Details
Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Environment: Using ActiveMQ 5.9.0
Description
If you are using nio+ssl and try to set specific protocols (i.e., TLS and not SSLv3) for openwire and/or stomp with ssl, NIO will ignore those settings and allow SSLv3 anyway.
Setting specific transport protocols for ActiveMQ in my activemq.xml file:

    <transportConnectors>
        <!-- transport.enabledProtocols is meant to restrict the connector to the listed TLS versions -->
        <transportConnector name="openwire"
            uri="nio+ssl://0.0.0.0:61616?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2">
        </transportConnector>
        <transportConnector name="stomp+ssl"
            uri="stomp+nio+ssl://0.0.0.0:61613?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2">
        </transportConnector>
    </transportConnectors>

After changing this, I restarted ActiveMQ to ensure that those protocols were set correctly.
With this setting in activemq.xml, ActiveMQ should not be able to complete a successful SSLv3 handshake; however, using openssl s_client, I am able to get ActiveMQ to respond with SSLv3:
Command run:

    openssl s_client -ssl3 -connect hostname.com:61616

This is what should be displayed:

    CONNECTED(00000003)
    139975367284552:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
    139975367284552:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 0 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1414003656
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---

This is what is actually shown:

    CONNECTED(00000003)
    depth=0 CN = puppetmaster.local
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 CN = puppetmaster.local
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 CN = puppetmaster.local
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/CN=puppetmaster.local
       i:/CN=Puppet CA generated on puppetmaster.local at 2014-10-22 11:20:52 -0700
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFyzCCA7OgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBRMU8wTQYDVQQDDEZQdXBw
    ZXQgQ0EgZ2VuZXJhdGVkIG9uIHB1cHBldG1hc3Rlci5sb2NhbCBhdCAyMDE0LTEw
    LTIyIDExOjIwOjUyIC0wNzAwMB4XDTE0MTAyMTE4MjA1N1oXDTE5MTAyMTE4MjA1
    N1owHTEbMBkGA1UEAwwScHVwcGV0bWFzdGVyLmxvY2FsMIICIjANBgkqhkiG9w0B
    AQEFAAOCAg8AMIICCgKCAgEAyehXPWPLEuNkvvl0PHbz5cIbg4i7v51P0FzYfxR7
    sUt4455c4htfVpvEmWc1Ef5HD2MFViIAHorDMeGzNY2kAaX6xK2JVNhi8m8EJF7L
    C0LncN59p/DIc5XBl6fFGu8FGaEZ1wvRSOyitcsWCk5Gk8Oi8w56/xV7WVJJ1Lch
    PV62TZbKqDT8Ah/VcfIaCCWVCAB59/kIIGPJ8eI3aLdQv3f5h89ETiTr4yLtd1xm
    z25qqPV2JZIh1yAGBCjBGsE6L41eyckZy9Tl1JZaDTRfOiXK6SkaK8NTNNbuXeQT
    GkLusxpUL+FmisiH1ikazKZkyRuA0vMyQiakgUleVtACt4x+oLJ9askf5nx36wGu
    HcU5kaIuy2d8cLq2CD+FKLOdH10+KiMlxCtHny4pY15LIzs3F1wjqoeLwpcoQwoM
    57Qnef8UNV0sQGlp/HkSxnhDwXh5mrXGLkpi11glTx4CIs7Yz8s7yC1FCvw8/wAi
    3oDrmSAgidZXKd0MT+PT+4PTDHbC+p2TG6noX+GnrAjhKFKWyw31ue9pUMX/X2Az
    ExXiLFw2+zH+YsMNvHdTq4BM7G3s0tgQD3UQkWkDPk+0R3X14WDFTGUZ7oEb6Q+o
    /R+SE8W/rEwRw/O2tE6Xq063DyB4EYI+bVojpwtqOwyCNkbbC5aNnraUWfuXMWJB
    oqECAwEAAaOB4TCB3jA1BglghkgBhvhCAQ0EKFB1cHBldCBSdWJ5L09wZW5TU0wg
    SW50ZXJuYWwgQ2VydGlmaWNhdGUwJQYDVR0RBB4wHIIGcHVwcGV0ghJwdXBwZXRt
    YXN0ZXIubG9jYWwwDgYDVR0PAQH/BAQDAgWgMCAGA1UdJQEB/wQWMBQGCCsGAQUF
    BwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQSS72jRveOqBkQ
    TbLxTT2j5DWLPDAfBgNVHSMEGDAWgBRKtJ+dt+VxU6IwhHMYMAY78E7BOTANBgkq
    hkiG9w0BAQsFAAOCAgEATFMfxi1jFbnvTxiArZrL0RsA2mgBoU3p6gYhthmBWfzz
    7OscRacWx7CvBXGdKi3oc2uyNVIsazS30Yw5vcfoTqUAT9TdsDLMf10h9AYp15ut
    K1ebZUc9OIf00+zF/IT/+CFXM9eKzgBxs6fKUKCKngI+kDYRD+h5qmAhUCeAAR9B
    +3kb8UV064Nlmla+x4zOZBzb+VSMWKSet/Sv4pMHusX2+ICvy0cRwwKmaVTzQVDS
    uTNlElYUM0xRXb10tS95j4S7MSYkKu2VHLD5F5LB8KxjhCcorwa323DnCQkywJLQ
    3S1UUH3recjoLeD9Huj8+EL7uEvQdloRPbS/2cWFKkJgXYc5t7yC7Dp8qKNzTuNy
    COp68xunNPHh/JcS3wo4F/H7t2ve5IFnca4H/kSvLQWOQzmLfOrNhkn6ZJkqqGMo
    zf2LHVvJpfAUV6ezR1O0i70GR3YkNIijok14WMinDOXN98VLMp0j9zWm5aBF5Chg
    zRFIvrvz/NbwMtawZ/QD/B+kOolfKCNku9xkQ6wrHj6GikH4GYwWzfTZmpaOE4GC
    Dm8Axn5Ax+psLO10N4xwSxeB/zzygD4wDsQxP0kRg6lFIVQgfKmaJA07IcotCL9p
    M4ugQDGnWAjzBRqbvh5x37dc15C8F3fluSxC4yq5jv0EVeXooZISigG6Sr3rhpE=
    -----END CERTIFICATE-----
    subject=/CN=puppetmaster.local
    issuer=/CN=Puppet CA generated on puppetmaster.local at 2014-10-22 11:20:52 -0700
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2474 bytes and written 322 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: 5447F9BA158D679AE17BAD85A384B43C5B1EE597F7F0AAC01418156FC9E08924
        Session-ID-ctx:
        Master-Key: 96B8081CB3EC675CF2CDD0546435760871491908C10E36E8ECA622155FFE4CAA0F851DC95F63C2C476727EDC985B2DD7
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1414003130
        Timeout   : 7200 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---
    [binary OpenWire WireFormatInfo frame sent by the broker, printable fragments only:]
    ActiveMQ MaxFrameSize CacheSize CacheEnabled SizePrefixDisabled MaxInactivityDurationInitalDelay TcpNoDelayEnabled MaxInactivityDuration TightEncodingEnabled StackTraceEnabled
Removing nio from both the stomp and openwire transport connector settings (and restarting ActiveMQ) actually removes the ability to talk over SSLv3 using the technique I posted before; however, putting nio back in ignores those transport connector settings and allows SSLv3.
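The check the reporter ran depends on an OpenSSL build that still supports `-ssl3`, which OpenSSL 1.1.0 and later do not ship by default. The script below is an added example (not part of the bug report and not ActiveMQ code) that performs the same test without OpenSSL: it hand-builds a minimal ClientHello at each SSL/TLS version, sends it to the broker port, and classifies the first record that comes back as a ServerHello (version accepted), an alert (version refused, e.g. the "alert number 40" handshake_failure the reporter expected), or a closed connection. The host and port are command-line assumptions, and all function names are mine.

```python
"""Probe which SSL/TLS versions a server will negotiate, using a hand-built ClientHello.

Added example for the ActiveMQ enabledProtocols report; not the reporter's or the project's code.
Assumptions: target host/port are given on the command line; function names are illustrative.
"""
import os
import socket
import struct
import sys
import time

# Record-layer / hello version bytes: SSLv3 is 3.0, TLS 1.0 to 1.2 are 3.1 to 3.3.
PROTOCOL_VERSIONS = {
    "SSLv3": (3, 0),
    "TLSv1": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
}

# Cipher suites offered: DHE-RSA-AES256-SHA (the one the broker picked in the report),
# AES256-SHA, AES128-SHA and DES-CBC3-SHA. All are legal under SSLv3 and TLS 1.x.
CIPHER_SUITES = (0x0039, 0x0035, 0x002F, 0x000A)

# Alert descriptions a server typically uses to refuse the offered version.
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}


def build_client_hello(version, cipher_suites=CIPHER_SUITES):
    """Return one TLS record carrying a minimal ClientHello for the (major, minor) version."""
    major, minor = version
    client_random = struct.pack(">I", int(time.time())) + os.urandom(28)
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body = (
        bytes([major, minor])                          # client_version
        + client_random                                # 32-byte random
        + b"\x00"                                      # session_id length 0
        + struct.pack(">H", len(suites)) + suites      # cipher_suites vector
        + b"\x01\x00"                                  # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + bytes([major, minor]) + struct.pack(">H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returns after a ClientHello.

    ("accepted", (major, minor)) for a ServerHello carrying the chosen version,
    ("rejected", alert_description) for an alert record, ("closed", None) if the
    peer hung up without answering, otherwise ("unknown", None).
    """
    if not data:
        return ("closed", None)
    if len(data) < 5:
        return ("unknown", None)
    content_type = data[0]
    length = struct.unpack(">H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == 0x15 and len(payload) >= 2:          # alert: level, description
        return ("rejected", payload[1])
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:   # server_hello
        return ("accepted", (payload[4], payload[5]))       # server_version after 4-byte header
    return ("unknown", None)


def probe(host, port, version, timeout=5.0):
    """Send a single ClientHello at the given version to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_response(reply)


def version_name(version):
    """Map (major, minor) back to a protocol name; falls back to 'major.minor'."""
    return next((n for n, v in PROTOCOL_VERSIONS.items() if v == version), "%d.%d" % version)


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])      # e.g. the broker host and 61616
    for name, ver in PROTOCOL_VERSIONS.items():
        outcome, detail = probe(host, port, ver)
        if outcome == "accepted":
            print("%-8s accepted (server chose %s)" % (name, version_name(detail)))
        elif outcome == "rejected":
            print("%-8s rejected (alert %d %s)" % (name, detail, ALERT_NAMES.get(detail, "")))
        else:
            print("%-8s %s" % (name, outcome))
```

Run it as `python3 probe.py broker.example 61616` against each connector; with enabledProtocols honoured, the SSLv3 row must come back rejected or closed, and a ServerHello on that row reproduces the behaviour reported above. Because the probe offers only SSLv3-era cipher suites and no extensions, it exercises exactly the downgrade path a legacy client would take.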