You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@activemq.apache.org by "Shrisha Chandrashekar (JIRA)" <ji...@apache.org> on 2009/09/11 07:43:12 UTC
[jira] Created: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
The activeMQ port supports low and medium strength ciphers
-----------------------------------------------------------
Key: AMQ-2384
URL: https://issues.apache.org/activemq/browse/AMQ-2384
Project: ActiveMQ
Issue Type: Bug
Components: Connector
Affects Versions: 5.2.0
Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
Reporter: Shrisha Chandrashekar
Fix For: 5.3.0
On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
Posted by "Phil Pickett (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=58396#action_58396 ]
Phil Pickett commented on AMQ-2384:
-----------------------------------
Is this the correct way to set the SSL enabledCipherSuites with this patch applied?
<transportConnectors>
<transportConnector name="openwire" uri="ssl://0.0.0.0:61616?transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"/>
</transportConnectors>
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Fix For: 5.4.0
>
> Attachments: setSslSocketOptions.patch
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
Posted by "Michael Chen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=60565#action_60565 ]
Michael Chen commented on AMQ-2384:
-----------------------------------
David and Gary,
I need to backport this fix to 5.3.2, but I can only see IntrospectionSupport.java and StringArrayEditor.java changes in the trunk. The SslTransportServer.java change attached by Phil (SSLEnableCiphers.patch) is not in the trunk.
What are the changes beside those former two?
Thanks
--Michael
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Assignee: Gary Tully
> Fix For: 5.4.0
>
> Attachments: setSslSocketOptions.patch, SSLEnableCiphers.patch
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Reopened: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
Posted by "David Jencks (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Jencks reopened AMQ-2384:
-------------------------------
The change introduces a pretty hard dependency on spring classes, otherwise unnecessary to run amq (geronimo is running amq under aries bluerpint). Geronimo has some code that produces a StringArrayEditor, I'll look into porting it.
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Assignee: Gary Tully
> Fix For: 5.4.0
>
> Attachments: setSslSocketOptions.patch, SSLEnableCiphers.patch
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
Posted by "Gary Tully (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=54240#action_54240 ]
Gary Tully commented on AMQ-2384:
---------------------------------
if introspection support can deal with a string[], uri parameters of the form "socket.xxx" could do it on the server url to set the enabled cipher suites on an ssl socket. Configuration of the tls layer could also achieve this.
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Fix For: 5.3.0
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
Posted by "Phil Pickett (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=58454#action_58454 ]
Phil Pickett commented on AMQ-2384:
-----------------------------------
Gary - Have I enabled the CipherSuites correctly with the URI shown above? It seems to match the test case. Thanks, Phil
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Fix For: 5.4.0
>
> Attachments: setSslSocketOptions.patch
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
Posted by "Gary Tully (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gary Tully updated AMQ-2384:
----------------------------
Attachment: setSslSocketOptions.patch
this is a patch that makes an effort to get setting ssl options via ?transport.XX options but there is a problem with permissions on it atm
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Fix For: 5.4.0
>
> Attachments: setSslSocketOptions.patch
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
Posted by "Phil Pickett (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Phil Pickett updated AMQ-2384:
------------------------------
Attachment: SSLEnableCiphers.patch
ActiveMQ 5.3 based patch to implement transport's enabledCipherSuites option
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Fix For: 5.4.0
>
> Attachments: setSslSocketOptions.patch, SSLEnableCiphers.patch
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
Posted by "Phil Pickett (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=58565#action_58565 ]
Phil Pickett commented on AMQ-2384:
-----------------------------------
Gary, I've added a couple mods to the SslTransportServer.java class and created a new 5.3-based patch (SSLEnableCiphers.patch) containing these along your changes. With the resulting activemq-core-5.3.0.jar and transportConnect:
<transportConnector name="openwire" uri="ssl://0.0.0.0:61616?transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"/>
I am able to disable low ciphers.
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Fix For: 5.4.0
>
> Attachments: setSslSocketOptions.patch, SSLEnableCiphers.patch
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Resolved: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
Posted by "Gary Tully (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gary Tully resolved AMQ-2384.
-----------------------------
Resolution: Fixed
applied some changes in r929618 to support this so that it will make 5.4
Phil, I did not apply your patch directly but went back to why the introspector was not working and there was a simple fix to ensure we did not reference the internal tls impl class for reflection. With that change, it is possible to set arbitrary options on SSLServerSocket via transportOptions and with the properties editor to pass a string array argument.
I added some test that demonstrate. Thanks for your work on this and the patch, it helped :-)
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Assignee: Gary Tully
> Fix For: 5.4.0
>
> Attachments: setSslSocketOptions.patch, SSLEnableCiphers.patch
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Issue Comment Edited: (AMQ-2384) The activeMQ port supports
low and medium strength ciphers
Posted by "Phil Pickett (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=58566#action_58566 ]
Phil Pickett edited comment on AMQ-2384 at 3/30/10 7:55 PM:
------------------------------------------------------------
ActiveMQ 5.3 based patch to implement transport's enabledCipherSuites option.
