Posted to commits@activemq.apache.org by ta...@apache.org on 2013/08/08 22:26:24 UTC
svn commit: r1512017 - in /activemq/trunk:
activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java
activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4582Test.java
Author: tabish
Date: Thu Aug 8 20:26:23 2013
New Revision: 1512017
URL: http://svn.apache.org/r1512017
Log:
fix for: https://issues.apache.org/jira/browse/AMQ-4582
treat bad enabledCipherSuites option as non-recoverable.
Added:
activemq/trunk/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4582Test.java (with props)
Modified:
activemq/trunk/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java
Modified: activemq/trunk/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java?rev=1512017&r1=1512016&r2=1512017&view=diff
==============================================================================
--- activemq/trunk/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java (original)
+++ activemq/trunk/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java Thu Aug 8 20:26:23 2013
@@ -33,6 +33,7 @@ import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ServerSocketFactory;
+import javax.net.ssl.SSLServerSocket;
import org.apache.activemq.Service;
import org.apache.activemq.ThreadPriorities;
@@ -151,6 +152,27 @@ public class TcpTransportServer extends
private void configureServerSocket(ServerSocket socket) throws SocketException {
socket.setSoTimeout(2000);
if (transportOptions != null) {
+
+ // If the enabledCipherSuites option is invalid we don't want to ignore it as the call
+ // to SSLServerSocket to configure it has a side effect on the socket rendering it
+ // useless as all suites are enabled many of which are considered as insecure. We
+ // instead trap that option here and throw an exception. We should really consider
+ // all invalid options as breaking and not start the transport but the current design
+ // doesn't really allow for this.
+ //
+ // see: https://issues.apache.org/jira/browse/AMQ-4582
+ //
+ if (socket instanceof SSLServerSocket) {
+ if (transportOptions.containsKey("enabledCipherSuites")) {
+ Object cipherSuites = transportOptions.remove("enabledCipherSuites");
+
+ if (!IntrospectionSupport.setProperty(socket, "enabledCipherSuites", cipherSuites)) {
+ throw new SocketException(String.format(
+ "Invalid transport options {enabledCipherSuites=%s}", cipherSuites));
+ }
+ }
+ }
+
IntrospectionSupport.setProperties(socket, transportOptions);
}
}
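Review bot: The fail-closed check in configureServerSocket covers only `enabledCipherSuites`; every other option, including `enabledProtocols`, still goes through the lenient `IntrospectionSupport.setProperties(socket, transportOptions)` call at the end of the method. A mistyped protocol list would therefore presumably be dropped without error, and the listener would start with the JVM's default protocol set instead of the one the operator asked for. The in-code comment already concedes that all invalid options should be breaking. A small step in that direction is to loop over the option names that select TLS parameters instead of hard-coding one, keeping the same message shape so the `enabledCipherSuites=BADSUITE` expectation in AMQ4582Test still matches.

```java
if (socket instanceof SSLServerSocket) {
    // Fail closed on every option that selects TLS parameters, not only cipher suites.
    for (String option : new String[] {"enabledCipherSuites", "enabledProtocols"}) {
        if (transportOptions.containsKey(option)) {
            Object value = transportOptions.remove(option);
            if (!IntrospectionSupport.setProperty(socket, option, value)) {
                throw new SocketException(String.format(
                    "Invalid transport options {%s=%s}", option, value));
            }
        }
    }
}
// … unchanged: IntrospectionSupport.setProperties(socket, transportOptions) …
```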
Added: activemq/trunk/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4582Test.java
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4582Test.java?rev=1512017&view=auto
==============================================================================
--- activemq/trunk/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4582Test.java (added)
+++ activemq/trunk/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4582Test.java Thu Aug 8 20:26:23 2013
@@ -0,0 +1,91 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.bugs;
+
+import java.io.IOException;
+
+import javax.jms.Connection;
+import javax.jms.Session;
+
+import org.apache.activemq.broker.BrokerService;
+import org.apache.activemq.util.ConsumerThread;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AMQ4582Test {
+
+ private static final transient Logger LOG = LoggerFactory.getLogger(AMQ4582Test.class);
+
+ BrokerService broker;
+ Connection connection;
+ Session session;
+
+ public static final String KEYSTORE_TYPE = "jks";
+ public static final String PASSWORD = "password";
+ public static final String SERVER_KEYSTORE = "src/test/resources/server.keystore";
+ public static final String TRUST_KEYSTORE = "src/test/resources/client.keystore";
+
+ public static final int PRODUCER_COUNT = 10;
+ public static final int CONSUMER_COUNT = 10;
+ public static final int MESSAGE_COUNT = 1000;
+
+ final ConsumerThread[] consumers = new ConsumerThread[CONSUMER_COUNT];
+
+ @Before
+ public void setUp() throws Exception {
+ System.setProperty("javax.net.ssl.trustStore", TRUST_KEYSTORE);
+ System.setProperty("javax.net.ssl.trustStorePassword", PASSWORD);
+ System.setProperty("javax.net.ssl.trustStoreType", KEYSTORE_TYPE);
+ System.setProperty("javax.net.ssl.keyStore", SERVER_KEYSTORE);
+ System.setProperty("javax.net.ssl.keyStoreType", KEYSTORE_TYPE);
+ System.setProperty("javax.net.ssl.keyStorePassword", PASSWORD);
+ }
+
+ @After
+ public void tearDown() throws Exception {
+ if (broker != null) {
+ try {
+ broker.stop();
+ } catch(Exception e) {}
+ }
+ }
+
+ @Rule public ExpectedException thrown = ExpectedException.none();
+ @Test
+ public void simpleTest() throws Exception {
+ thrown.expect(IOException.class);
+ thrown.expectMessage("enabledCipherSuites=BADSUITE");
+
+ broker = new BrokerService();
+ broker.setPersistent(false);
+ broker.setUseJmx(false);
+ try {
+ broker.addConnector(
+ "ssl://localhost:0?transport.needClientAuth=true&transport.enabledCipherSuites=BADSUITE");
+ broker.start();
+ broker.waitUntilStarted();
+ } catch (Exception e) {
+ LOG.info("BrokerService threw:", e);
+ throw e;
+ }
+ }
+}
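Review bot: setUp() writes six JVM-wide `javax.net.ssl.*` system properties and tearDown() never restores them, so any test that later runs in the same JVM inherits this test's keystore and truststore and may pass or fail for the wrong reason. Capture the previous values in setUp() and put them back in tearDown(), calling `System.clearProperty(...)` for those that were unset. The empty `catch(Exception e) {}` around `broker.stop()` also hides a failed shutdown; at minimum log it, e.g. `LOG.warn("broker.stop() failed", e);`. The test covers only the rejection path, so a companion case that starts the connector with a valid suite and checks the socket's enabled suites would confirm the option is actually applied. The fields `connection`, `session` and `consumers` and the `*_COUNT` constants are unused here and can be dropped.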
Propchange: activemq/trunk/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4582Test.java
------------------------------------------------------------------------------
svn:eol-style = native