Uploaded image for project: 'ActiveMQ Classic'
  1. ActiveMQ Classic
  2. AMQ-4582

Specifying invalid ciphersuite in SSL transport causes all available ciphersuites to be enabled

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 5.8.0
    • 5.9.0
    • Broker
    • Linux 3.2.0-41-generic x86_64

    Description

      If you use an invalid cipher suite in the parameter "transport.enabledCipherSuites" on an SSL transport connector, the broker will start with all ciphers enabled.

      For example, use this transport connector:

      <transportConnectors>
      <transportConnector name="ssl" uri="ssl://localhost:61717?needClientAuth=true&transport.enabledCipherSuites=foobar"/>
      </transportConnectors>

      This is an attempt to enable the ciphersuite "foobar". The broker starts, and, in my environment I end up with 26 cipher suites enabled, 10 of which are generally considered weak.

      Using the debugger I tracked this down to the method org.apache.activemq.util.IntrospectionSupport.setProperty. It uses reflection to invoke SSLServerSocket.setEnabledCipherSuites. That method throws an IllegalArgumentException if the specified ciphersuite is enabled. IntrospectionSupport.setProperty catches the exception and returns false.

      I believe that this code should not be ignoring exceptions like this. This is a major security flaw: if a user is attempting to lock down ActiveMQ to a specific strong cipher suite, but makes a typo, the broker starts with with the ability to use weaker cipher suites.

      Attachments

        1. AMQ-4582.patch
          6 kB
          Kevin Anthony Earls

        Issue Links

          Activity

            People

              tabish Timothy A. Bish
              rhuffman Robert Huffman
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: