HORNETQ-1444 Disallow SSLv3 for POODLE

GEBIT · Nov 11, 2014 · e9825f2 · e9825f2
1 parent 549aabd
commit e9825f2
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 0 deletions.
diff --git a/hornetq-server/src/main/java/org/hornetq/core/remoting/impl/netty/NettyAcceptor.java b/hornetq-server/src/main/java/org/hornetq/core/remoting/impl/netty/NettyAcceptor.java
@@ -19,8 +19,10 @@
 import java.net.SocketAddress;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
 import java.util.concurrent.ScheduledExecutorService;
@@ -394,6 +396,21 @@ public void initChannel(Channel channel) throws Exception
                   engine.setEnabledProtocols(originalProtocols);
                }
 
+               // Strip "SSLv3" from the current enabled protocols to address the POODLE exploit.
+               // This recommendation came from http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
+               String[] protocols = engine.getEnabledProtocols();
+               Set<String> set = new HashSet<>();
+               for (String s : protocols)
+               {
+                  if (s.equals("SSLv3") || s.equals("SSLv2Hello"))
+                  {
+                     HornetQServerLogger.LOGGER.disallowedProtocol(s);
+                     continue;
+                  }
+                  set.add(s);
+               }
+               engine.setEnabledProtocols(set.toArray(new String[0]));
+
                SslHandler handler = new SslHandler(engine);
 
                pipeline.addLast("ssl", handler);

diff --git a/hornetq-server/src/main/java/org/hornetq/core/server/HornetQServerLogger.java b/hornetq-server/src/main/java/org/hornetq/core/server/HornetQServerLogger.java
@@ -1106,6 +1106,12 @@ public interface HornetQServerLogger extends BasicLogger
          format = Message.Format.MESSAGE_FORMAT)
    void activateSharedStoreSlaveFailed(@Cause Throwable e);
 
+   @LogMessage(level = Logger.Level.WARN)
+   @Message(id = 222190,
+         value = "Disallowing use of vulnerable protocol: {0}. See http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html for more details.",
+         format = Message.Format.MESSAGE_FORMAT)
+   void disallowedProtocol(String protocol);
+
    @LogMessage(level = Logger.Level.ERROR)
    @Message(id = 224000, value = "Failure in initialisation", format = Message.Format.MESSAGE_FORMAT)
    void initializationError(@Cause Throwable e);

diff --git a/...on-tests/src/test/java/org/hornetq/tests/integration/ssl/CoreClientOverOneWaySSLTest.java b/...on-tests/src/test/java/org/hornetq/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
@@ -250,6 +250,29 @@ public void testOneWaySSLWithMismatchedProtocols() throws Exception
       }
    }
 
+   @Test
+   // http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
+   public void testPOODLE() throws Exception
+   {
+      createCustomSslServer(null, "SSLv3");
+      tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+      tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeType);
+      tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
+      tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
+      tc.getParams().put(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, "SSLv3");
+
+      ServerLocator locator = addServerLocator(HornetQClient.createServerLocatorWithoutHA(tc));
+      try
+      {
+         createSessionFactory(locator);
+         Assert.fail();
+      }
+      catch (HornetQNotConnectedException e)
+      {
+         Assert.assertTrue(true);
+      }
+   }
+
    @Test
    public void testOneWaySSLWithGoodClientCipherSuite() throws Exception
    {