[
https://issues.apache.org/jira/browse/QPID-6490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16141794#comment-16141794
]
Walter Rowe commented on QPID-6490:
-----------------------------------
It appears that src/qpid/sys/ssl/util.cpp defines what options and what SSL
protocols / ciphers are accepted.
https://github.com/apache/qpid-cpp/blob/f91a23c59e18fcdc1560687e14813346468fec3d/src/qpid/sys/ssl/util.cpp
See lines 111+.
// disable SSLv2 and SSLv3 versions of the protocol - they are no longer
considered secure
We need config file options to specify protocols and ciphers like apache
provides.
> Configure SSL ciphers
> ---------------------
>
> Key: QPID-6490
> URL: https://issues.apache.org/jira/browse/QPID-6490
> Project: Qpid
> Issue Type: Bug
> Components: C++ Broker
> Affects Versions: 0.30
> Environment: Linux
> Reporter: Brant Knudson
> Labels: security
>
> qpid-cpp must allow an admin to set the SSL ciphers / protocols that they
> want the server to allow. The default should be ciphers / protocols that
> don't have known security vulnerabilities like SSLv3 (POODLE) and RC4 ciphers
> (Bar Mitzvah)
> With CVE-2015-2808 (a.k.a. Bar Mitzvah affecting RC4 ciphers) and other
> recent vulnerabilities found in different ciphers / protocols, we need to be
> able to disable ciphers / protocols easily.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
