Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
None
-
None
-
None
-
Using ActiveMQ 5.9.0
Description
If you are using nio+ssl and try to set specific protocols (i.e. TLS and not SSLv3) for openwire and or stomp with ssl, NIO will ignore those settings and allow SSLv3 anyway.
Setting specific transport protocols for activemq in my activemq.xml file:
<transportConnectors> <transportConnector name="openwire" uri="nio+ssl://0.0.0.0:61616?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"> </transportConnector> <transportConnector name="stomp+ssl" uri="stomp+nio+ssl://0.0.0.0:61613?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"> </transportConnector>
After changing this, I restarted activemq to ensure that those protocols were set correctly.
With this setting in activemq.xml, activemq should not be able to do a successful SSLv3 handshake, however using s_connect with openssl, I am able to get activemq to respond with SSLv3:
###########
# command run: openssl s_client -ssl3 -connect hostname.com:61616
###########
###########
# this is what should be displayed
###########
CONNECTED(00000003)
139975367284552:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
139975367284552:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1414003656
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
###########
# this is what is actually shown
###########
CONNECTED(00000003)
depth=0 CN = puppetmaster.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = puppetmaster.local
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = puppetmaster.local
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=puppetmaster.local
i:/CN=Puppet CA generated on puppetmaster.local at 2014-10-22 11:20:52 -0700
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFyzCCA7OgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBRMU8wTQYDVQQDDEZQdXBw
ZXQgQ0EgZ2VuZXJhdGVkIG9uIHB1cHBldG1hc3Rlci5sb2NhbCBhdCAyMDE0LTEw
LTIyIDExOjIwOjUyIC0wNzAwMB4XDTE0MTAyMTE4MjA1N1oXDTE5MTAyMTE4MjA1
N1owHTEbMBkGA1UEAwwScHVwcGV0bWFzdGVyLmxvY2FsMIICIjANBgkqhkiG9w0B
AQEFAAOCAg8AMIICCgKCAgEAyehXPWPLEuNkvvl0PHbz5cIbg4i7v51P0FzYfxR7
sUt4455c4htfVpvEmWc1Ef5HD2MFViIAHorDMeGzNY2kAaX6xK2JVNhi8m8EJF7L
C0LncN59p/DIc5XBl6fFGu8FGaEZ1wvRSOyitcsWCk5Gk8Oi8w56/xV7WVJJ1Lch
PV62TZbKqDT8Ah/VcfIaCCWVCAB59/kIIGPJ8eI3aLdQv3f5h89ETiTr4yLtd1xm
z25qqPV2JZIh1yAGBCjBGsE6L41eyckZy9Tl1JZaDTRfOiXK6SkaK8NTNNbuXeQT
GkLusxpUL+FmisiH1ikazKZkyRuA0vMyQiakgUleVtACt4x+oLJ9askf5nx36wGu
HcU5kaIuy2d8cLq2CD+FKLOdH10+KiMlxCtHny4pY15LIzs3F1wjqoeLwpcoQwoM
57Qnef8UNV0sQGlp/HkSxnhDwXh5mrXGLkpi11glTx4CIs7Yz8s7yC1FCvw8/wAi
3oDrmSAgidZXKd0MT+PT+4PTDHbC+p2TG6noX+GnrAjhKFKWyw31ue9pUMX/X2Az
ExXiLFw2+zH+YsMNvHdTq4BM7G3s0tgQD3UQkWkDPk+0R3X14WDFTGUZ7oEb6Q+o
/R+SE8W/rEwRw/O2tE6Xq063DyB4EYI+bVojpwtqOwyCNkbbC5aNnraUWfuXMWJB
oqECAwEAAaOB4TCB3jA1BglghkgBhvhCAQ0EKFB1cHBldCBSdWJ5L09wZW5TU0wg
SW50ZXJuYWwgQ2VydGlmaWNhdGUwJQYDVR0RBB4wHIIGcHVwcGV0ghJwdXBwZXRt
YXN0ZXIubG9jYWwwDgYDVR0PAQH/BAQDAgWgMCAGA1UdJQEB/wQWMBQGCCsGAQUF
BwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQSS72jRveOqBkQ
TbLxTT2j5DWLPDAfBgNVHSMEGDAWgBRKtJ+dt+VxU6IwhHMYMAY78E7BOTANBgkq
hkiG9w0BAQsFAAOCAgEATFMfxi1jFbnvTxiArZrL0RsA2mgBoU3p6gYhthmBWfzz
7OscRacWx7CvBXGdKi3oc2uyNVIsazS30Yw5vcfoTqUAT9TdsDLMf10h9AYp15ut
K1ebZUc9OIf00+zF/IT/+CFXM9eKzgBxs6fKUKCKngI+kDYRD+h5qmAhUCeAAR9B
+3kb8UV064Nlmla+x4zOZBzb+VSMWKSet/Sv4pMHusX2+ICvy0cRwwKmaVTzQVDS
uTNlElYUM0xRXb10tS95j4S7MSYkKu2VHLD5F5LB8KxjhCcorwa323DnCQkywJLQ
3S1UUH3recjoLeD9Huj8+EL7uEvQdloRPbS/2cWFKkJgXYc5t7yC7Dp8qKNzTuNy
COp68xunNPHh/JcS3wo4F/H7t2ve5IFnca4H/kSvLQWOQzmLfOrNhkn6ZJkqqGMo
zf2LHVvJpfAUV6ezR1O0i70GR3YkNIijok14WMinDOXN98VLMp0j9zWm5aBF5Chg
zRFIvrvz/NbwMtawZ/QD/B+kOolfKCNku9xkQ6wrHj6GikH4GYwWzfTZmpaOE4GC
Dm8Axn5Ax+psLO10N4xwSxeB/zzygD4wDsQxP0kRg6lFIVQgfKmaJA07IcotCL9p
M4ugQDGnWAjzBRqbvh5x37dc15C8F3fluSxC4yq5jv0EVeXooZISigG6Sr3rhpE=
-----END CERTIFICATE-----
subject=/CN=puppetmaster.local
issuer=/CN=Puppet CA generated on puppetmaster.local at 2014-10-22 11:20:52 -0700
---
No client certificate CA names sent
---
SSL handshake has read 2474 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : DHE-RSA-AES256-SHA
Session-ID: 5447F9BA158D679AE17BAD85A384B43C5B1EE597F7F0AAC01418156FC9E08924
Session-ID-ctx:
Master-Key: 96B8081CB3EC675CF2CDD0546435760871491908C10E36E8ECA622155FFE4CAA0F851DC95F63C2C476727EDC985B2DD7
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1414003130
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
�ActiveMQ
�
MaxFrameSize������� CacheSize
CacheEnabledSizePrefixDisabled MaxInactivityDurationInitalDelay'TcpNoDelayEnabledMaxInactivityDurationu0TightEncodingEnabledStackTraceEnabled
Removing nio from both the stomp and openwire transport connector settings (and restarting activemq) actually removes the ability to talk over SSLv3 using the technique I posted before, however putting nio back in ignores those transport connector settings and allows SSLv3.