ActiveMQ / AMQ-5407

TransportConnector nio+ssl ignores transport.enabledProtocols settings


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.11.0
    • Component/s: None
    • Labels: None
    • Environment: Using ActiveMQ 5.9.0

      Description

      If you are using nio+ssl and try to set specific protocols (i.e. TLS and not SSLv3) for OpenWire and/or STOMP with SSL, NIO will ignore those settings and allow SSLv3 anyway.

      Setting specific transport protocols for ActiveMQ in my activemq.xml file:

      <transportConnectors>
          <transportConnector name="openwire" uri="nio+ssl://0.0.0.0:61616?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2">
          </transportConnector>
          <transportConnector name="stomp+ssl" uri="stomp+nio+ssl://0.0.0.0:61613?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2">
          </transportConnector>
      </transportConnectors>


      After changing this, I restarted ActiveMQ to ensure that those protocols were set correctly.

      With this setting in activemq.xml, ActiveMQ should not be able to do a successful SSLv3 handshake; however, using s_client with openssl, I am able to get ActiveMQ to respond with SSLv3:

      ###########
      # command run: openssl s_client -ssl3 -connect hostname.com:61616
      ###########
      
      ###########
      # this is what should be displayed
      ###########
      CONNECTED(00000003)
      139975367284552:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
      139975367284552:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
      ---
      no peer certificate available
      ---
      No client certificate CA names sent
      ---
      SSL handshake has read 7 bytes and written 0 bytes
      ---
      New, (NONE), Cipher is (NONE)
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE
      SSL-Session:
          Protocol  : SSLv3
          Cipher    : 0000
          Session-ID:
          Session-ID-ctx:
          Master-Key:
          Key-Arg   : None
          Krb5 Principal: None
          PSK identity: None
          PSK identity hint: None
          Start Time: 1414003656
          Timeout   : 7200 (sec)
          Verify return code: 0 (ok)
      ---
      ###########
      # this is what is actually shown
      ###########
      
      
      CONNECTED(00000003)
      depth=0 CN = puppetmaster.local
      verify error:num=20:unable to get local issuer certificate
      verify return:1
      depth=0 CN = puppetmaster.local
      verify error:num=27:certificate not trusted
      verify return:1
      depth=0 CN = puppetmaster.local
      verify error:num=21:unable to verify the first certificate
      verify return:1
      ---
      Certificate chain
       0 s:/CN=puppetmaster.local
         i:/CN=Puppet CA generated on puppetmaster.local at 2014-10-22 11:20:52 -0700
      ---
      Server certificate
      -----BEGIN CERTIFICATE-----
      MIIFyzCCA7OgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBRMU8wTQYDVQQDDEZQdXBw
      ZXQgQ0EgZ2VuZXJhdGVkIG9uIHB1cHBldG1hc3Rlci5sb2NhbCBhdCAyMDE0LTEw
      LTIyIDExOjIwOjUyIC0wNzAwMB4XDTE0MTAyMTE4MjA1N1oXDTE5MTAyMTE4MjA1
      N1owHTEbMBkGA1UEAwwScHVwcGV0bWFzdGVyLmxvY2FsMIICIjANBgkqhkiG9w0B
      AQEFAAOCAg8AMIICCgKCAgEAyehXPWPLEuNkvvl0PHbz5cIbg4i7v51P0FzYfxR7
      sUt4455c4htfVpvEmWc1Ef5HD2MFViIAHorDMeGzNY2kAaX6xK2JVNhi8m8EJF7L
      C0LncN59p/DIc5XBl6fFGu8FGaEZ1wvRSOyitcsWCk5Gk8Oi8w56/xV7WVJJ1Lch
      PV62TZbKqDT8Ah/VcfIaCCWVCAB59/kIIGPJ8eI3aLdQv3f5h89ETiTr4yLtd1xm
      z25qqPV2JZIh1yAGBCjBGsE6L41eyckZy9Tl1JZaDTRfOiXK6SkaK8NTNNbuXeQT
      GkLusxpUL+FmisiH1ikazKZkyRuA0vMyQiakgUleVtACt4x+oLJ9askf5nx36wGu
      HcU5kaIuy2d8cLq2CD+FKLOdH10+KiMlxCtHny4pY15LIzs3F1wjqoeLwpcoQwoM
      57Qnef8UNV0sQGlp/HkSxnhDwXh5mrXGLkpi11glTx4CIs7Yz8s7yC1FCvw8/wAi
      3oDrmSAgidZXKd0MT+PT+4PTDHbC+p2TG6noX+GnrAjhKFKWyw31ue9pUMX/X2Az
      ExXiLFw2+zH+YsMNvHdTq4BM7G3s0tgQD3UQkWkDPk+0R3X14WDFTGUZ7oEb6Q+o
      /R+SE8W/rEwRw/O2tE6Xq063DyB4EYI+bVojpwtqOwyCNkbbC5aNnraUWfuXMWJB
      oqECAwEAAaOB4TCB3jA1BglghkgBhvhCAQ0EKFB1cHBldCBSdWJ5L09wZW5TU0wg
      SW50ZXJuYWwgQ2VydGlmaWNhdGUwJQYDVR0RBB4wHIIGcHVwcGV0ghJwdXBwZXRt
      YXN0ZXIubG9jYWwwDgYDVR0PAQH/BAQDAgWgMCAGA1UdJQEB/wQWMBQGCCsGAQUF
      BwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQSS72jRveOqBkQ
      TbLxTT2j5DWLPDAfBgNVHSMEGDAWgBRKtJ+dt+VxU6IwhHMYMAY78E7BOTANBgkq
      hkiG9w0BAQsFAAOCAgEATFMfxi1jFbnvTxiArZrL0RsA2mgBoU3p6gYhthmBWfzz
      7OscRacWx7CvBXGdKi3oc2uyNVIsazS30Yw5vcfoTqUAT9TdsDLMf10h9AYp15ut
      K1ebZUc9OIf00+zF/IT/+CFXM9eKzgBxs6fKUKCKngI+kDYRD+h5qmAhUCeAAR9B
      +3kb8UV064Nlmla+x4zOZBzb+VSMWKSet/Sv4pMHusX2+ICvy0cRwwKmaVTzQVDS
      uTNlElYUM0xRXb10tS95j4S7MSYkKu2VHLD5F5LB8KxjhCcorwa323DnCQkywJLQ
      3S1UUH3recjoLeD9Huj8+EL7uEvQdloRPbS/2cWFKkJgXYc5t7yC7Dp8qKNzTuNy
      COp68xunNPHh/JcS3wo4F/H7t2ve5IFnca4H/kSvLQWOQzmLfOrNhkn6ZJkqqGMo
      zf2LHVvJpfAUV6ezR1O0i70GR3YkNIijok14WMinDOXN98VLMp0j9zWm5aBF5Chg
      zRFIvrvz/NbwMtawZ/QD/B+kOolfKCNku9xkQ6wrHj6GikH4GYwWzfTZmpaOE4GC
      Dm8Axn5Ax+psLO10N4xwSxeB/zzygD4wDsQxP0kRg6lFIVQgfKmaJA07IcotCL9p
      M4ugQDGnWAjzBRqbvh5x37dc15C8F3fluSxC4yq5jv0EVeXooZISigG6Sr3rhpE=
      -----END CERTIFICATE-----
      subject=/CN=puppetmaster.local
      issuer=/CN=Puppet CA generated on puppetmaster.local at 2014-10-22 11:20:52 -0700
      ---
      No client certificate CA names sent
      ---
      SSL handshake has read 2474 bytes and written 322 bytes
      ---
      New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
      Server public key is 4096 bit
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      SSL-Session:
          Protocol  : SSLv3
          Cipher    : DHE-RSA-AES256-SHA
          Session-ID: 5447F9BA158D679AE17BAD85A384B43C5B1EE597F7F0AAC01418156FC9E08924
          Session-ID-ctx:
          Master-Key: 96B8081CB3EC675CF2CDD0546435760871491908C10E36E8ECA622155FFE4CAA0F851DC95F63C2C476727EDC985B2DD7
          Key-Arg   : None
          Krb5 Principal: None
          PSK identity: None
          PSK identity hint: None
          Start Time: 1414003130
          Timeout   : 7200 (sec)
          Verify return code: 21 (unable to verify the first certificate)
      ---
      [binary OpenWire WireFormatInfo frame sent by the broker over the SSLv3 session; the readable parts are the magic string "ActiveMQ" followed by the option names MaxFrameSize, CacheSize, CacheEnabled, SizePrefixDisabled, MaxInactivityDurationInitalDelay, TcpNoDelayEnabled, MaxInactivityDuration, TightEncodingEnabled and StackTraceEnabled; non-printable bytes omitted]
      

      Removing nio from both the stomp and openwire transport connector settings (and restarting ActiveMQ) actually removes the ability to talk over SSLv3 using the technique I posted before; however, putting nio back in ignores those transport connector settings and allows SSLv3.
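A scripted form of the probe the reporter ran by hand, added here as an example and not code from the original report or from the ActiveMQ project: it invokes `openssl s_client` once per SSL/TLS version, classifies each attempt from the `SSL-Session` block (a refused handshake still prints the block, but with `Cipher    : 0000`, while an accepted one names a real cipher, exactly the difference between the two outputs above), and flags any version the broker negotiated that is not in the `transport.enabledProtocols` list. The script name, host and port arguments, and the two embedded sample outputs (abbreviated from the report's own output) are constructed for illustration.

```python
#!/usr/bin/env python3
"""Probe a TLS listener (for instance an ActiveMQ nio+ssl connector) for each
SSL/TLS version and report which ones the server actually negotiates.

Added example: drives `openssl s_client` the way the report above does and
classifies the result from the SSL-Session block rather than the exit code.
"""
import re
import subprocess
import sys
from typing import Dict, Optional

# Flags understood by `openssl s_client`. A local OpenSSL built without SSLv3
# rejects -ssl3 with an "unknown option" error; that case is reported as
# "unsupported" so it is not mistaken for the server refusing SSLv3.
PROTOCOL_FLAGS = {
    "SSLv3": "-ssl3",
    "TLSv1": "-tls1",
    "TLSv1.1": "-tls1_1",
    "TLSv1.2": "-tls1_2",
}

_PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.MULTILINE)
_CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.MULTILINE)


def parse_s_client(output: str) -> Optional[str]:
    """Return 'PROTO/CIPHER' when s_client completed a handshake, else None.

    A refused handshake still prints an SSL-Session block, but with
    'Cipher    : 0000' (and 'New, (NONE), Cipher is (NONE)' above it).
    """
    proto = _PROTO_RE.search(output)
    cipher = _CIPHER_RE.search(output)
    if not proto or not cipher or cipher.group(1) in ("0000", "(NONE)"):
        return None
    return f"{proto.group(1)}/{cipher.group(1)}"


def probe(host: str, port: int, timeout: float = 10.0) -> Dict[str, str]:
    """Run s_client once per protocol flag. Each value is the negotiated
    'PROTO/CIPHER', or 'refused', 'unsupported' or 'error: ...'."""
    results: Dict[str, str] = {}
    for name, flag in PROTOCOL_FLAGS.items():
        cmd = ["openssl", "s_client", flag, "-connect", f"{host}:{port}"]
        try:
            # Empty stdin makes s_client exit right after the handshake
            # instead of waiting for interactive input.
            proc = subprocess.run(cmd, input=b"", capture_output=True,
                                  timeout=timeout)
        except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
            results[name] = f"error: {type(exc).__name__}"
            continue
        # An OpenWire broker answers with a binary frame, so decode loosely.
        err = proc.stderr.decode("utf-8", errors="replace")
        out = proc.stdout.decode("utf-8", errors="replace") + err
        if "unknown option" in err.lower():
            results[name] = "unsupported"  # local openssl lacks this version
            continue
        results[name] = parse_s_client(out) or "refused"
    return results


def policy_violations(results: Dict[str, str], enabled) -> list:
    """Protocol versions the server negotiated although they are not in
    `enabled` (the value given to transport.enabledProtocols)."""
    negotiated = {p for p, r in results.items() if "/" in r}
    return sorted(negotiated - set(enabled))


# Constructed samples, abbreviated from the two s_client outputs in the report.
REFUSED_SAMPLE = """CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
"""
ACCEPTED_SAMPLE = """CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
"""

if __name__ == "__main__":
    # Usage (hypothetical host): probe_tls.py broker.example.com 61616 TLSv1,TLSv1.1,TLSv1.2
    host, port = sys.argv[1], int(sys.argv[2])
    enabled = set(sys.argv[3].split(",")) if len(sys.argv) > 3 else set()
    res = probe(host, port)
    for name, outcome in res.items():
        print(f"{name:8} {outcome}")
    bad = policy_violations(res, enabled)
    if bad:
        print("NOT ENFORCED:", ", ".join(bad))
        sys.exit(1)
```

Run it once per connector port (61616 for OpenWire, 61613 for STOMP here) after each configuration change; a non-zero exit means the listener negotiated a version outside the configured list, which is the symptom this issue describes for nio+ssl. The "unsupported" outcome matters on modern hosts: an OpenSSL without SSLv3 compiled in cannot tell you whether the broker still accepts it, so run the SSLv3 probe from a build that has it.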

      People

      • Assignee: Timothy A. Bish (tabish)
      • Reporter: Brian Cain (briancain)
      • Votes: 0
      • Watchers: 3
