Posted to commits@activemq.apache.org by ta...@apache.org on 2013/08/08 22:26:24 UTC

svn commit: r1512017 - in /activemq/trunk: activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4582Test.java

Author: tabish
Date: Thu Aug  8 20:26:23 2013
New Revision: 1512017

URL: http://svn.apache.org/r1512017
Log:
fix for: https://issues.apache.org/jira/browse/AMQ-4582

treat bad enabledCipherSuites option as non-recoverable.  

Added:
    activemq/trunk/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4582Test.java   (with props)
Modified:
    activemq/trunk/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java

Modified: activemq/trunk/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java?rev=1512017&r1=1512016&r2=1512017&view=diff
==============================================================================
--- activemq/trunk/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java (original)
+++ activemq/trunk/activemq-client/src/main/java/org/apache/activemq/transport/tcp/TcpTransportServer.java Thu Aug  8 20:26:23 2013
@@ -33,6 +33,7 @@ import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicInteger;
 
 import javax.net.ServerSocketFactory;
+import javax.net.ssl.SSLServerSocket;
 
 import org.apache.activemq.Service;
 import org.apache.activemq.ThreadPriorities;
@@ -151,6 +152,27 @@ public class TcpTransportServer extends 
     private void configureServerSocket(ServerSocket socket) throws SocketException {
         socket.setSoTimeout(2000);
         if (transportOptions != null) {
+
+            // If the enabledCipherSuites option is invalid we don't want to ignore it as the call
+            // to SSLServerSocket to configure it has a side effect on the socket rendering it
+            // useless as all suites are enabled many of which are considered as insecure.  We
+            // instead trap that option here and throw an exception.  We should really consider
+            // all invalid options as breaking and not start the transport but the current design
+            // doesn't really allow for this.
+            //
+            //  see: https://issues.apache.org/jira/browse/AMQ-4582
+            //
+            if (socket instanceof SSLServerSocket) {
+                if (transportOptions.containsKey("enabledCipherSuites")) {
+                    Object cipherSuites = transportOptions.remove("enabledCipherSuites");
+
+                    if (!IntrospectionSupport.setProperty(socket, "enabledCipherSuites", cipherSuites)) {
+                        throw new SocketException(String.format(
+                            "Invalid transport options {enabledCipherSuites=%s}", cipherSuites));
+                    }
+                }
+            }
+
             IntrospectionSupport.setProperties(socket, transportOptions);
         }
     }
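Review bot: The fail-closed check in configureServerSocket covers only `enabledCipherSuites`. Every other TLS-hardening option on the SSLServerSocket, for example `enabledProtocols`, still goes through `IntrospectionSupport.setProperties(socket, transportOptions)`, whose result is not checked. A mistyped value there would presumably leave the JVM defaults active, which is the same silent downgrade the new comment describes for cipher suites. Running the same set-or-throw step over a short list of security-relevant keys would close that gap while leaving the lenient handling of the remaining options as it is. The exception text keeps the `key=value` form, so the message asserted in AMQ4582Test still matches.

```java
            if (socket instanceof SSLServerSocket) {
                // Fail closed on each TLS-hardening option, not only the cipher list.
                for (String key : new String[] {"enabledCipherSuites", "enabledProtocols"}) {
                    if (transportOptions.containsKey(key)) {
                        Object value = transportOptions.remove(key);

                        if (!IntrospectionSupport.setProperty(socket, key, value)) {
                            throw new SocketException(String.format(
                                "Invalid transport options {%s=%s}", key, value));
                        }
                    }
                }
            }
            // … unchanged: IntrospectionSupport.setProperties(socket, transportOptions) …
```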

Added: activemq/trunk/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4582Test.java
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4582Test.java?rev=1512017&view=auto
==============================================================================
--- activemq/trunk/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4582Test.java (added)
+++ activemq/trunk/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4582Test.java Thu Aug  8 20:26:23 2013
@@ -0,0 +1,91 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.bugs;
+
+import java.io.IOException;
+
+import javax.jms.Connection;
+import javax.jms.Session;
+
+import org.apache.activemq.broker.BrokerService;
+import org.apache.activemq.util.ConsumerThread;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AMQ4582Test {
+
+    private static final transient Logger LOG = LoggerFactory.getLogger(AMQ4582Test.class);
+
+    BrokerService broker;
+    Connection connection;
+    Session session;
+
+    public static final String KEYSTORE_TYPE = "jks";
+    public static final String PASSWORD = "password";
+    public static final String SERVER_KEYSTORE = "src/test/resources/server.keystore";
+    public static final String TRUST_KEYSTORE = "src/test/resources/client.keystore";
+
+    public static final int PRODUCER_COUNT = 10;
+    public static final int CONSUMER_COUNT = 10;
+    public static final int MESSAGE_COUNT = 1000;
+
+    final ConsumerThread[] consumers = new ConsumerThread[CONSUMER_COUNT];
+
+    @Before
+    public void setUp() throws Exception {
+        System.setProperty("javax.net.ssl.trustStore", TRUST_KEYSTORE);
+        System.setProperty("javax.net.ssl.trustStorePassword", PASSWORD);
+        System.setProperty("javax.net.ssl.trustStoreType", KEYSTORE_TYPE);
+        System.setProperty("javax.net.ssl.keyStore", SERVER_KEYSTORE);
+        System.setProperty("javax.net.ssl.keyStoreType", KEYSTORE_TYPE);
+        System.setProperty("javax.net.ssl.keyStorePassword", PASSWORD);
+    }
+
+    @After
+    public void tearDown() throws Exception {
+        if (broker != null) {
+            try {
+                broker.stop();
+            } catch(Exception e) {}
+        }
+    }
+
+    @Rule public ExpectedException thrown = ExpectedException.none();
+    @Test
+    public void simpleTest() throws Exception {
+        thrown.expect(IOException.class);
+        thrown.expectMessage("enabledCipherSuites=BADSUITE");
+
+        broker = new BrokerService();
+        broker.setPersistent(false);
+        broker.setUseJmx(false);
+        try {
+            broker.addConnector(
+                "ssl://localhost:0?transport.needClientAuth=true&transport.enabledCipherSuites=BADSUITE");
+            broker.start();
+            broker.waitUntilStarted();
+        } catch (Exception e) {
+            LOG.info("BrokerService threw:", e);
+            throw e;
+        }
+    }
+}
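Review bot: setUp() writes six JVM-wide `javax.net.ssl.*` system properties and tearDown() never clears them, so any later test in the same JVM inherits the test keystore and trust store as its default TLS configuration. Clearing them in tearDown() (or saving and restoring the previous values, if the build sets any) keeps the test isolated. The empty `catch(Exception e) {}` around `broker.stop()` also hides shutdown failures; logging through the existing `LOG` would be enough. The fields `connection`, `session` and `consumers`, and the three `*_COUNT` constants, are not used anywhere in this class and could be dropped.

```java
    @After
    public void tearDown() throws Exception {
        // … unchanged: broker.stop() guarded by the null check …

        // Do not leave the test key/trust store configured for later tests in this JVM.
        for (String key : new String[] {
                "javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword",
                "javax.net.ssl.trustStoreType", "javax.net.ssl.keyStore",
                "javax.net.ssl.keyStoreType", "javax.net.ssl.keyStorePassword"}) {
            System.clearProperty(key);
        }
    }
```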

Propchange: activemq/trunk/activemq-unit-tests/src/test/java/org/apache/activemq/bugs/AMQ4582Test.java
------------------------------------------------------------------------------
    svn:eol-style = native