WildFly / WFLY-11200

Messaging-activemq integration code alters the JMS client's enabled protocols via TransportConfiguration


      The messaging-activemq integration code sets the property enabledProtocols=["TLSv1,TLSv1.1,TLSv1.2"] on the NettyConnector looked up by the client. This behaviour was introduced by WFLY-9096 (https://github.com/wildfly/wildfly/pull/11673/files).

      https://github.com/wildfly/wildfly/pull/11673/files#diff-64b7f8a3e5eb2234f8bc8cbdebd01799R373

      parameters.putIfAbsent(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, "TLSv1,TLSv1.1,TLSv1.2");
      

      https://github.com/apache/activemq-artemis/blob/2.6.3/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java#L355

      enabledProtocols = ConfigurationHelper.getStringProperty(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, TransportConstants.DEFAULT_ENABLED_PROTOCOLS, configuration);
      

      NettyConnector prefers the enabled protocols obtained from the integration code over the ones the client configured on its own SSLEngine, so the client can be forced to use a less secure protocol than it intended.
      https://github.com/apache/activemq-artemis/blob/2.6.3/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java#L550

      ...
      String[] originalProtocols = engine.getEnabledProtocols();
      ...
      if (enabledProtocols != null) { // true with WFLY-9096
         try {
            engine.setEnabledProtocols(SSLSupport.parseCommaSeparatedListIntoArray(enabledProtocols));
         } catch (IllegalArgumentException e) {
            ActiveMQClientLogger.LOGGER.invalidProtocol(SSLSupport.parseArrayIntoCommandSeparatedList(engine.getSupportedProtocols()));
            throw e;
         }
      } else {
         engine.setEnabledProtocols(originalProtocols);
      }
      ...
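      The override shown above, reproduced on a bare SSLEngine as an added example that is not part of WildFly or Artemis: the hypothetical class EnabledProtocolsCheck first applies the injected list the way the reported code path does, then shows a defensive merge (restrictTo) in which an integration default can only narrow the client's enabled set, never widen it.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical helper (not WildFly/Artemis code): demonstrates what the injected
// enabledProtocols value does to a client's SSLEngine and a safer way to merge it.
public class EnabledProtocolsCheck {

    // The value the messaging-activemq integration injects (quoted from the issue).
    static final String INTEGRATION_DEFAULT = "TLSv1,TLSv1.1,TLSv1.2";

    // Keep only protocols present in BOTH the client's current enabled set and the
    // integration default, preserving the client's order. The default may therefore
    // remove protocols the client enabled, but can never add ones the client excluded.
    static String[] restrictTo(String[] clientEnabled, String integrationDefault) {
        Set<String> allowed = new LinkedHashSet<>();
        for (String p : integrationDefault.split(",")) {
            allowed.add(p.trim());
        }
        List<String> merged = new ArrayList<>();
        for (String p : clientEnabled) {
            if (allowed.contains(p)) {
                merged.add(p);
            }
        }
        return merged.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();

        // The client deliberately narrows itself to TLSv1.2 only.
        engine.setEnabledProtocols(new String[] {"TLSv1.2"});
        String[] originalProtocols = engine.getEnabledProtocols();
        System.out.println("client configured : " + Arrays.toString(originalProtocols));

        // What the reported code path does: the injected list replaces the client's set.
        engine.setEnabledProtocols(INTEGRATION_DEFAULT.split(","));
        System.out.println("after override    : " + Arrays.toString(engine.getEnabledProtocols()));

        // Defensive alternative: intersect the two lists instead of replacing.
        engine.setEnabledProtocols(restrictTo(originalProtocols, INTEGRATION_DEFAULT));
        System.out.println("after intersection: " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

      The same replace-versus-intersect question applies to the client-side TransportConfiguration parameters: because the integration uses putIfAbsent, a client that supplies TransportConstants.ENABLED_PROTOCOLS_PROP_NAME itself keeps its own value.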
      

      Reproduce

      WORKSPACE=`pwd`
      WILDFLY=${WORKSPACE}/wildfly
      TESTSUITE=${WORKSPACE}/eap-tests-hornetq
      SERVERS=${WORKSPACE}/servers
      export JBOSS_HOME_1=${SERVERS}/server1/jboss-eap
      export JBOSS_HOME_2=${SERVERS}/server2/jboss-eap
      export JBOSS_HOME_3=${SERVERS}/server3/jboss-eap
      export JBOSS_HOME_4=${SERVERS}/server4/jboss-eap
      
      # setup testing server
      cd $WORKSPACE
      git clone git@github.com:wildfly/wildfly.git
      cd $WILDFLY
      mvn clean install -DskipTests -pl dist -am
      cd dist/target
      zip -r /tmp/wildfly.zip wildfly-*-SNAPSHOT
      
      # setup testsuite
      cd $WORKSPACE
      git clone git://git.app.eng.bos.redhat.com/jbossqe/eap-tests-hornetq.git 
      mkdir $SERVERS
      cd $SERVERS
      groovy -DEAP_ZIP_URL=file:///tmp/wildfly.zip ${TESTSUITE}/scripts/PrepareServers7.groovy 
      
      # run the reproducer
      cd $TESTSUITE/jboss-hornetq-testsuite
      mvn clean test -Dtest=ElytronSslAuthenticationTestCase#testOneWaySslOverSSLv3Jms -pl tests-eap7 -am
      

      Test details:
      server supports TLSv1.1

      <server-ssl-contexts>
          <server-ssl-context name="server-ssl-context" protocols="TLSv1.1" need-client-auth="false" key-manager="key-manager-name_server-ssl-context"/>
      </server-ssl-contexts>
      

      The client is forced (via a Byteman rule) to use SSLv3.

      Actual:
      Connection is made.

      Expected:
      javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

              jmesnil1@redhat.com Jeff Mesnil
              pkremens@redhat.com Petr Kremensky (Inactive)