My activemq.xml is standard for 5.3 with the following additions:
<amq:sslContext>
<amq:sslContext
protocol="SSLv3"
keyStore="file:${activemq.base}/SSL/broker.ks" keyStorePassword="changeit"
trustStore="file:${activemq.base}/SSL/client.ts" trustStorePassword="changeit"/>
</amq:sslContext>
-- and --
<transportConnectors>
<transportConnector name="openwire" uri="ssl://0.0.0.0:61616?transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"/>
</transportConnectors>
My goal was to disable low ciphers as documented here for Tomcat:
http://www.cpug.org/forums/check-point-utm-1-appliances/11716-pci-vulnerability-assessment-report-utm-1-total-security-570-a.html
To test this, I used the ssl-cipher-check.pl script from http://www.unspecific.com/ssl/. With the above transport URI (and without the enabledCipherSuites option and the patch) the script returns 22 total ciphers and 10 WEAK ciphers. With the patch and the option, the script returns 6 ciphers found. See output below.
Phil
[phil@fedora12 perl]$ ./ssl-cipher-check.pl localhost 61616
Testing localhost:61616
SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits
SSLv3:EDH-RSA-DES-CBC3-SHA - ENABLED - STRONG 168 bits
** SSLv3:EDH-RSA-DES-CBC-SHA - ENABLED - WEAK 56 bits **
SSLv3:DHE-RSA-AES128-SHA - ENABLED - STRONG 128 bits
SSLv3:DES-CBC3-SHA - ENABLED - STRONG 168 bits
SSLv3:RC4-SHA - ENABLED - STRONG 128 bits
** SSLv3:EXP-EDH-RSA-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** SSLv3:DES-CBC-SHA - ENABLED - WEAK 56 bits **
** SSLv3:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** SSLv3:EXP-DES-CBC-SHA - ENABLED - WEAK 40 bits **
SSLv3:AES128-SHA - ENABLED - STRONG 128 bits
TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits
TLSv1:EDH-RSA-DES-CBC3-SHA - ENABLED - STRONG 168 bits
** TLSv1:EDH-RSA-DES-CBC-SHA - ENABLED - WEAK 56 bits **
TLSv1:DHE-RSA-AES128-SHA - ENABLED - STRONG 128 bits
TLSv1:DES-CBC3-SHA - ENABLED - STRONG 168 bits
TLSv1:RC4-SHA - ENABLED - STRONG 128 bits
** TLSv1:EXP-EDH-RSA-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** TLSv1:DES-CBC-SHA - ENABLED - WEAK 56 bits **
** TLSv1:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** TLSv1:EXP-DES-CBC-SHA - ENABLED - WEAK 40 bits **
TLSv1:AES128-SHA - ENABLED - STRONG 128 bits
WARNING: Self Signed Certificate
*WARNING* 10 WEAK Ciphers Enabled.
Total Ciphers Enabled: 22
[phil@fedora12 perl]$ ./ssl-cipher-check.pl localhost 61616
Testing localhost:61616
SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits
SSLv3:EDH-RSA-DES-CBC3-SHA - ENABLED - STRONG 168 bits
SSLv3:RC4-SHA - ENABLED - STRONG 128 bits
TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits
TLSv1:EDH-RSA-DES-CBC3-SHA - ENABLED - STRONG 168 bits
TLSv1:RC4-SHA - ENABLED - STRONG 128 bits
WARNING: Self Signed Certificate
Total Ciphers Enabled: 6
was (Author: phil.pickett@springsource.com):
ActiveMQ 5.3 based patch to implement transport's enabledCipherSuites option
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Assignee: Gary Tully
> Fix For: 5.4.0
>
> Attachments: setSslSocketOptions.patch, SSLEnableCiphers.patch
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Resolved: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
Posted by "David Jencks (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Jencks resolved AMQ-2384.
-------------------------------
Resolution: Fixed
Adapted geronimo code for StringArrayEditor in rev 930041.
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Assignee: Gary Tully
> Fix For: 5.4.0
>
> Attachments: setSslSocketOptions.patch, SSLEnableCiphers.patch
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Issue Comment Edited: (AMQ-2384) The activeMQ port supports
low and medium strength ciphers
Posted by "Gary Tully (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=60595#action_60595 ]
Gary Tully edited comment on AMQ-2384 at 7/12/10 5:33 AM:
----------------------------------------------------------
There are no more changes required. That is it, http://fisheye6.atlassian.com/changelog/activemq?cs=929618 and 930041
Note the test /activemq/trunk/activemq-core/src/test/java/org/apache/activemq/transport/tcp/SslBrokerServiceTest.java that will show that it works.
was (Author: gtully):
There are no more changes required. That is it, http://fisheye6.atlassian.com/changelog/activemq?cs=929618 and 930041
Not the test /activemq/trunk/activemq-core/src/test/java/org/apache/activemq/transport/tcp/SslBrokerServiceTest.java that will show that it works.
