[ 
https://issues.apache.org/jira/browse/THRIFT-3165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James E. King, III updated THRIFT-3165:
---------------------------------------
    Component/s: Smalltalk - Library
                 Ruby - Library
                 Python - Library
                 PHP - Library
                 Perl - Library
                 OCaml - Library
                 Node.js - Library
                 Lua - Library
                 JavaScript - Library
                 JavaME - Library
                 Java - Library
                 Haxe - Library
                 Haskell - Library
                 Go - Library
                 Erlang - Library
                 Delphi - Library
                 D - Library
                 Cocoa - Library
                 C++ - Library
                 C# - Library
                 C glib - Library
                 AS3 - Library

> Improve SSL Security in thrift by requiring TLS v1.2 by default
> ---------------------------------------------------------------
>
>                 Key: THRIFT-3165
>                 URL: https://issues.apache.org/jira/browse/THRIFT-3165
>             Project: Thrift
>          Issue Type: Improvement
>          Components: AS3 - Library, C glib - Library, C# - Library, C++ - 
> Library, Cocoa - Library, D - Library, Delphi - Library, Erlang - Library, Go 
> - Library, Haskell - Library, Haxe - Library, Java - Library, JavaME - 
> Library, JavaScript - Library, Lua - Library, Node.js - Library, OCaml - 
> Library, Perl - Library, PHP - Library, Python - Library, Ruby - Library, 
> Smalltalk - Library
>    Affects Versions: 0.9.2
>            Reporter: James E. King, III
>              Labels: SSL, SSLSocketFactory, Security, TLS
>
> Thrift provides an SSL implementation and as such we need to ensure that 
> thrift as a distribution is not the source of a security risk.  Currently 
> there is no uniformity across the library implementations to require a 
> certain level of security for SSL communications.
> It is therefore proposed that the Thrift project require all SSL 
> implementations shipping with the distribution to require TLS 1.2 or later as 
> the accepted ciphers for a server socket.  TLS 1.2 was defined in RFC 5246 in 
> August of 2008.
> By shipping thrift with anything less, the finger can potentially be pointed 
> back at thrift as a project for not providing the proper security.  By 
> setting the bar as high as possible on components in the package, the third 
> party using Thrift must make a conscious decision to add other ciphers that 
> are not as strong as TLS 1.2.  Since the third party is making this decision, 
> they are fully accepting the consequences of their action.
> Given this affects all SSL implementations, it could be done in one commit or 
> in multiple commits; if the work is to be split up then it should be done 
> with subtasks in Jira.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
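As an added illustration of the proposal above (this is editorial example code, not code from the Thrift project or from the issue reporter): the weak setting the issue argues against next to the TLS 1.2 floor it proposes, expressed with the Python standard library's ssl module. It assumes nothing about Thrift's own transport classes; wiring the resulting context into a Thrift server transport is deliberately left out, since that API differs between Thrift versions. The certfile/keyfile parameters are placeholders supplied by the caller.

```python
import ssl

# Added example (not Thrift's own code): server-side SSL contexts with and
# without the TLS 1.2 floor that THRIFT-3165 proposes as the default.


def make_server_context(certfile=None, keyfile=None):
    """Server context that refuses any protocol version below TLS 1.2.

    Peers offering only SSLv3 / TLS 1.0 / TLS 1.1 fail at the handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile is not None:
        # Certificate and key paths are caller-supplied placeholders.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def make_legacy_context():
    """The weak setting: accept whatever the linked OpenSSL build allows.

    On older builds that includes SSLv3, TLS 1.0 and TLS 1.1; it is shown
    here only as the 'before' picture, not as something to deploy.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def allows_pre_tls12(ctx):
    """True if the context would negotiate a version below TLS 1.2."""
    # TLSVersion is an IntEnum, so ordering comparisons are meaningful.
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def min_version_name(ctx):
    """Human-readable floor, e.g. 'TLSv1_2', for audit output and tests."""
    return ctx.minimum_version.name


def enforce_tls12(ctx):
    """Raise an existing context's floor to TLS 1.2 in place and return it.

    With the floor applied by default, anyone who wants older versions must
    lower it explicitly, which is the conscious opt-down the issue describes.
    """
    if allows_pre_tls12(ctx):
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("legacy", make_legacy_context()),
                       ("hardened", make_server_context())):
        print(f"{label:8s} floor={min_version_name(ctx):18s} "
              f"pre-TLS1.2 allowed={allows_pre_tls12(ctx)}")
```

Note that only the floor is raised; the ceiling stays at whatever the OpenSSL build supports, so TLS 1.3 remains negotiable where available. A deployment audit can call allows_pre_tls12 on every server context it creates and treat a True result as a misconfiguration.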