Details
-
Bug
-
Resolution: Done
-
Major
-
None
-
None
Description
Integration code of messaging-activemq sets enabledProtocols=["TLSv1,TLSv1.1,TLSv1.2"] property to NettyConnector lookedup by the client. This behaviour was introduced by WFLY-9096 (https://github.com/wildfly/wildfly/pull/11673/files).
https://github.com/wildfly/wildfly/pull/11673/files#diff-64b7f8a3e5eb2234f8bc8cbdebd01799R373
parameters.putIfAbsent(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, "TLSv1,TLSv1.1,TLSv1.2");
enabledProtocols = ConfigurationHelper.getStringProperty(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, TransportConstants.DEFAULT_ENABLED_PROTOCOLS, configuration);
NettyConnector prefers the enabled protocols obtained from integration code to ones defined on client side - possibly forces client to use less secured protocol than client wants.
https://github.com/apache/activemq-artemis/blob/2.6.3/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java#L550
... String[] originalProtocols = engine.getEnabledProtocols(); ... if (enabledProtocols != null) { // true with WFLY-9096 try { engine.setEnabledProtocols(SSLSupport.parseCommaSeparatedListIntoArray(enabledProtocols)); } catch (IllegalArgumentException e) { ActiveMQClientLogger.LOGGER.invalidProtocol(SSLSupport.parseArrayIntoCommandSeparatedList(engine.getSupportedProtocols())); throw e; } } else { engine.setEnabledProtocols(originalProtocols); } ...
Reproduce
WORKSPACE=`pwd`
WILDFLY=${WORKSPACE}/wildfly
TESTSUITE=${WORKSPACE}/eap-tests-hornetq
SERVERS=${WORKSPACE}/servers
export JBOSS_HOME_1=${SERVERS}/server1/jboss-eap
export JBOSS_HOME_2=${SERVERS}/server2/jboss-eap
export JBOSS_HOME_3=${SERVERS}/server3/jboss-eap
export JBOSS_HOME_4=${SERVERS}/server4/jboss-eap
# setup testing server
cd $WORKSPACE
git clone git@github.com:wildfly/wildfly.git
cd $WILDFLY
mvn clean install -DskipTests -pl dist -am
cd dist/target
zip -r /tmp/wildfly.zip wildfly-*-SNAPSHOT
# setup testsuite
cd $WORKSPACE
git clone git://git.app.eng.bos.redhat.com/jbossqe/eap-tests-hornetq.git
mkdir $SERVERS
cd $SERVERS
groovy -DEAP_ZIP_URL=file:///tmp/wildfly.zip ${TESTSUITE}/scripts/PrepareServers7.groovy
# run the reproducer
cd $TESTSUITE/jboss-hornetq-testsuite
mvn clean test -Dtest=ElytronSslAuthenticationTestCase#testOneWaySslOverSSLv3Jms -pl tests-eap7 -am
Test details:
server supports TLSv1.1
<server-ssl-contexts> <server-ssl-context name="server-ssl-context" protocols="TLSv1.1" need-client-auth="false" key-manager="key-manager-name_server-ssl-context"/> </server-ssl-contexts>
client is forced (byteman rule) to use the SSLv3
Actual:
Connection is made.
Expected:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Attachments
Issue Links
- incorporates
-
-
- Verified
-
- is caused by
-
-
- Closed
-
