From c577e04b73f22f78f788fb73c35b9ab6524b548b Mon Sep 17 00:00:00 2001
From: Iliia Khaprov
Date: Wed, 1 Nov 2023 10:53:27 +0100
Subject: [PATCH] Remove POODLE check, we are in the future

---
deps/rabbit/src/rabbit_networking.erl | 36 ++-----------------
deps/rabbitmq_mqtt/src/rabbit_mqtt_sup.erl | 5 +--
deps/rabbitmq_stomp/src/rabbit_stomp_sup.erl | 5 +--
.../rabbitmq_stream/src/rabbit_stream_sup.erl | 7 +---
.../src/rabbit_web_dispatch_sup.erl | 9 ++---
5 files changed, 8 insertions(+), 54 deletions(-)

diff --git a/deps/rabbit/src/rabbit_networking.erl b/deps/rabbit/src/rabbit_networking.erl
index 6f702fe25c..920ac3a069 100644
--- a/deps/rabbit/src/rabbit_networking.erl
+++ b/deps/rabbit/src/rabbit_networking.erl
@@ -39,7 +39,7 @@
%% Used by TCP-based transports, e.g. STOMP adapter
-export([tcp_listener_addresses/1, tcp_listener_spec/9, tcp_listener_spec/10, tcp_listener_spec/11,
- ensure_ssl/0, fix_ssl_options/1, poodle_check/1]).
+ ensure_ssl/0, fix_ssl_options/1]).
-export([tcp_listener_started/4, tcp_listener_stopped/4]).
@@ -127,12 +127,7 @@ boot_tls(NumAcceptors, ConcurrentConnsSupsCount) ->
ok;
{ok, SslListeners} ->
SslOpts = ensure_ssl(),
- case poodle_check('AMQP') of
- ok -> _ = [start_ssl_listener(L, SslOpts, NumAcceptors, ConcurrentConnsSupsCount)
- || L <- SslListeners],
- ok;
- danger -> ok
- end,
+ [start_ssl_listener(L, SslOpts, NumAcceptors, ConcurrentConnsSupsCount) || L <- SslListeners],
ok
end.
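Review bot: The comprehension on the `+` line of the `boot_tls/2` hunk is evaluated only for the side effect of `start_ssl_listener/4` and its list is dropped, but the `_ =` that the removed code used to mark that is gone, while elsewhere in this same patch a discarded result is still written `_ = rabbit_networking:ensure_ssl()`. Either keep the marker, `_ = [start_ssl_listener(L, SslOpts, NumAcceptors, ConcurrentConnsSupsCount) || L <- SslListeners],`, or make the intent explicit with `lists:foreach(fun(L) -> start_ssl_listener(L, SslOpts, NumAcceptors, ConcurrentConnsSupsCount) end, SslListeners),`. Separately, the next hunk of this file deletes the only reader of `ssl_allow_poodle_attack` visible in the diff; if that key is still declared in the config schema or documented, it is now accepted and silently ignored, so it should be retired in the same change. `boot_tls/2` starts above the hunk.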
@@ -144,33 +139,6 @@ ensure_ssl() ->
{ok, SslOptsConfig0} = application:get_env(rabbit, ssl_options),
rabbit_ssl_options:fix(SslOptsConfig0).
--spec poodle_check(atom()) -> 'ok' | 'danger'.
-
-poodle_check(Context) ->
- {ok, Vsn} = application:get_key(ssl, vsn),
- case rabbit_misc:version_compare(Vsn, "5.3", gte) of %% R16B01
- true -> ok;
- false -> case application:get_env(rabbit, ssl_allow_poodle_attack) of
- {ok, true} -> ok;
- _ -> log_poodle_fail(Context),
- danger
- end
- end.
-
-log_poodle_fail(Context) ->
- rabbit_log:error(
- "The installed version of Erlang (~ts) contains the bug OTP-10905,~n"
- "which makes it impossible to disable SSLv3. This makes the system~n"
- "vulnerable to the POODLE attack. SSL listeners for ~ts have therefore~n"
- "been disabled.~n~n"
- "You are advised to upgrade to a recent Erlang version; R16B01 is the~n"
- "first version in which this bug is fixed, but later is usually~n"
- "better.~n~n"
- "If you cannot upgrade now and want to re-enable SSL listeners, you can~n"
- "set the config item 'ssl_allow_poodle_attack' to 'true' in the~n"
- "'rabbit' section of your configuration file.",
- [rabbit_misc:otp_release(), Context]).
-
fix_ssl_options(Config) ->
rabbit_ssl_options:fix(Config).
diff --git a/deps/rabbitmq_mqtt/src/rabbit_mqtt_sup.erl b/deps/rabbitmq_mqtt/src/rabbit_mqtt_sup.erl
index 8c983c396d..a6dd2776a1 100644
--- a/deps/rabbitmq_mqtt/src/rabbit_mqtt_sup.erl
+++ b/deps/rabbitmq_mqtt/src/rabbit_mqtt_sup.erl
@@ -28,10 +28,7 @@ init([{Listeners, SslListeners0}]) ->
[] -> {none, 0, []};
_ -> {rabbit_networking:ensure_ssl(),
application:get_env(?APP_NAME, num_ssl_acceptors, 10),
- case rabbit_networking:poodle_check('MQTT') of
- ok -> SslListeners0;
- danger -> []
- end}
+ SslListeners0}
end,
%% Use separate process group scope per RabbitMQ node. This achieves a local-only
%% process group which requires less memory with millions of connections.
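Review bot: In the MQTT supervisor hunk, with the `danger` arm gone the third tuple element is `SslListeners0` in the non-empty arm and `[]` in the empty one, i.e. it always equals `SslListeners0`, so the `case` now only decides whether `ensure_ssl/0` runs and that element is redundant. The binding it feeds is above the hunk (`init/1` starts outside it); if it is `{SslOpts, NumSslAcceptors, SslListeners} = case SslListeners0 of ...`, it can shrink to a two-tuple, `[] -> {none, 0};` and `_ -> {rabbit_networking:ensure_ssl(), application:get_env(?APP_NAME, num_ssl_acceptors, 10)}`, with `SslListeners0` used directly where `SslListeners` was. The STOMP and stream supervisor hunks in this commit end up in the same shape and admit the same simplification.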
diff --git a/deps/rabbitmq_stomp/src/rabbit_stomp_sup.erl b/deps/rabbitmq_stomp/src/rabbit_stomp_sup.erl
index ad016664c4..05902ea0b8 100644
--- a/deps/rabbitmq_stomp/src/rabbit_stomp_sup.erl
+++ b/deps/rabbitmq_stomp/src/rabbit_stomp_sup.erl
@@ -26,10 +26,7 @@ init([{Listeners, SslListeners0}, Configuration]) ->
[] -> {none, 0, []};
_ -> {rabbit_networking:ensure_ssl(),
application:get_env(rabbitmq_stomp, num_ssl_acceptors, 10),
- case rabbit_networking:poodle_check('STOMP') of
- ok -> SslListeners0;
- danger -> []
- end}
+ SslListeners0}
end,
Flags = #{
strategy => one_for_all,
diff --git a/deps/rabbitmq_stream/src/rabbit_stream_sup.erl b/deps/rabbitmq_stream/src/rabbit_stream_sup.erl
index ff917a6fa8..d037371143 100644
--- a/deps/rabbitmq_stream/src/rabbit_stream_sup.erl
+++ b/deps/rabbitmq_stream/src/rabbit_stream_sup.erl
@@ -44,12 +44,7 @@ init([]) ->
_ ->
{rabbit_networking:ensure_ssl(),
application:get_env(rabbitmq_stream, num_ssl_acceptors, 10),
- case rabbit_networking:poodle_check('STREAM') of
- ok ->
- SslListeners0;
- danger ->
- []
- end}
+ SslListeners0}
end,
Nodes = rabbit_nodes:list_members(),
diff --git a/deps/rabbitmq_web_dispatch/src/rabbit_web_dispatch_sup.erl b/deps/rabbitmq_web_dispatch/src/rabbit_web_dispatch_sup.erl
index 7a072a0aa0..868fc0c9df 100644
--- a/deps/rabbitmq_web_dispatch/src/rabbit_web_dispatch_sup.erl
+++ b/deps/rabbitmq_web_dispatch/src/rabbit_web_dispatch_sup.erl
@@ -71,12 +71,9 @@ init([]) ->
preprocess_config(Options) ->
case proplists:get_value(ssl, Options) of
true -> _ = rabbit_networking:ensure_ssl(),
- case rabbit_networking:poodle_check('HTTP') of
- ok -> case proplists:get_value(ssl_opts, Options) of
- undefined -> auto_ssl(Options);
- _ -> fix_ssl(Options)
- end;
- danger -> {ranch_tcp, transport_config(Options), protocol_config(Options)}
+ case proplists:get_value(ssl_opts, Options) of
+ undefined -> auto_ssl(Options);
+ _ -> fix_ssl(Options)
end;
_ -> {ranch_tcp, transport_config(Options), protocol_config(Options)}
end.
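Review bot: In the `true ->` arm, `_ = rabbit_networking:ensure_ssl()` now stands alone with its result discarded while the transport options actually used come from `auto_ssl/1` or `fix_ssl/1`, so a reader cannot tell why the call is kept. If it is there for a side effect inside `rabbit_ssl_options:fix/1` (not visible in this diff), say so on the line above it, `%% called for its effect on the rabbit ssl_options env, not for its return value`; if it has no side effect, the line can simply go. It is also worth noting in the commit message that the removed `danger` arm used to hand an `ssl: true` listener a plain `ranch_tcp` transport, so operators on old OTP releases now get a TLS listener or a startup failure rather than a silent plaintext fallback.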