[
https://issues.apache.org/jira/browse/THRIFT-3164?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
James E. King, III updated THRIFT-3164:
---------------------------------------
Description:
The TSSLSocketFactory allows for both SSLv3 and TLSv1 handshake. SSLv3 is
ancient and has a serious security flaw:
http://disablessl3.com/
Currently the project uses the following default (in TSSLSocket.h):
{noformat}
  /**
   * Constructor/Destructor
   *
   * @param protocol The SSL/TLS protocol to use.
   */
  TSSLSocketFactory(const SSLProtocol& protocol = SSLTLS);
{noformat}
Also (same file):
{noformat}
  /**
   * Wrap OpenSSL SSL_CTX into a class.
   */
  class SSLContext {
  public:
    SSLContext(const SSLProtocol& protocol = SSLTLS);
{noformat}
This enumeration maps to:
{noformat}
enum SSLProtocol {
  SSLTLS = 0,   // Supports SSLv3 and TLSv1.
  // SSLv2 = 1, // HORRIBLY INSECURE!
  SSLv3 = 2,    // Supports SSLv3 only.
  TLSv1_0 = 3,  // Supports TLSv1_0 only.
  TLSv1_1 = 4,  // Supports TLSv1_1 only.
  TLSv1_2 = 5   // Supports TLSv1_2 only.
};
{noformat}
Recommend changing the default/minimum in Thrift to TLSv1. Add a test to prove
SSLv3 client cannot connect by default, and that TLSv1_0, _1, and _2 can all
connect.
THRIFT-3165 takes the recommendation a step further and suggests the default
should be TLS v1.2 or later, and the third party using Thrift can decide if
they want to allow less-secure ciphers.
was:
The TSSLSocketFactory allows for both SSLv3 and TLSv1 handshake. SSLv3 is
ancient and has a serious security flaw:
http://disablessl3.com/
Recommend changing the default/minimum in Thrift to TLSv1. Add a test to prove
SSLv3 client cannot connect by default, and that TLSv1_0, _1, and _2 can all
connect.
THRIFT-3165 takes the recommendation a step further and suggests the default
should be TLS v1.2 or later, and the third party using Thrift can decide if
they want to allow less-secure ciphers.
> Thrift C++ library SSL socket by default allows for unsecure SSLv3 negotiation
> ------------------------------------------------------------------------------
>
> Key: THRIFT-3164
> URL: https://issues.apache.org/jira/browse/THRIFT-3164
> Project: Thrift
> Issue Type: Bug
> Components: C++ - Library
> Affects Versions: 0.8, 0.9, 0.9.1, 0.9.2
> Reporter: James E. King, III
> Priority: Critical
> Labels: SSL, SSLSocketFactory, Security
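
An added example, not part of the issue or of Thrift's code: a small C++ model of version negotiation that reproduces the test matrix the description asks for. The enumerator values come from the quoted header; treating SSLTLS as "everything from a configurable floor up to TLS 1.2" and the names WireVersion, VersionRange, rangeFor, negotiate and defaultServerVs are assumptions made here, and no OpenSSL call is involved.

```cpp
#include <algorithm>
#include <cstdint>

// Enumeration values as quoted from TSSLSocket.h in the issue.
enum SSLProtocol { SSLTLS = 0, SSLv3 = 2, TLSv1_0 = 3, TLSv1_1 = 4, TLSv1_2 = 5 };

// Protocol versions as they appear on the wire (major.minor).
enum WireVersion : uint16_t { V_NONE = 0, V_SSL3 = 0x0300, V_TLS10 = 0x0301,
                              V_TLS11 = 0x0302, V_TLS12 = 0x0303 };

struct VersionRange { uint16_t lo, hi; };

// Assumption: SSLTLS is modelled as "anything from minVersion up to TLS 1.2";
// every other enumerator pins exactly one version.
VersionRange rangeFor(SSLProtocol p, WireVersion minVersion) {
  switch (p) {
    case SSLv3:   return {V_SSL3, V_SSL3};
    case TLSv1_0: return {V_TLS10, V_TLS10};
    case TLSv1_1: return {V_TLS11, V_TLS11};
    case TLSv1_2: return {V_TLS12, V_TLS12};
    default:      return {minVersion, V_TLS12};  // SSLTLS
  }
}

// Highest version both peers accept, or V_NONE if the handshake must fail.
WireVersion negotiate(VersionRange server, VersionRange client) {
  uint16_t lo = std::max(server.lo, client.lo);
  uint16_t hi = std::min(server.hi, client.hi);
  return lo <= hi ? static_cast<WireVersion>(hi) : V_NONE;
}

// Server built with the default argument (SSLTLS) under a given floor,
// client pinned to one protocol: the test matrix the issue asks for.
WireVersion defaultServerVs(SSLProtocol client, WireVersion serverFloor) {
  return negotiate(rangeFor(SSLTLS, serverFloor), rangeFor(client, V_SSL3));
}

int main() {
  // Current default (floor = SSLv3): an SSLv3-only client still connects.
  bool before = defaultServerVs(SSLv3, V_SSL3) == V_SSL3;
  // Proposed default (floor = TLSv1.0): SSLv3 is refused, TLS still works.
  bool after = defaultServerVs(SSLv3, V_TLS10) == V_NONE &&
               defaultServerVs(TLSv1_0, V_TLS10) == V_TLS10 &&
               defaultServerVs(TLSv1_1, V_TLS10) == V_TLS11 &&
               defaultServerVs(TLSv1_2, V_TLS10) == V_TLS12;
  return (before && after) ? 0 : 1;
}
```

Passing V_TLS12 as the floor models the stricter default suggested in THRIFT-3165, under which a TLSv1_0-only client is refused as well.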