[jira] [Created] (THRIFT-3164) Thrift C++ library SSL socket by default allows for unsecure SSLv3 negotiation

James E. King, III (JIRA) Mon, 18 May 2015 21:36:19 -0700

James E. King, III created THRIFT-3164:
------------------------------------------


             Summary: Thrift C++ library SSL socket by default allows for 
unsecure SSLv3 negotiation
                 Key: THRIFT-3164
                 URL: https://issues.apache.org/jira/browse/THRIFT-3164
             Project: Thrift
          Issue Type: Bug
          Components: C++ - Library
    Affects Versions: 0.9.2, 0.9.1, 0.9, 0.8
            Reporter: James E. King, III
            Priority: Critical


The TSSLSocketFactory allows for both SSLv3 and TLSv1 handshake.  SSLv3 is 
ancient and has a serious security flaw:
http://disablessl3.com/

Recommend changing the default/minimum in Thrift to TLSv1.  Add a test to prove 
SSLv3 client cannot connect by default, and that TLSv1_0, _1, and _2 can all 
connect.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Created] (THRIFT-3164) Thrift C++ library SSL socket by default allows for unsecure SSLv3 negotiation

Reply via email to