[jboss-jira] [JBoss JIRA] (WFLY-11200) Messaging-activemq integration code alters the JMS client's enabled protocols via TransportConfiguration

James Perkins (Jira) issues@jboss.org
Tue Dec 11 12:50:01 EST 2018


     [ https://issues.jboss.org/browse/WFLY-11200?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Perkins updated WFLY-11200:
---------------------------------
    Fix Version/s: 15.0.0.Final


> Messaging-activemq integration code alters the JMS client's enabled protocols via TransportConfiguration
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WFLY-11200
>                 URL: https://issues.jboss.org/browse/WFLY-11200
>             Project: WildFly
>          Issue Type: Bug
>          Components: JMS, Security
>            Reporter: Petr Kremensky
>            Assignee: Jeff Mesnil
>            Priority: Major
>             Fix For: 15.0.0.Beta1, 15.0.0.Final
>
>
> Integration code of messaging-activemq sets the enabledProtocols=["TLSv1,TLSv1.1,TLSv1.2"] property on the NettyConnector looked up by the client. This behaviour was introduced by WFLY-9096 (https://github.com/wildfly/wildfly/pull/11673/files).
> https://github.com/wildfly/wildfly/pull/11673/files#diff-64b7f8a3e5eb2234f8bc8cbdebd01799R373
> {code}
> parameters.putIfAbsent(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, "TLSv1,TLSv1.1,TLSv1.2");
> {code}
> https://github.com/apache/activemq-artemis/blob/2.6.3/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java#L355
> {code}
> enabledProtocols = ConfigurationHelper.getStringProperty(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, TransportConstants.DEFAULT_ENABLED_PROTOCOLS, configuration);
> {code}
> NettyConnector prefers the enabled protocols obtained from the integration code to the ones defined on the client side, possibly forcing the client to use a less secure protocol than the client wants.
> https://github.com/apache/activemq-artemis/blob/2.6.3/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java#L550
> {code}
> ...
> String[] originalProtocols = engine.getEnabledProtocols();
> ...
> if (enabledProtocols != null) { // true with WFLY-9096
>    try {
>       engine.setEnabledProtocols(SSLSupport.parseCommaSeparatedListIntoArray(enabledProtocols));
>    } catch (IllegalArgumentException e) {
>       ActiveMQClientLogger.LOGGER.invalidProtocol(SSLSupport.parseArrayIntoCommandSeparatedList(engine.getSupportedProtocols()));
>       throw e;
>    }
> } else {
>    engine.setEnabledProtocols(originalProtocols);
> }
> ...
> {code}
> *Reproduce*
> {code:bash}
> WORKSPACE=`pwd`
> WILDFLY=${WORKSPACE}/wildfly
> TESTSUITE=${WORKSPACE}/eap-tests-hornetq
> SERVERS=${WORKSPACE}/servers
> export JBOSS_HOME_1=${SERVERS}/server1/jboss-eap
> export JBOSS_HOME_2=${SERVERS}/server2/jboss-eap
> export JBOSS_HOME_3=${SERVERS}/server3/jboss-eap
> export JBOSS_HOME_4=${SERVERS}/server4/jboss-eap
> # setup testing server
> cd $WORKSPACE
> git clone git@github.com:wildfly/wildfly.git
> cd $WILDFLY
> mvn clean install -DskipTests -pl dist -am
> cd dist/target
> zip -r /tmp/wildfly.zip wildfly-*-SNAPSHOT
> # setup testsuite
> cd $WORKSPACE
> git clone git://git.app.eng.bos.redhat.com/jbossqe/eap-tests-hornetq.git 
> mkdir $SERVERS
> cd $SERVERS
> groovy -DEAP_ZIP_URL=file:///tmp/wildfly.zip ${TESTSUITE}/scripts/PrepareServers7.groovy 
> # run the reproducer
> cd $TESTSUITE/jboss-hornetq-testsuite
> mvn clean test -Dtest=ElytronSslAuthenticationTestCase#testOneWaySslOverSSLv3Jms -pl tests-eap7 -am
> {code}
> *Test details:*
> *server* supports TLSv1.1
> {code:xml}
> <server-ssl-contexts>
>     <server-ssl-context name="server-ssl-context" protocols="TLSv1.1" need-client-auth="false" key-manager="key-manager-name_server-ssl-context"/>
> </server-ssl-contexts>
> {code}
> *client* is forced (byteman rule) to use SSLv3
> *Actual:*
> Connection is made.
> *Expected:*
> javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)



--
This message was sent by Atlassian Jira
(v7.12.1#712002)
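The mechanism the ticket describes, as an added illustration that is not WildFly or Artemis code: a stand-alone class that reproduces the two pieces quoted above (the integration layer's putIfAbsent of a protocol list, and the NettyConnector branch that applies any non-null list verbatim and only falls back to the SSLEngine's own enabled protocols when the list is null) against a real javax.net.ssl.SSLEngine from the default SSLContext, and reports which protocols the injected list enables beyond the JVM's own defaults. The key literal "enabledProtocols" is assumed to match Artemis' TransportConstants.ENABLED_PROTOCOLS_PROP_NAME; the "hardened" variant that injects no default is one defensive option, not a statement of the fix shipped in 15.0.0.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Added illustration for WFLY-11200 (hypothetical code, not WildFly or Artemis):
 * shows why putIfAbsent("enabledProtocols", ...) in an integration layer overrides
 * the client's JSSE defaults, and a variant that leaves the client's choice alone.
 */
public class EnabledProtocolsDemo {

    // Assumed to equal Artemis' TransportConstants.ENABLED_PROTOCOLS_PROP_NAME.
    static final String ENABLED_PROTOCOLS = "enabledProtocols";

    /** Behaviour reported in the ticket: a default list is injected whenever the client set none. */
    static void reportedIntegrationDefaults(Map<String, Object> params) {
        params.putIfAbsent(ENABLED_PROTOCOLS, "TLSv1,TLSv1.1,TLSv1.2");
    }

    /** Defensive alternative: inject nothing, so a client that set no list keeps the JSSE defaults. */
    static void hardenedIntegrationDefaults(Map<String, Object> params) {
        // Deliberately leaves ENABLED_PROTOCOLS untouched; only an explicit client value is honoured.
    }

    /**
     * Mirrors the NettyConnector branch quoted in the ticket: a non-null configured list
     * replaces the engine's enabled protocols; only a null list keeps the engine's own set.
     * Returns the protocols the engine will actually offer in the handshake.
     */
    static String[] applyToEngine(SSLEngine engine, Map<String, Object> params) {
        String[] originalProtocols = engine.getEnabledProtocols(); // the client's JSSE defaults
        Object configured = params.get(ENABLED_PROTOCOLS);
        if (configured != null) {
            try {
                engine.setEnabledProtocols(configured.toString().split("\\s*,\\s*"));
            } catch (IllegalArgumentException e) {
                System.err.println("Unsupported protocol in " + configured + "; supported: "
                        + Arrays.toString(engine.getSupportedProtocols()));
                throw e;
            }
        } else {
            engine.setEnabledProtocols(originalProtocols);
        }
        return engine.getEnabledProtocols();
    }

    /** Protocols the applied list enables that the JVM default did not: the regression to watch for. */
    static Set<String> enabledBeyondDefault(String[] jvmDefault, String[] effective) {
        Set<String> extra = new LinkedHashSet<>(Arrays.asList(effective));
        extra.removeAll(Arrays.asList(jvmDefault));
        return extra;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] jvmDefault = ctx.createSSLEngine().getEnabledProtocols();
        System.out.println("JSSE default enabled protocols        : " + Arrays.toString(jvmDefault));

        // Case 1: the client configured no enabledProtocols at all.
        Map<String, Object> params = new HashMap<>();
        reportedIntegrationDefaults(params);
        String[] effective = applyToEngine(ctx.createSSLEngine(), params);
        System.out.println("Reported behaviour, client set nothing: " + Arrays.toString(effective));
        System.out.println("  enabled beyond JVM default          : " + enabledBeyondDefault(jvmDefault, effective));

        params = new HashMap<>();
        hardenedIntegrationDefaults(params);
        effective = applyToEngine(ctx.createSSLEngine(), params);
        System.out.println("Hardened behaviour, client set nothing: " + Arrays.toString(effective));
        System.out.println("  enabled beyond JVM default          : " + enabledBeyondDefault(jvmDefault, effective));

        // Case 2: the client explicitly restricted itself; putIfAbsent must not clobber that.
        params = new HashMap<>();
        params.put(ENABLED_PROTOCOLS, "TLSv1.2");
        reportedIntegrationDefaults(params);
        effective = applyToEngine(ctx.createSSLEngine(), params);
        System.out.println("Client explicitly chose TLSv1.2       : " + Arrays.toString(effective));
    }
}
```

Run it with `javac EnabledProtocolsDemo.java && java EnabledProtocolsDemo`. On a JDK whose defaults exclude TLSv1 and TLSv1.1, case 1 under the reported behaviour lists them as enabled beyond the default even though the client never asked for them, while the hardened variant leaves the JVM defaults in place; case 2 shows that putIfAbsent only matters when the client set nothing, which is exactly the situation in the byteman-driven test above, where the client's engine-level restriction is overwritten by the injected list.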