You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@activemq.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2021/10/05 16:31:00 UTC
[jira] [Work logged] (ARTEMIS-3038) unwind defunct changes from
ARTEMIS-1264
[ https://issues.apache.org/jira/browse/ARTEMIS-3038?focusedWorklogId=660427&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-660427 ]
ASF GitHub Bot logged work on ARTEMIS-3038:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 05/Oct/21 16:30
Start Date: 05/Oct/21 16:30
Worklog Time Spent: 10m
Work Description: gemmellr opened a new pull request #3785:
URL: https://github.com/apache/activemq-artemis/pull/3785
Unwinds the effects of the RFC 2712 'Kerberos SSL ciphers' support added in ARTEMIS-1264. The functionality was recommended against use even then, and was removed entirely from JDK11. It has been disabled by default in JDK8 for a while. OpenSSL removed its equivalent support in 2015. It is no longer being tested, with the tests already removed (a3de3d4c75ba1482706e8c42a5c9b0f9811901eb) since no modern JVMs can do it out of the box.
The code has changed and moved around a lot since as the surrounding areas were updated, other functionality added etc, so this was a case of making the related unwinds rather than reverting what was added as such. The docs included a note of the support, including mention it is insecure, though the specific steps needed to configure and use it were seemingly never added.
Once #3696 lands this functionality becomes 100% defunct, but its largely already unusable and shouldn't really be used anyway so I don't think this PR needs to wait for that one.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: gitbox-unsubscribe@activemq.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Issue Time Tracking
-------------------
Worklog Id: (was: 660427)
Remaining Estimate: 0h
Time Spent: 10m
> unwind defunct changes from ARTEMIS-1264
> ----------------------------------------
>
> Key: ARTEMIS-3038
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3038
> Project: ActiveMQ Artemis
> Issue Type: Task
> Affects Versions: 2.18.0
> Reporter: Clebert Suconic
> Assignee: Gary Tully
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The changes made in ARTEMIS-1264 are essentially defunct and should be unwound. The Kerberos TLS cipher suites were already not recommended for use at the time due to being weak, they had already been removed entirely from Java 11 by then, and have been disabled by default in Java 8 releases for some time now, and do not work with TLS 1.3. OpenSSL removed the equivalent support from its source even earlier in May 2015, [https://mta.openssl.org/pipermail/openssl-users/2015-May/001406.html].
> The related tests have already been removed as they were failing, then ignored, and essentialy couldnt run anywhere. The non-test changes are now untested and essentially defunct already, but once releases require Java 11 they will become entirely unusable.
>
> Originally described with "CoreClientOverOneWaySSLKerb5Test#testOneWaySSLWithGoodClientCipherSuite is failing.... I set the test with an ignore .. until we investigate what we should do."
--
This message was sent by Atlassian Jira
(v8.3.4#803005)