[
https://issues.apache.org/jira/browse/THRIFT-3164?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
James E. King, III updated THRIFT-3164:
---------------------------------------
Description:
The TSSLSocketFactory allows for both SSLv3 and TLSv1 handshake. SSLv3 is
ancient and has a serious security flaw:
http://disablessl3.com/
Recommend changing the default/minimum in Thrift to TLSv1. Add a test to prove
SSLv3 client cannot connect by default, and that TLSv1_0, _1, and _2 can all
connect.
THRIFT-3165 takes the recommendation a step further and suggests the default
should be TLS v1.2 or later, and the third party using Thrift can decide if
they want to allow less-secure ciphers.
was:
The TSSLSocketFactory allows for both SSLv3 and TLSv1 handshake. SSLv3 is
ancient and has a serious security flaw:
http://disablessl3.com/
Recommend changing the default/minimum in Thrift to TLSv1. Add a test to prove
SSLv3 client cannot connect by default, and that TLSv1_0, _1, and _2 can all
connect.
> Thrift C++ library SSL socket by default allows for unsecure SSLv3 negotiation
> ------------------------------------------------------------------------------
>
> Key: THRIFT-3164
> URL: https://issues.apache.org/jira/browse/THRIFT-3164
> Project: Thrift
> Issue Type: Bug
> Components: C++ - Library
> Affects Versions: 0.8, 0.9, 0.9.1, 0.9.2
> Reporter: James E. King, III
> Priority: Critical
> Labels: SSL, SSLSocketFactory, Security
>
> The TSSLSocketFactory allows for both SSLv3 and TLSv1 handshake. SSLv3 is
> ancient and has a serious security flaw:
> http://disablessl3.com/
> Recommend changing the default/minimum in Thrift to TLSv1. Add a test to
> prove SSLv3 client cannot connect by default, and that TLSv1_0, _1, and _2
> can all connect.
> THRIFT-3165 takes the recommendation a step further and suggests the default
> should be TLS v1.2 or later, and the third party using Thrift can decide if
> they want to allow less-secure ciphers.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
