root
/
rabbitmq-server
mirror of https://github.com/rabbitmq/rabbitmq-server.git
1
0
Fork 0
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Remove POODLE check, we are in the future

This commit is contained in:
Iliia Khaprov 2023-11-01 10:53:27 +01:00
parent 728dd57ffc
commit c577e04b73
5 changed files with 8 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
deps/rabbit/src/rabbit_networking.erl vendored
View File

@ -39,7 +39,7 @@
%% Used by TCP-based transports, e.g. STOMP adapter %% Used by TCP-based transports, e.g. STOMP adapter
-export([tcp_listener_addresses/1, -export([tcp_listener_addresses/1,
tcp_listener_spec/9, tcp_listener_spec/10, tcp_listener_spec/11, tcp_listener_spec/9, tcp_listener_spec/10, tcp_listener_spec/11,
ensure_ssl/0, fix_ssl_options/1, poodle_check/1]). ensure_ssl/0, fix_ssl_options/1]).
-export([tcp_listener_started/4, tcp_listener_stopped/4]). -export([tcp_listener_started/4, tcp_listener_stopped/4]).
@ -127,12 +127,7 @@ boot_tls(NumAcceptors, ConcurrentConnsSupsCount) ->
ok; ok;
{ok, SslListeners} -> {ok, SslListeners} ->
SslOpts = ensure_ssl(), SslOpts = ensure_ssl(),
case poodle_check('AMQP') of [start_ssl_listener(L, SslOpts, NumAcceptors, ConcurrentConnsSupsCount) || L <- SslListeners],
ok -> _ = [start_ssl_listener(L, SslOpts, NumAcceptors, ConcurrentConnsSupsCount)
|| L <- SslListeners],
ok;
danger -> ok
end,
ok ok
end. end.
@ -144,33 +139,6 @@ ensure_ssl() ->
{ok, SslOptsConfig0} = application:get_env(rabbit, ssl_options), {ok, SslOptsConfig0} = application:get_env(rabbit, ssl_options),
rabbit_ssl_options:fix(SslOptsConfig0). rabbit_ssl_options:fix(SslOptsConfig0).
-spec poodle_check(atom()) -> 'ok' | 'danger'.
poodle_check(Context) ->
{ok, Vsn} = application:get_key(ssl, vsn),
case rabbit_misc:version_compare(Vsn, "5.3", gte) of %% R16B01
true -> ok;
false -> case application:get_env(rabbit, ssl_allow_poodle_attack) of
{ok, true} -> ok;
_ -> log_poodle_fail(Context),
danger
end
end.
log_poodle_fail(Context) ->
rabbit_log:error(
"The installed version of Erlang (~ts) contains the bug OTP-10905,~n"
"which makes it impossible to disable SSLv3. This makes the system~n"
"vulnerable to the POODLE attack. SSL listeners for ~ts have therefore~n"
"been disabled.~n~n"
"You are advised to upgrade to a recent Erlang version; R16B01 is the~n"
"first version in which this bug is fixed, but later is usually~n"
"better.~n~n"
"If you cannot upgrade now and want to re-enable SSL listeners, you can~n"
"set the config item 'ssl_allow_poodle_attack' to 'true' in the~n"
"'rabbit' section of your configuration file.",
[rabbit_misc:otp_release(), Context]).
fix_ssl_options(Config) -> fix_ssl_options(Config) ->
rabbit_ssl_options:fix(Config). rabbit_ssl_options:fix(Config).

5
deps/rabbitmq_mqtt/src/rabbit_mqtt_sup.erl vendored
View File

@ -28,10 +28,7 @@ init([{Listeners, SslListeners0}]) ->
[] -> {none, 0, []}; [] -> {none, 0, []};
_ -> {rabbit_networking:ensure_ssl(), _ -> {rabbit_networking:ensure_ssl(),
application:get_env(?APP_NAME, num_ssl_acceptors, 10), application:get_env(?APP_NAME, num_ssl_acceptors, 10),
case rabbit_networking:poodle_check('MQTT') of SslListeners0}
ok -> SslListeners0;
danger -> []
end}
end, end,
%% Use separate process group scope per RabbitMQ node. This achieves a local-only %% Use separate process group scope per RabbitMQ node. This achieves a local-only
%% process group which requires less memory with millions of connections. %% process group which requires less memory with millions of connections.

5
deps/rabbitmq_stomp/src/rabbit_stomp_sup.erl vendored
View File

@ -26,10 +26,7 @@ init([{Listeners, SslListeners0}, Configuration]) ->
[] -> {none, 0, []}; [] -> {none, 0, []};
_ -> {rabbit_networking:ensure_ssl(), _ -> {rabbit_networking:ensure_ssl(),
application:get_env(rabbitmq_stomp, num_ssl_acceptors, 10), application:get_env(rabbitmq_stomp, num_ssl_acceptors, 10),
case rabbit_networking:poodle_check('STOMP') of SslListeners0}
ok -> SslListeners0;
danger -> []
end}
end, end,
Flags = #{ Flags = #{
strategy => one_for_all, strategy => one_for_all,

7
deps/rabbitmq_stream/src/rabbit_stream_sup.erl vendored
View File

@ -44,12 +44,7 @@ init([]) ->
_ -> _ ->
{rabbit_networking:ensure_ssl(), {rabbit_networking:ensure_ssl(),
application:get_env(rabbitmq_stream, num_ssl_acceptors, 10), application:get_env(rabbitmq_stream, num_ssl_acceptors, 10),
case rabbit_networking:poodle_check('STREAM') of SslListeners0}
ok ->
SslListeners0;
danger ->
[]
end}
end, end,
Nodes = rabbit_nodes:list_members(), Nodes = rabbit_nodes:list_members(),

5
deps/rabbitmq_web_dispatch/src/rabbit_web_dispatch_sup.erl vendored
View File

@ -71,13 +71,10 @@ init([]) ->
preprocess_config(Options) -> preprocess_config(Options) ->
case proplists:get_value(ssl, Options) of case proplists:get_value(ssl, Options) of
true -> _ = rabbit_networking:ensure_ssl(), true -> _ = rabbit_networking:ensure_ssl(),
case rabbit_networking:poodle_check('HTTP') of case proplists:get_value(ssl_opts, Options) of
ok -> case proplists:get_value(ssl_opts, Options) of
undefined -> auto_ssl(Options); undefined -> auto_ssl(Options);
_ -> fix_ssl(Options) _ -> fix_ssl(Options)
end; end;
danger -> {ranch_tcp, transport_config(Options), protocol_config(Options)}
end;
_ -> {ranch_tcp, transport_config(Options), protocol_config(Options)} _ -> {ranch_tcp, transport_config(Options), protocol_config(Options)}
end. end.