ignore it as the call
+            // to SSLServerSocket to configure it has a side effect on the socket rendering it
+            // useless as all suites are enabled many of which are considered as insecure.  We
+            // instead trap that option here and throw an exception.  We should really consider
+            // all invalid options as breaking and not start the transport but the current design
+            // doesn't really allow for this.
+            //
+            //  see: https://issues.apache.org/jira/browse/AMQ-4582
+            //
+            if (socket instanceof SSLServerSocket) {
+                if (transportOptions.containsKey("enabledCipherSuites")) {
+                    Object cipherSuites = transportOptions.remove("enabledCipherSuites");
+
+                    if (!IntrospectionSupport.setProperty(socket, "enabledCipherSuites", cipherSuites)) {
+                        throw new SocketException(String.format(
+                            "Invalid transport options {enabledCipherSuites=%s}", cipherSuites));
+                    }
+                }
+            }
+
            IntrospectionSupport.setProperties(socket, transportOptions);
        }
    }
--- a/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4582Test.java
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4582Test.java
@ -0,0 +1,91 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.bugs;
+
+import java.io.IOException;
+
+import javax.jms.Connection;
+import javax.jms.Session;
+
+import org.apache.activemq.broker.BrokerService;
+import org.apache.activemq.util.ConsumerThread;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AMQ4582Test {
+
+    private static final transient Logger LOG = LoggerFactory.getLogger(AMQ4582Test.class);
+
+    BrokerService broker;
+    Connection connection;
+    Session session;
+
+    public static final String KEYSTORE_TYPE = "jks";
+    public static final String PASSWORD = "password";
+    public static final String SERVER_KEYSTORE = "src/test/resources/server.keystore";
+    public static final String TRUST_KEYSTORE = "src/test/resources/client.keystore";
+
+    public static final int PRODUCER_COUNT = 10;
+    public static final int CONSUMER_COUNT = 10;
+    public static final int MESSAGE_COUNT = 1000;
+
+    final ConsumerThread[] consumers = new ConsumerThread[CONSUMER_COUNT];
+
+    @Before
+    public void setUp() throws Exception {
+        System.setProperty("javax.net.ssl.trustStore", TRUST_KEYSTORE);
+        System.setProperty("javax.net.ssl.trustStorePassword", PASSWORD);
+        System.setProperty("javax.net.ssl.trustStoreType", KEYSTORE_TYPE);
+        System.setProperty("javax.net.ssl.keyStore", SERVER_KEYSTORE);
+        System.setProperty("javax.net.ssl.keyStoreType", KEYSTORE_TYPE);
+        System.setProperty("javax.net.ssl.keyStorePassword", PASSWORD);
+    }
+
+    @After
+    public void tearDown() throws Exception {
+        if (broker != null) {
+            try {
+                broker.stop();
+            } catch(Exception e) {}
+        }
+    }
+
+    @Rule public ExpectedException thrown = ExpectedException.none();
+    @Test
+    public void simpleTest() throws Exception {
+        thrown.expect(IOException.class);
+        thrown.expectMessage("enabledCipherSuites=BADSUITE");
+
+        broker = new BrokerService();
+        broker.setPersistent(false);
+        broker.setUseJmx(false);
+        try {
+            broker.addConnector(
+                "ssl://localhost:0?transport.needClientAuth=true&transport.enabledCipherSuites=BADSUITE");
+            broker.start();
+            broker.waitUntilStarted();
+        } catch (Exception e) {
+            LOG.info("BrokerService threw:", e);
+            throw e;
+        }
+    }
+}