You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@activemq.apache.org by jb...@apache.org on 2020/02/25 18:03:31 UTC
[activemq-artemis] branch master updated: ARTEMIS-2627
simpleSecureServer failing on IBM Java 8 JVM
This is an automated email from the ASF dual-hosted git repository.
jbertram pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git
The following commit(s) were added to refs/heads/master by this push:
new 1e9be7d ARTEMIS-2627 simpleSecureServer failing on IBM Java 8 JVM
new 0092302 This closes #2990
1e9be7d is described below
commit 1e9be7ddc9932e73e72fe5c88658e04ef427b55a
Author: brusdev <br...@gmail.com>
AuthorDate: Sat Feb 22 13:41:19 2020 +0100
ARTEMIS-2627 simpleSecureServer failing on IBM Java 8 JVM
Remove excluded cipher suites matching the prefix `SSL` because the names of the
IBM Java 8 JVM cipher suites have the prefix `SSL` while the
`DEFAULT_EXCLUDED_CIPHER_SUITES` of org.eclipse.jetty.util.ssl.SslContextFactory
includes "^SSL_.*$". So all IBM JVM cipher suites are excluded by
SslContextFactory using the `DEFAULT_EXCLUDED_CIPHER_SUITES`.
---
artemis-dto/pom.xml | 5 ++
.../apache/activemq/artemis/dto/WebServerDTO.java | 60 +++++++++++++++
.../artemis/dto/test/WebServerDTOTest.java | 85 ++++++++++++++++++++++
.../artemis/component/WebServerComponent.java | 14 ++++
.../activemq/cli/test/WebServerComponentTest.java | 31 ++++++++
docs/user-manual/en/web-server.md | 8 ++
6 files changed, 203 insertions(+)
diff --git a/artemis-dto/pom.xml b/artemis-dto/pom.xml
index ba86351..c085263 100644
--- a/artemis-dto/pom.xml
+++ b/artemis-dto/pom.xml
@@ -60,6 +60,11 @@
<artifactId>activation</artifactId>
<version>${version.activation}</version>
</dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <scope>test</scope>
+ </dependency>
</dependencies>
<build>
diff --git a/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/WebServerDTO.java b/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/WebServerDTO.java
index 8987b42..292ceff 100644
--- a/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/WebServerDTO.java
+++ b/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/WebServerDTO.java
@@ -59,6 +59,18 @@ public class WebServerDTO extends ComponentDTO {
@XmlAttribute
private String trustStorePassword;
+ @XmlAttribute
+ private String includedTLSProtocols;
+
+ @XmlAttribute
+ private String excludedTLSProtocols;
+
+ @XmlAttribute
+ private String includedCipherSuites;
+
+ @XmlAttribute
+ private String excludedCipherSuites;
+
public WebServerDTO() {
componentClassName = "org.apache.activemq.artemis.component.WebServerComponent";
}
@@ -82,4 +94,52 @@ public class WebServerDTO extends ComponentDTO {
public void setTrustStorePassword(String trustStorePassword) {
this.trustStorePassword = trustStorePassword;
}
+
+ private String[] unmarshalArray(String text) {
+ if (text == null) {
+ return null;
+ }
+
+ return text.split(",");
+ }
+
+ private String marshalArray(String[] array) {
+ if (array == null) {
+ return null;
+ }
+
+ return String.join(",", array);
+ }
+
+ public String[] getIncludedTLSProtocols() {
+ return unmarshalArray(includedTLSProtocols);
+ }
+
+ public void setIncludedTLSProtocols(String... protocols) {
+ includedTLSProtocols = marshalArray(protocols);
+ }
+
+ public String[] getExcludedTLSProtocols() {
+ return unmarshalArray(excludedTLSProtocols);
