Posted to issues@activemq.apache.org by "Gary Tully (Jira)" <ji...@apache.org> on 2021/01/05 13:59:00 UTC

[jira] [Commented] (ARTEMIS-3038) Investigate CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite

    [ https://issues.apache.org/jira/browse/ARTEMIS-3038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17258936#comment-17258936 ] 

Gary Tully commented on ARTEMIS-3038:
-------------------------------------

The first problem (and it may be sufficient) is that the [3DES_EDE_CBC|https://www.java.com/en/configure_crypto.html#3DESONTLS] cipher suite is disabled by default in the JDK, and this requires modifications to the java.security policy file property to enable via {{jdk.tls.disabledAlgorithms}}, which is not something we would want to do to our platform JDK installs going forward.

There is no other supported KRB5 TLS cipher suite that is considered secure that can be used as an alternative, and I don't think the KRB5 suites will get further updated. SASL provides a better way to encapsulate the KRB5 negotiation, albeit that it is only available on AMQP.

I think we can leave this ignored for now and delete this test in the next release. There is some further problem with the host name resolution, but I think that is related to DNS.

 

> Investigate CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite
> -----------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-3038
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3038
>             Project: ActiveMQ Artemis
>          Issue Type: Task
>            Reporter: Clebert Suconic
>            Assignee: Gary Tully
>            Priority: Major
>
> CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite is failing because of:
>  
> [https://www.oracle.com/security-alerts/poodlecve-2014-3566.html]
>  
> I set the test with an ignore .. until we investigate what we should do.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
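
A read-only way to confirm the state described in the comment on a given JDK, as an added example that is not ActiveMQ Artemis code and not part of the original message: it lists the {{jdk.tls.disabledAlgorithms}} entries that cover a KRB5 3DES suite and shows which KRB5 suites the default SSLContext still offers. The class name, the sample suite name (the standard RFC 2712 name, not taken from the issue) and the simplified token matching are assumptions; the JDK's own constraint matching is more involved.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added diagnostic (hypothetical class name); it reads settings and changes nothing.
public class Krb5SuiteCheck {
    // Standard RFC 2712 suite name, used as a sample; not taken from the issue.
    static final String SAMPLE = "TLS_KRB5_WITH_3DES_EDE_CBC_SHA";

    // Entries of jdk.tls.disabledAlgorithms, trimmed; empty if the property is unset.
    static List<String> disabledEntries() {
        String raw = Security.getProperty("jdk.tls.disabledAlgorithms");
        List<String> out = new ArrayList<>();
        if (raw == null) return out;
        for (String e : raw.split(",")) {
            if (!e.trim().isEmpty()) out.add(e.trim());
        }
        return out;
    }

    // Simplified match (assumption): the entry's algorithm name, i.e. the text
    // before any constraint such as "keySize < 1024", must appear in the suite
    // name on underscore boundaries, so "DES" does not match "3DES_EDE_CBC".
    static List<String> blockingEntries(String suite, List<String> disabled) {
        List<String> hits = new ArrayList<>();
        for (String entry : disabled) {
            String name = entry.split("\\s+")[0];
            if (("_" + suite + "_").contains("_" + name + "_")) hits.add(entry);
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        List<String> disabled = disabledEntries();
        System.out.println(SAMPLE + " blockedBy=" + blockingEntries(SAMPLE, disabled));
        SSLContext ctx = SSLContext.getDefault();
        List<String> enabled = Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());
        int seen = 0;
        for (String suite : ctx.getSupportedSSLParameters().getCipherSuites()) {
            if (!suite.contains("KRB5")) continue;
            seen++;
            System.out.printf("%s enabledByDefault=%b blockedBy=%s%n",
                    suite, enabled.contains(suite), blockingEntries(suite, disabled));
        }
        // Newer JDKs may not ship KRB5 suites at all, or may hide disabled ones.
        if (seen == 0) System.out.println("No KRB5 suites offered by the default SSLContext.");
    }
}
```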