Remove POODLE check, we are in the future

2023-11-01 10:53:27 +01:00 · 2023-11-01 10:53:27 +01:00 · c577e04b73
parent 728dd57ffc
commit c577e04b73
5 changed files with 8 additions and 54 deletions
--- a/deps/rabbit/src/rabbit_networking.erl
+++ b/deps/rabbit/src/rabbit_networking.erl
@ -39,7 +39,7 @@
 %% Used by TCP-based transports, e.g. STOMP adapter
 -export([tcp_listener_addresses/1,
         tcp_listener_spec/9, tcp_listener_spec/10, tcp_listener_spec/11,
-         ensure_ssl/0, fix_ssl_options/1, poodle_check/1]).
+         ensure_ssl/0, fix_ssl_options/1]).

 -export([tcp_listener_started/4, tcp_listener_stopped/4]).

@ -127,12 +127,7 @@ boot_tls(NumAcceptors, ConcurrentConnsSupsCount) ->
            ok;
        {ok, SslListeners} ->
            SslOpts = ensure_ssl(),
-            case poodle_check('AMQP') of
-                ok     -> _ = [start_ssl_listener(L, SslOpts, NumAcceptors, ConcurrentConnsSupsCount)
-                           || L <- SslListeners],
-                          ok;
-                danger -> ok
-            end,
+            [start_ssl_listener(L, SslOpts, NumAcceptors, ConcurrentConnsSupsCount) || L <- SslListeners],
            ok
    end.

@ -144,33 +139,6 @@ ensure_ssl() ->
    {ok, SslOptsConfig0} = application:get_env(rabbit, ssl_options),
    rabbit_ssl_options:fix(SslOptsConfig0).

-spec poodle_check(atom()) -> 'ok' | 'danger'.
-
-poodle_check(Context) ->
-    {ok, Vsn} = application:get_key(ssl, vsn),
-    case rabbit_misc:version_compare(Vsn, "5.3", gte) of %% R16B01
-        true  -> ok;
-        false -> case application:get_env(rabbit, ssl_allow_poodle_attack) of
-                     {ok, true}  -> ok;
-                     _           -> log_poodle_fail(Context),
-                                    danger
-                 end
-    end.
-
-log_poodle_fail(Context) ->
-    rabbit_log:error(
-      "The installed version of Erlang (~ts) contains the bug OTP-10905,~n"
-      "which makes it impossible to disable SSLv3. This makes the system~n"
-      "vulnerable to the POODLE attack. SSL listeners for ~ts have therefore~n"
-      "been disabled.~n~n"
-      "You are advised to upgrade to a recent Erlang version; R16B01 is the~n"
-      "first version in which this bug is fixed, but later is usually~n"
-      "better.~n~n"
-      "If you cannot upgrade now and want to re-enable SSL listeners, you can~n"
-      "set the config item 'ssl_allow_poodle_attack' to 'true' in the~n"
-      "'rabbit' section of your configuration file.",
-      [rabbit_misc:otp_release(), Context]).
-
 fix_ssl_options(Config) ->
    rabbit_ssl_options:fix(Config).

--- a/deps/rabbitmq_mqtt/src/rabbit_mqtt_sup.erl
+++ b/deps/rabbitmq_mqtt/src/rabbit_mqtt_sup.erl
@ -28,10 +28,7 @@ init([{Listeners, SslListeners0}]) ->
              [] -> {none, 0, []};
              _  -> {rabbit_networking:ensure_ssl(),
                     application:get_env(?APP_NAME, num_ssl_acceptors, 10),
-                     case rabbit_networking:poodle_check('MQTT') of
-                         ok     -> SslListeners0;
-                         danger -> []
-                     end}
+                     SslListeners0}
          end,
    %% Use separate process group scope per RabbitMQ node. This achieves a local-only
    %% process group which requires less memory with millions of connections.
--- a/deps/rabbitmq_stomp/src/rabbit_stomp_sup.erl
+++ b/deps/rabbitmq_stomp/src/rabbit_stomp_sup.erl
@ -26,10 +26,7 @@ init([{Listeners, SslListeners0}, Configuration]) ->
              [] -> {none, 0, []};
              _  -> {rabbit_networking:ensure_ssl(),
                     application:get_env(rabbitmq_stomp, num_ssl_acceptors, 10),
-                     case rabbit_networking:poodle_check('STOMP') of
-                         ok     -> SslListeners0;
-                         danger -> []
-                     end}
+                     SslListeners0}
          end,
    Flags = #{
        strategy => one_for_all,
--- a/deps/rabbitmq_stream/src/rabbit_stream_sup.erl
+++ b/deps/rabbitmq_stream/src/rabbit_stream_sup.erl
@ -44,12 +44,7 @@ init([]) ->
            _ ->
                {rabbit_networking:ensure_ssl(),
                 application:get_env(rabbitmq_stream, num_ssl_acceptors, 10),
-                 case rabbit_networking:poodle_check('STREAM') of
-                     ok ->
-                         SslListeners0;
-                     danger ->
-                         []
-                 end}
+                 SslListeners0}
        end,

    Nodes = rabbit_nodes:list_members(),
--- a/deps/rabbitmq_web_dispatch/src/rabbit_web_dispatch_sup.erl
+++ b/deps/rabbitmq_web_dispatch/src/rabbit_web_dispatch_sup.erl
@ -71,12 +71,9 @@ init([]) ->
 preprocess_config(Options) ->
    case proplists:get_value(ssl, Options) of
        true -> _ = rabbit_networking:ensure_ssl(),
-                case rabbit_networking:poodle_check('HTTP') of
-                    ok     -> case proplists:get_value(ssl_opts, Options) of
-                                  undefined -> auto_ssl(Options);
-                                  _         -> fix_ssl(Options)
-                              end;
-                    danger -> {ranch_tcp, transport_config(Options), protocol_config(Options)}
+                case proplists:get_value(ssl_opts, Options) of
+                    undefined -> auto_ssl(Options);
+                    _         -> fix_ssl(Options)
                end;
        _    -> {ranch_tcp, transport_config(Options), protocol_config(Options)}
    end.