Merge pull request #9843 from rabbitmq/ik-remove-poodle-check

michaelklishin · web-flow · commit eef94c7ddef7 · 2023-11-01T09:36:48.000-04:00
Remove POODLE check
diff --git a/deps/rabbit/src/rabbit_networking.erl b/deps/rabbit/src/rabbit_networking.erl
@@ -39,7 +39,7 @@
 %% Used by TCP-based transports, e.g. STOMP adapter
 -export([tcp_listener_addresses/1,
          tcp_listener_spec/9, tcp_listener_spec/10, tcp_listener_spec/11,
-         ensure_ssl/0, fix_ssl_options/1, poodle_check/1]).
+         ensure_ssl/0, fix_ssl_options/1]).
 
 -export([tcp_listener_started/4, tcp_listener_stopped/4]).
 
@@ -127,12 +127,7 @@ boot_tls(NumAcceptors, ConcurrentConnsSupsCount) ->
             ok;
         {ok, SslListeners} ->
             SslOpts = ensure_ssl(),
-            case poodle_check('AMQP') of
-                ok     -> _ = [start_ssl_listener(L, SslOpts, NumAcceptors, ConcurrentConnsSupsCount)
-                           || L <- SslListeners],
-                          ok;
-                danger -> ok
-            end,
+            _ = [start_ssl_listener(L, SslOpts, NumAcceptors, ConcurrentConnsSupsCount) || L <- SslListeners],
             ok
     end.
 
@@ -144,33 +139,6 @@ ensure_ssl() ->
     {ok, SslOptsConfig0} = application:get_env(rabbit, ssl_options),
     rabbit_ssl_options:fix(SslOptsConfig0).
 
--spec poodle_check(atom()) -> 'ok' | 'danger'.
-
-poodle_check(Context) ->
-    {ok, Vsn} = application:get_key(ssl, vsn),
-    case rabbit_misc:version_compare(Vsn, "5.3", gte) of %% R16B01
-        true  -> ok;
-        false -> case application:get_env(rabbit, ssl_allow_poodle_attack) of
-                     {ok, true}  -> ok;
-                     _           -> log_poodle_fail(Context),
-                                    danger
-                 end
-    end.
-
-log_poodle_fail(Context) ->
-    rabbit_log:error(
-      "The installed version of Erlang (~ts) contains the bug OTP-10905,~n"
-      "which makes it impossible to disable SSLv3. This makes the system~n"
-      "vulnerable to the POODLE attack. SSL listeners for ~ts have therefore~n"
-      "been disabled.~n~n"
-      "You are advised to upgrade to a recent Erlang version; R16B01 is the~n"
-      "first version in which this bug is fixed, but later is usually~n"
-      "better.~n~n"
-      "If you cannot upgrade now and want to re-enable SSL listeners, you can~n"
-      "set the config item 'ssl_allow_poodle_attack' to 'true' in the~n"
-      "'rabbit' section of your configuration file.",
-      [rabbit_misc:otp_release(), Context]).
-
 fix_ssl_options(Config) ->
     rabbit_ssl_options:fix(Config).
 
diff --git a/deps/rabbit_common/src/rabbit_misc.erl b/deps/rabbit_common/src/rabbit_misc.erl
@@ -1180,12 +1180,9 @@ get_proc_name() ->
             {ok, Name}
     end.
 
-%% application:get_env/3 is only available in R16B01 or later.
+%% application:get_env/3 is available in R16B01 or later.
 get_env(Application, Key, Def) ->
-    case application:get_env(Application, Key) of
-        {ok, Val} -> Val;
-        undefined -> Def
-    end.
+    application:get_env(Application, Key, Def).
 
 get_channel_operation_timeout() ->
     %% Default channel_operation_timeout set to net_ticktime + 10s to
diff --git a/deps/rabbitmq_mqtt/src/rabbit_mqtt_sup.erl b/deps/rabbitmq_mqtt/src/rabbit_mqtt_sup.erl
@@ -28,10 +28,7 @@ init([{Listeners, SslListeners0}]) ->
               [] -> {none, 0, []};
               _  -> {rabbit_networking:ensure_ssl(),
                      application:get_env(?APP_NAME, num_ssl_acceptors, 10),
-                     case rabbit_networking:poodle_check('MQTT') of
-                         ok     -> SslListeners0;
-                         danger -> []
-                     end}
+                     SslListeners0}
           end,
     %% Use separate process group scope per RabbitMQ node. This achieves a local-only
     %% process group which requires less memory with millions of connections.
diff --git a/deps/rabbitmq_stomp/src/rabbit_stomp_sup.erl b/deps/rabbitmq_stomp/src/rabbit_stomp_sup.erl
@@ -26,10 +26,7 @@ init([{Listeners, SslListeners0}, Configuration]) ->
               [] -> {none, 0, []};
               _  -> {rabbit_networking:ensure_ssl(),
                      application:get_env(rabbitmq_stomp, num_ssl_acceptors, 10),
-                     case rabbit_networking:poodle_check('STOMP') of
-                         ok     -> SslListeners0;
-                         danger -> []
-                     end}
+                     SslListeners0}
           end,
     Flags = #{
         strategy => one_for_all,
diff --git a/deps/rabbitmq_stream/src/rabbit_stream_sup.erl b/deps/rabbitmq_stream/src/rabbit_stream_sup.erl
@@ -44,12 +44,7 @@ init([]) ->
             _ ->
                 {rabbit_networking:ensure_ssl(),
                  application:get_env(rabbitmq_stream, num_ssl_acceptors, 10),
-                 case rabbit_networking:poodle_check('STREAM') of
-                     ok ->
-                         SslListeners0;
-                     danger ->
-                         []
-                 end}
+                 SslListeners0}
         end,
 
     Nodes = rabbit_nodes:list_members(),
diff --git a/deps/rabbitmq_web_dispatch/src/rabbit_web_dispatch_sup.erl b/deps/rabbitmq_web_dispatch/src/rabbit_web_dispatch_sup.erl
@@ -71,12 +71,9 @@ init([]) ->
 preprocess_config(Options) ->
     case proplists:get_value(ssl, Options) of
         true -> _ = rabbit_networking:ensure_ssl(),
-                case rabbit_networking:poodle_check('HTTP') of
-                    ok     -> case proplists:get_value(ssl_opts, Options) of
-                                  undefined -> auto_ssl(Options);
-                                  _         -> fix_ssl(Options)
-                              end;
-                    danger -> {ranch_tcp, transport_config(Options), protocol_config(Options)}
+                case proplists:get_value(ssl_opts, Options) of
+                    undefined -> auto_ssl(Options);
+                    _         -> fix_ssl(Options)
                 end;
         _    -> {ranch_tcp, transport_config(Options), protocol_config(Options)}
     end.