+ }
+
+ public void setExcludedTLSProtocols(String... protocols) {
+ excludedTLSProtocols = marshalArray(protocols);
+ }
+
+ public String[] getIncludedCipherSuites() {
+ return unmarshalArray(includedCipherSuites);
+ }
+
+ public void setIncludedCipherSuites(String... cipherSuites) {
+ includedCipherSuites = marshalArray(cipherSuites);
+ }
+
+ public String[] getExcludedCipherSuites() {
+ return unmarshalArray(excludedCipherSuites);
+ }
+
+ public void setExcludedCipherSuites(String... cipherSuites) {
+ excludedCipherSuites = marshalArray(cipherSuites);
+ }
}
diff --git a/artemis-dto/src/test/java/org/apache/activemq/artemis/dto/test/WebServerDTOTest.java b/artemis-dto/src/test/java/org/apache/activemq/artemis/dto/test/WebServerDTOTest.java
new file mode 100644
index 0000000..bd51f6f
--- /dev/null
+++ b/artemis-dto/src/test/java/org/apache/activemq/artemis/dto/test/WebServerDTOTest.java
@@ -0,0 +1,85 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.dto.test;
+
+import org.apache.activemq.artemis.dto.WebServerDTO;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class WebServerDTOTest extends Assert {
+
+ @Test
+ public void testDefault() {
+ WebServerDTO webServer = new WebServerDTO();
+
+ Assert.assertNull(webServer.getIncludedTLSProtocols());
+ Assert.assertNull(webServer.getExcludedTLSProtocols());
+ Assert.assertNull(webServer.getIncludedCipherSuites());
+ Assert.assertNull(webServer.getExcludedCipherSuites());
+ }
+
+ @Test
+ public void testValues() {
+ WebServerDTO webServer = new WebServerDTO();
+
+ webServer.setIncludedTLSProtocols("TLSv1.2");
+ Assert.assertArrayEquals(new String[] {"TLSv1.2"}, webServer.getIncludedTLSProtocols());
+
+ webServer.setExcludedTLSProtocols("TLSv1,TLSv1.1");
+ Assert.assertArrayEquals(new String[] {"TLSv1", "TLSv1.1"}, webServer.getExcludedTLSProtocols());
+
+ webServer.setIncludedCipherSuites( "^SSL_.*$");
+ Assert.assertArrayEquals(new String[] {"^SSL_.*$"}, webServer.getIncludedCipherSuites());
+
+ webServer.setExcludedCipherSuites( "^.*_(MD5|SHA|SHA1)$,^TLS_RSA_.*$,^.*_NULL_.*$,^.*_anon_.*$");
+ Assert.assertArrayEquals(new String[] {"^.*_(MD5|SHA|SHA1)$", "^TLS_RSA_.*$", "^.*_NULL_.*$", "^.*_anon_.*$"}, webServer.getExcludedCipherSuites());
+ }
+
+ @Test
+ public void testEmptyValues() {
+ WebServerDTO webServer = new WebServerDTO();
+
+ webServer.setIncludedTLSProtocols("");
+ Assert.assertArrayEquals(new String[] {""}, webServer.getIncludedTLSProtocols());
+
+ webServer.setExcludedTLSProtocols("");
+ Assert.assertArrayEquals(new String[] {""}, webServer.getExcludedTLSProtocols());
+
+ webServer.setIncludedCipherSuites("");
+ Assert.assertArrayEquals(new String[] {""}, webServer.getIncludedCipherSuites());
+
+ webServer.setExcludedCipherSuites("");
+ Assert.assertArrayEquals(new String[] {""}, webServer.getExcludedCipherSuites());
+ }
+
+ @Test
+ public void testNullValues() {
+ WebServerDTO webServer = new WebServerDTO();
+
+ webServer.setIncludedTLSProtocols(null);
+ Assert.assertNull(webServer.getIncludedTLSProtocols());
+
+ webServer.setExcludedTLSProtocols(null);
+ Assert.assertNull(webServer.getExcludedTLSProtocols());
+
+ webServer.setIncludedCipherSuites(null);
+ Assert.assertNull(webServer.getIncludedCipherSuites());
+
+ webServer.setExcludedCipherSuites(null);
+ Assert.assertNull(webServer.getExcludedCipherSuites());
