ActiveMQ / AMQ-3508

SSL and TLS - Support list of included and excluded protocols

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.6.0
    • Fix Version/s: 5.6.0
    • Component/s: Connector, Transport
    • Labels: None
    • Environment: JDK7, RHEL5

      Description

      On September 19, 2011 an exploit of a vulnerability in SSL 3.0 and TLS
      1.0 (and below) was demonstrated that allows an attacker to decrypt
      communications between 2 parties. The demonstration was against a
      PayPal authentication cookie, which took 10 minutes to decipher with
      the aid of a packet sniffer and some hostile JavaScript running in the
      browser.

      http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

      While TLS 1.1 and 1.2 are not vulnerable, these versions are not yet
      commonly available in browsers and JVMs. Java 6 currently only
      supports TLS 1.0, while Java 7 supports TLS 1.1 and 1.2. It has not
      yet been announced if a TLS 1.1 provider will be made available for
      Java 6. As of recently, the browser support for TLS can be seen at
      http://en.wikipedia.org/wiki/Transport_Layer_Security#Browser_implementations.
      Google Chrome has already announced imminent support for 1.2 and it
      is expected that the other browsers will follow shortly (see
      http://www.theregister.co.uk/2011/09/21/google_chrome_patch_for_beast/).

      Jetty, when used with its default configuration of SSL, will use the
      highest common version of TLS available that is shared by the browsers
      and JVM. Thus if Jetty is running on Java 7 today, it will
      automatically use TLS 1.1 or 1.2 if it is available in the browser.
      However, there is currently no mechanism to disable protocol versions
      within Jetty (unless they are disabled in the JVM).

      Jetty-7.5.2-SNAPSHOT has now been modified to support lists of
      included and excluded protocols in the configuration of the
      SslContextFactory class used to configure SSL clients and server
      connectors. This will allow TLS 1.0 to be excluded once clients that
      support it are widely deployed. A stable release of 7.5.2 will be
      available next week.

      We strongly recommend that you upgrade your systems (browsers and
      JVMs) to support TLS 1.1 or later. For Jetty servers, this currently
      means running on Java 7. Until TLS 1.1 is widely available in
      browsers, it is recommended that you evaluate the risks of continuing
      to provide your services over SSL and TLS.

      regards
      _______________________________________________
      jetty-announce mailing list
      jetty-announce@eclipse.org
      https://dev.eclipse.org/mailman/listinfo/jetty-announce
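The include/exclude protocol lists the announcement describes, as an added example that is not part of this issue, of the quoted announcement, or of Jetty's or ActiveMQ's own code. It uses only standard JSSE (`javax.net.ssl`), so it runs on any JDK without Jetty on the classpath; the `effectiveProtocols` helper, its precedence rule (an empty include list means "everything supported", and the exclude list always wins) and the sample policy lists are assumptions made for illustration, not a statement of how Jetty's SslContextFactory resolves its own lists.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class ProtocolPolicyDemo {

    /**
     * Filters the protocol names the JVM supports through an include list and
     * an exclude list (assumed semantics for this demo): an empty include list
     * means "everything supported", otherwise only the listed names survive;
     * the exclude list is then removed unconditionally, so it wins over the
     * include list. The JVM's ordering of the supported list is preserved.
     */
    static String[] effectiveProtocols(String[] supported, String[] include, String[] exclude) {
        Set<String> included = new LinkedHashSet<String>(Arrays.asList(include));
        Set<String> excluded = new LinkedHashSet<String>(Arrays.asList(exclude));
        Set<String> enabled = new LinkedHashSet<String>();
        for (String protocol : supported) {
            boolean wanted = included.isEmpty() || included.contains(protocol);
            if (wanted && !excluded.contains(protocol)) {
                enabled.add(protocol);
            }
        }
        if (enabled.isEmpty()) {
            // On a JVM whose only TLS version is 1.0 (Java 6), excluding TLSv1
            // leaves nothing to negotiate. Fail at startup, where the operator
            // sees it, rather than at the first client handshake.
            throw new IllegalStateException("no protocol left after include/exclude; supported="
                    + Arrays.toString(supported));
        }
        return enabled.toArray(new String[enabled.size()]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();

        // Sample policy (constructed for this demo): keep whatever the JVM supports
        // except the versions the announcement flags, SSL 3.0 and TLS 1.0.
        // "SSLv2Hello" is the JSSE pseudo-protocol for the SSLv2-compatible client
        // hello format; dropping it removes no TLS version.
        String[] include = new String[0];
        String[] exclude = {"SSLv2Hello", "SSLv3", "TLSv1"};

        String[] enabled = effectiveProtocols(supported, include, exclude);

        // Apply the result to a plain JSSE server socket, the same per-socket
        // setting a servlet container ends up calling for its HTTPS connector.
        // Port 0 lets the OS pick a free port; no key material is needed just to
        // create the socket and inspect its protocol settings.
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0);
        server.setEnabledProtocols(enabled);
        System.out.println("Supported by JVM: " + Arrays.toString(supported));
        System.out.println("Enabled on socket: " + Arrays.toString(server.getEnabledProtocols()));
        server.close();
    }
}
```

On Java 7 the enabled list that remains contains TLSv1.1 and TLSv1.2; on Java 6, where TLSv1 is the only TLS version the JVM offers, the helper throws before any socket is configured, which is the practical content of the announcement's "this currently means running on Java 7". The same helper applies to the client side of an SSL transport connector: excluding a version there refuses to speak it even when the server offers it.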

      Attachments: AMQ-3508.txt (30 kB, Timothy Bish)

          Activity

          Gary Tully added a comment -

          lets upgrade for 5.6

          Timothy Bish added a comment -

          It appears that the 7.5.2 API breaks the activemq-optional code pretty good, will need some work to upgrade to the newer API.

          Timothy Bish added a comment -

          Patch to the code in activemq-optional for upgrade to Jetty v7.5.2. The update breaks the admin console though. Probably needs updates to the configuration files.

          Timothy Bish added a comment -

          Updated to the latest version that doesn't break the Web Console 7.5.1.

          Timothy Bish added a comment -

          Jetty is now at v7.6.1

            People

            • Assignee: Gary Tully
            • Reporter: Fengming Lou
