Bug 1165456

Summary: (6.4.0) HornetQ: Disallow SSLv3 [6.4.0][defense-in-depth]
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Arun Babu Neelicattu <aneelica>
Component: HornetQAssignee: Justin Bertram <jbertram>
Status: CLOSED CURRENTRELEASE QA Contact: Miroslav Novak <mnovak>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4.0CC: bbaranow, cdewolf, csuconic, grocha, jawilson, jbertram, kkhan, mnovak, msvehla
Target Milestone: DR13Keywords: Security
Target Release: EAP 6.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
In this release of JBoss EAP 6, SSLv3 has been disabled due to the recently uncovered POODLE vulnerability. More information about POODLE can be found in in Oracle's security topics: http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-19 12:43:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1165463, 1166735    

Description Arun Babu Neelicattu 2014-11-19 02:24:40 UTC 
In light of POODLE, it is recommended that the use of SSLv3 be disabled as a hardening measure. This has been already done upstream via jira HORNETQ-1444. The relevant upstream commit is at [1]. We also recommend SSL support be dropped in favor of TLS protocols if feasible.

[1] https://github.com/hornetq/hornetq/commit/e9825f22568eacfb40058ce5177497cbaf2af1a0
Comment 1 Clebert Suconic 2014-11-19 19:40:51 UTC 
My understanding is that Jimmy was checking with security if we should back port this one or not based on the security team directives.

Justin posted changes for this already on our upstream.. we just need to verify if we should back port this or not.

Jimmy?
Comment 2 Clebert Suconic 2014-11-20 14:31:52 UTC 
PR sent: https://github.com/hornetq/hornetq/pull/1957
Comment 3 Kabir Khan 2014-12-02 12:57:59 UTC 
This is part of 2.3.24.Final, setting to MODIFIED for DR12 (although it probably came in earlier)
Comment 4 Miroslav Novak 2014-12-03 15:47:00 UTC 
Hi Justin, 

I've tried to connect by standalone JMS client with SSLv3 and client could create connection and send messages to queue. 

Server just logged warning:
16:03:57,088 WARN  [org.hornetq.core.server] (Old I/O server boss ([id: 0x04d786c5, /127.0.0.1:5445])) HQ222190: Disallowing use of vulnerable protocol: SSLv2Hello. See http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html for more details.
16:03:57,088 WARN  [org.hornetq.core.server] (Old I/O server boss ([id: 0x04d786c5, /127.0.0.1:5445])) HQ222190: Disallowing use of vulnerable protocol: SSLv3. See http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html for more details.

Correct behaviour should be that client will not able to create connection.

We checked SSLHandler class in netty 3.6.10 and it does not check enabled protocols. In Netty 4+ which is in HornetQ 2.5 there is check for enabled protocols. 

There is also missing possibility to set "enabled-protocols" parameter for connector. User does not have a way to specify set of protocols to use.

Thanks,
Mirek
Comment 5 Justin Bertram 2014-12-08 15:18:30 UTC 
> I've tried to connect by standalone JMS client with SSLv3 and client could create connection and send messages to queue. 

How did you verify that the client was indeed using SSLv3 and not TLSv1?


> We checked SSLHandler class in netty 3.6.10 and it does not check enabled protocols.

Netty's behavior here shouldn't be an issue.  The enabled protocols are changed on the javax.net.ssl.SSLEngine instance that is passed to the  org.jboss.netty.handler.ssl.SslHandler constructor.  Netty should be using the engine as is and not modifying it (no matter what version of Netty is used).


> There is also missing possibility to set "enabled-protocols" parameter for connector. User does not have a way to specify set of protocols to use.

That's correct.  This feature was added to later versions but not back-ported to 2.3.x because there's been no customer requests for it.
Comment 6 Miroslav Novak 2014-12-11 11:54:08 UTC 
I've created byteman rule which set only "SSLv3" to enabled protocols in JMS client:

RULE "rule to force sslv3"
CLASS org.hornetq.core.remoting.impl.netty.NettyConnector
METHOD start()
AT LINE 473
IF true
DO "engine.setEnabledProtocols(new String[] {\"SSLv3\"});"
ENDRULE


Based on description in this bugzilla, I'd expect that client using SSLv3 protocol won't be able to create connection.
Comment 7 Justin Bertram 2014-12-11 17:11:49 UTC 
What branch/tag are you working from?  I'm trying to verify you're using the right line number in your Byteman rule.
Comment 8 Justin Bertram 2014-12-11 18:41:29 UTC 
I think your Byteman rule just isn't right.  If I manually insert:

  engine.setEnabledProtocols(new String[] {"SSLv3"});

at the proper point and run a test then the client is unable to connect.

The same basic test exists on the HornetQ master branch in org.hornetq.tests.integration.ssl.CoreClientOverOneWaySSLTest.testPOODLE, but that test uses the client's ability to set the enabled protocols on the transport.
Comment 9 Justin Bertram 2014-12-11 19:08:21 UTC 
I just sent https://github.com/hornetq/hornetq/pull/1973 with a Byteman test that does the job.
Comment 10 Miroslav Novak 2014-12-15 10:03:46 UTC 
You're right, byteman rule was not right. When I tried to add:

engine.setEnabledProtocols(new String[] {"SSLv3"});

to NettyConnector.java then I can see that client cannot connect.

I'm setting bz as verified.