+ }
+}
diff --git a/artemis-web/src/main/java/org/apache/activemq/artemis/component/WebServerComponent.java b/artemis-web/src/main/java/org/apache/activemq/artemis/component/WebServerComponent.java
index 2635d67..e20bbed 100644
--- a/artemis-web/src/main/java/org/apache/activemq/artemis/component/WebServerComponent.java
+++ b/artemis-web/src/main/java/org/apache/activemq/artemis/component/WebServerComponent.java
@@ -72,6 +72,20 @@ public class WebServerComponent implements ExternalComponent {
SslContextFactory.Server sslFactory = new SslContextFactory.Server();
sslFactory.setKeyStorePath(webServerConfig.keyStorePath == null ? artemisInstance + "/etc/keystore.jks" : webServerConfig.keyStorePath);
sslFactory.setKeyStorePassword(webServerConfig.getKeyStorePassword() == null ? "password" : webServerConfig.getKeyStorePassword());
+ String[] ips = sslFactory.getIncludeProtocols();
+
+ if (webServerConfig.getIncludedTLSProtocols() != null) {
+ sslFactory.setIncludeProtocols(webServerConfig.getIncludedTLSProtocols());
+ }
+ if (webServerConfig.getExcludedTLSProtocols() != null) {
+ sslFactory.setExcludeProtocols(webServerConfig.getExcludedTLSProtocols());
+ }
+ if (webServerConfig.getIncludedCipherSuites() != null) {
+ sslFactory.setIncludeCipherSuites(webServerConfig.getIncludedCipherSuites());
+ }
+ if (webServerConfig.getExcludedCipherSuites() != null) {
+ sslFactory.setExcludeCipherSuites(webServerConfig.getExcludedCipherSuites());
+ }
if (webServerConfig.clientAuth != null) {
sslFactory.setNeedClientAuth(webServerConfig.clientAuth);
if (webServerConfig.clientAuth) {
diff --git a/artemis-web/src/test/java/org/apache/activemq/cli/test/WebServerComponentTest.java b/artemis-web/src/test/java/org/apache/activemq/cli/test/WebServerComponentTest.java
index fb6461e..5143714 100644
--- a/artemis-web/src/test/java/org/apache/activemq/cli/test/WebServerComponentTest.java
+++ b/artemis-web/src/test/java/org/apache/activemq/cli/test/WebServerComponentTest.java
@@ -22,9 +22,11 @@ import java.io.File;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
+import java.util.regex.Pattern;
import io.netty.bootstrap.Bootstrap;
import io.netty.channel.Channel;
@@ -51,6 +53,7 @@ import org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport;
import org.apache.activemq.artemis.core.server.ActiveMQComponent;
import org.apache.activemq.artemis.dto.BrokerDTO;
import org.apache.activemq.artemis.dto.WebServerDTO;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
@@ -169,6 +172,15 @@ public class WebServerComponentTest extends Assert {
webServerDTO.path = "webapps";
webServerDTO.keyStorePath = "./src/test/resources/server.keystore";
webServerDTO.setKeyStorePassword("password");
+ if (System.getProperty("java.vendor").contains("IBM")) {
+ //By default on IBM Java 8 JVM, org.eclipse.jetty.util.ssl.SslContextFactory doesn't include TLSv1.2
+ // while it excludes all TLSv1 and TLSv1.1 cipher suites.
+ webServerDTO.setIncludedTLSProtocols("TLSv1.2");
+ // Remove excluded cipher suites matching the prefix `SSL` because the names of the IBM Java 8 JVM cipher suites
+ // have the prefix `SSL` while the `DEFAULT_EXCLUDED_CIPHER_SUITES` of org.eclipse.jetty.util.ssl.SslContextFactory
+ // includes "^SSL_.*$". So all IBM JVM cipher suites are excluded by SslContextFactory using the `DEFAULT_EXCLUDED_CIPHER_SUITES`.