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Assignee: Gary Tully
> Fix For: 5.4.0
>
> Attachments: setSslSocketOptions.patch, SSLEnableCiphers.patch
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Assigned: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
Posted by "Gary Tully (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gary Tully reassigned AMQ-2384:
-------------------------------
Assignee: Gary Tully
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Assignee: Gary Tully
> Fix For: 5.4.0
>
> Attachments: setSslSocketOptions.patch, SSLEnableCiphers.patch
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
Posted by "Phil Pickett (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=58399#action_58399 ]
Phil Pickett commented on AMQ-2384:
-----------------------------------
Gary - That was operator error on my part. I assumed this was setup with a default of "das,ras" but was also configurable in the activemq.xml. I should have known better since I didn't see anything in the patch to allow that. I think I picked up exactly what was expected in my scan. I'll rebuild after setting my preferred cipher suites and check again.
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Fix For: 5.4.0
>
> Attachments: setSslSocketOptions.patch
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
Posted by "Shrisha Chandrashekar (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=58572#action_58572 ]
Shrisha Chandrashekar commented on AMQ-2384:
--------------------------------------------
Phil,
So will this fix be available with 5.4.0 ?
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Assignee: Gary Tully
> Fix For: 5.4.0
>
> Attachments: setSslSocketOptions.patch, SSLEnableCiphers.patch
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
Posted by "Gary Tully (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=60595#action_60595 ]
Gary Tully commented on AMQ-2384:
---------------------------------
There are no more changes required. That is it, http://fisheye6.atlassian.com/changelog/activemq?cs=929618 and 930041
Not the test /activemq/trunk/activemq-core/src/test/java/org/apache/activemq/transport/tcp/SslBrokerServiceTest.java that will show that it works.
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Assignee: Gary Tully
> Fix For: 5.4.0
>
> Attachments: setSslSocketOptions.patch, SSLEnableCiphers.patch
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
Posted by "Rob Davies (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rob Davies updated AMQ-2384:
----------------------------
Fix Version/s: (was: 5.3.0)
5.4.0
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Fix For: 5.4.0
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
Posted by "Gary Tully (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=58397#action_58397 ]
Gary Tully commented on AMQ-2384:
---------------------------------
The patch just allows list values to be passed as arguments, from the test in the patch, it looks like {code}return "ssl://localhost:0?transport.enabledCipherSuites=das,ras"{code} is what is expected.
The values are passed to http://java.sun.com/j2se/1.5.0/docs/api/javax/net/ssl/SSLSocket.html#setEnabledCipherSuites(java.lang.String[]) so they need to match whatever is returned from http://java.sun.com/j2se/1.5.0/docs/api/javax/net/ssl/SSLSocket.html#getEnabledCipherSuites()
What are you seeing?
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Fix For: 5.4.0
>
> Attachments: setSslSocketOptions.patch
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
Posted by "Shrisha Chandrashekar (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=54289#action_54289 ]
Shrisha Chandrashekar commented on AMQ-2384:
--------------------------------------------
Ya.. i tried specifying the ciphers as a uri parameter "socket.enabledCipherSuites" , by using comma separated strings , seems like this does not work. I dont think the introspection support can deal with String[]. We want to do this at the application level rather than at the system level so configuring the tls layer is not a good alternative. I feel we need to provide a tag for specifying the ciphers under the <TransportConnector> , but not sure if its the right way to do this.
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Fix For: 5.4.0
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
Posted by "Gary Tully (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=58455#action_58455 ]
Gary Tully commented on AMQ-2384:
---------------------------------
Phil, recall that I never got this patch to work completely, I got some weird permissions errors. The main bit of the patch was to allow lists to be set as properties. It may need some more work and some more tests. It was only intended as place holder for a 'good start' to a solution.
Gary.
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Fix For: 5.4.0
>
> Attachments: setSslSocketOptions.patch
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (AMQ-2384) The activeMQ port supports low and
medium strength ciphers
Posted by "Phil Pickett (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/activemq/browse/AMQ-2384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=58401#action_58401 ]
Phil Pickett commented on AMQ-2384:
-----------------------------------
Actually, I looked at the test case and modified my transport connector config in what I thought was the way to enable the ciphers I wanted with:
<transportConnector name="openwire" uri="ssl://0.0.0.0:61616?transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"/>
It looks to me when running an SSL scan that this is not being set. When I run a PCI scan against a similarly configured Tomcat instance I see the weak ciphers are disabled.
> The activeMQ port supports low and medium strength ciphers
> -----------------------------------------------------------
>
> Key: AMQ-2384
> URL: https://issues.apache.org/activemq/browse/AMQ-2384
> Project: ActiveMQ
> Issue Type: Bug
> Components: Connector
> Affects Versions: 5.2.0
> Environment: We are running the ActiveMQ 5.2.0 over a SLES 11 64 bit machine. In the configuration file activemq.xml there is no way to specify the supported ciphers.
> Reporter: Shrisha Chandrashekar
> Fix For: 5.4.0
>
> Attachments: setSslSocketOptions.patch
>
>
> On running a Tenable nessus scan against the machine where ActiveMQ is running, we see that the port 61616 , the TCP connector port accepts Low and Medium strength ciphers by default. This may be a security risk and therefore we need a way to specify which ciphers to support.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.