Merge bug26419

2 files changed, 50 insertions, 2 deletions

diff --git a/ebin/rabbit_app.in b/ebin/rabbit_app.in
index 888e4dba..9e5584a1 100644
--- a/ebin/rabbit_app.in
+++ b/ebin/rabbit_app.in
@@ -47,6 +47,7 @@
          {log_levels, [{connection, info}]},
          {ssl_cert_login_from, distinguished_name},
          {ssl_handshake_timeout, 5000},
+         {ssl_allow_poodle_attack, false},
          {handshake_timeout, 10000},
          {reverse_dns_lookups, false},
          {cluster_partition_handling, ignore},
diff --git a/src/rabbit_networking.erl b/src/rabbit_networking.erl
index 4e92bf39..e65fa1d0 100644
--- a/src/rabbit_networking.erl
+++ b/src/rabbit_networking.erl
@@ -26,7 +26,7 @@
 
 %%used by TCP-based transports, e.g. STOMP adapter
 -export([tcp_listener_addresses/1, tcp_listener_spec/6,
-         ensure_ssl/0, ssl_transform_fun/1]).
+         ensure_ssl/0, fix_ssl_options/1, poodle_check/1, ssl_transform_fun/1]).
 
 -export([tcp_listener_started/3, tcp_listener_stopped/3,
          start_client/1, start_ssl_client/2]).
@@ -34,11 +34,16 @@
 %% Internal
 -export([connections_local/0]).
 
+-import(rabbit_misc, [pget/2, pget/3, pset/3]).
+
 -include("rabbit.hrl").
 -include_lib("kernel/include/inet.hrl").
 
 -define(FIRST_TEST_BIND_PORT, 10000).
 
+%% POODLE
+-define(BAD_SSL_PROTOCOL_VERSIONS, [sslv3]).
+
 %%----------------------------------------------------------------------------
 
 -ifdef(use_specs).
@@ -86,6 +91,8 @@
         (name_prefix(), address(), [gen_tcp:listen_option()], protocol(),
          label(), rabbit_types:mfargs()) -> supervisor:child_spec()).
 -spec(ensure_ssl/0 :: () -> rabbit_types:infos()).
+-spec(fix_ssl_options/1 :: (rabbit_types:infos()) -> rabbit_types:infos()).
+-spec(poodle_check/1 :: (atom()) -> 'ok' | 'danger').
 -spec(ssl_transform_fun/1 ::
         (rabbit_types:infos())
         -> fun ((rabbit_net:socket())
@@ -134,7 +141,10 @@ boot_ssl() ->
             ok;
         {ok, SslListeners} ->
             SslOpts = ensure_ssl(),
-            [start_ssl_listener(Listener, SslOpts) || Listener <- SslListeners],
+            case poodle_check('AMQP') of
+                ok     -> [start_ssl_listener(L, SslOpts) || L <- SslListeners];
+                danger -> ok
+            end,
             ok
     end.
 
@@ -147,7 +157,37 @@ ensure_ssl() ->
     {ok, SslAppsConfig} = application:get_env(rabbit, ssl_apps),
     ok = app_utils:start_applications(SslAppsConfig),
     {ok, SslOptsConfig} = application:get_env(rabbit, ssl_options),
+    fix_ssl_options(SslOptsConfig).
+
+poodle_check(Context) ->
+    {ok, Vsn} = application:get_key(ssl, vsn),
+    case rabbit_misc:version_compare(Vsn, "5.3", gte) of %% R16B01
+        true  -> ok;
+        false -> case application:get_env(rabbit, ssl_allow_poodle_attack) of
+                     {ok, true}  -> ok;
+                     {ok, false} -> log_poodle_fail(Context),
+                                    danger
+                 end
+    end.
 
+log_poodle_fail(Context) ->
+    rabbit_log:error(
+      "The installed version of Erlang (~s) contains the bug OTP-10905,~n"
+      "which makes it impossible to disable SSLv3. This makes the system~n"
+      "vulnerable to the POODLE attack. SSL listeners for ~s have therefore~n"
+      "been disabled.~n~n"
+      "You are advised to upgrade to a recent Erlang version; R16B01 is the~n"
+      "first version in which this bug is fixed, but later is usually~n"
+      "better.~n~n"
+      "If you cannot upgrade now and want to re-enable SSL listeners, you can~n"
+      "set the config item 'ssl_allow_poodle_attack' to 'true' in the~n"
+      "'rabbit' section of your configuration file.~n",
+      [rabbit_misc:otp_release(), Context]).
+
+fix_ssl_options(Config) ->
+    fix_verify_fun(fix_ssl_protocol_versions(Config)).
+
+fix_verify_fun(SslOptsConfig) ->
     case rabbit_misc:pget(verify_fun, SslOptsConfig) of
         {Module, Function} ->
             rabbit_misc:pset(verify_fun,
@@ -166,6 +206,13 @@ ensure_ssl() ->
             end
     end.
 
+fix_ssl_protocol_versions(Config) ->
+    Configured = case pget(versions, Config) of
+                     undefined -> pget(available, ssl:versions(), []);
+                     Vs        -> Vs
+                 end,
+    pset(versions, Configured -- ?BAD_SSL_PROTOCOL_VERSIONS, Config).
+
 ssl_timeout() ->
     {ok, Val} = application:get_env(rabbit, ssl_handshake_timeout),
     Val.