+ webServerDTO.setExcludedCipherSuites(Arrays.stream(new SslContextFactory.Server().getExcludeCipherSuites()).filter(s -> !Pattern.matches(s, "SSL_")).toArray(String[]::new));
+ }
WebServerComponent webServerComponent = new WebServerComponent();
Assert.assertFalse(webServerComponent.isStarted());
@@ -188,6 +200,11 @@ public class WebServerComponentTest extends Assert {
SSLEngine engine = context.createSSLEngine();
engine.setUseClientMode(true);
engine.setWantClientAuth(true);
+ if (System.getProperty("java.vendor").contains("IBM")) {
+ //By default on IBM Java 8 JVM, SSLEngine doesn't enable TLSv1.2 while
+ // org.eclipse.jetty.util.ssl.SslContextFactory excludes all TLSv1 and TLSv1.1 cipher suites.
+ engine.setEnabledProtocols(new String[] {"TLSv1.2"});
+ }
final SslHandler sslHandler = new SslHandler(engine);
CountDownLatch latch = new CountDownLatch(1);
@@ -229,6 +246,15 @@ public class WebServerComponentTest extends Assert {
webServerDTO.clientAuth = true;
webServerDTO.trustStorePath = "./src/test/resources/server.keystore";
webServerDTO.setTrustStorePassword("password");
+ if (System.getProperty("java.vendor").contains("IBM")) {
+ //By default on IBM Java 8 JVM, org.eclipse.jetty.util.ssl.SslContextFactory doesn't include TLSv1.2
+ // while it excludes all TLSv1 and TLSv1.1 cipher suites.
+ webServerDTO.setIncludedTLSProtocols("TLSv1.2");
+ // Remove excluded cipher suites matching the prefix `SSL` because the names of the IBM Java 8 JVM cipher suites
+ // have the prefix `SSL` while the `DEFAULT_EXCLUDED_CIPHER_SUITES` of org.eclipse.jetty.util.ssl.SslContextFactory
+ // includes "^SSL_.*$". So all IBM JVM cipher suites are excluded by SslContextFactory using the `DEFAULT_EXCLUDED_CIPHER_SUITES`.
+ webServerDTO.setExcludedCipherSuites(Arrays.stream(new SslContextFactory.Server().getExcludeCipherSuites()).filter(s -> !Pattern.matches(s, "SSL_")).toArray(String[]::new));
+ }
WebServerComponent webServerComponent = new WebServerComponent();
Assert.assertFalse(webServerComponent.isStarted());
@@ -248,6 +274,11 @@ public class WebServerComponentTest extends Assert {
SSLEngine engine = context.createSSLEngine();
engine.setUseClientMode(true);
engine.setWantClientAuth(true);
+ if (System.getProperty("java.vendor").contains("IBM")) {
+ //By default on IBM Java 8 JVM, SSLEngine doesn't enable TLSv1.2 while
+ // org.eclipse.jetty.util.ssl.SslContextFactory excludes all TLSv1 and TLSv1.1 cipher suites.
+ engine.setEnabledProtocols(new String[] {"TLSv1.2"});
+ }
final SslHandler sslHandler = new SslHandler(engine);
CountDownLatch latch = new CountDownLatch(1);
diff --git a/docs/user-manual/en/web-server.md b/docs/user-manual/en/web-server.md
index 2a403ad..8885305 100644
--- a/docs/user-manual/en/web-server.md
+++ b/docs/user-manual/en/web-server.md
@@ -41,6 +41,14 @@ The `web` element has the following attributes:
using `https`. Can be masked using `ENC()` syntax or by defining
`passwordCodec`. See more in the [password masking](masking-passwords.md)
chapter.
+- `includedTLSProtocols` A comma seperated list of included TLS protocols,
+ ie `"TLSv1,TLSv1.1,TLSv1.2"`. Only applicable when using `https`.
+- `excludedTLSProtocols` A comma seperated list of excluded TLS protocols,
+ ie `"TLSv1,TLSv1.1,TLSv1.2"`. Only applicable when using `https`.
+- `includedCipherSuites` A comma seperated list of included cipher suites.
+ Only applicable when using `https`.
+- `excludedCipherSuites` A comma seperated list of excluded cipher suites.
+ Only applicable when using `https`.
Each web application should be defined in an `app` element. The `app` element
has the following attributes: