[jira] [Commented] (THRIFT-3164) Thrift C++ library SSL socket by default allows for unsecure SSLv3 negotiation

[Hudson (JIRA)]

    [ 
https://issues.apache.org/jira/browse/THRIFT-3164?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14648270#comment-14648270
 ] 

Hudson commented on THRIFT-3164:
--------------------------------

SUCCESS: Integrated in Thrift #1633 (See 
[https://builds.apache.org/job/Thrift/1633/])
THRIFT-3164: disable insecure SSLv3 protocol in cpp lib unless SSLv3 is 
specifically asked for to make the defaults more secure; added a matrix 
security unit test for SSL in the cpp lib (roger: rev 
b0b710a426fedb48ff5d0643ba64e339ee7efa31)
* configure.ac
* lib/cpp/test/SecurityTest.cpp
* lib/cpp/test/Makefile.am
* lib/cpp/src/thrift/transport/TSSLSocket.cpp
* lib/cpp/test/CMakeLists.txt
* .gitignore
* lib/cpp/src/thrift/transport/TSSLSocket.h


> Thrift C++ library SSL socket by default allows for unsecure SSLv3 negotiation
> ------------------------------------------------------------------------------
>
>                 Key: THRIFT-3164
>                 URL: https://issues.apache.org/jira/browse/THRIFT-3164
>             Project: Thrift
>          Issue Type: Bug
>          Components: C++ - Library
>    Affects Versions: 0.8, 0.9, 0.9.1, 0.9.2
>            Reporter: James E. King, III
>            Assignee: James E. King, III
>            Priority: Critical
>              Labels: SSL, SSLSocketFactory, Security
>             Fix For: 0.9.3
>
>
> The TSSLSocketFactory allows for both SSLv3 and TLSv1 handshake.  SSLv3 is 
> ancient and has a serious security flaw:
> http://disablessl3.com/
> Currently the project uses the following default (in TSSLSocket.h):
> {noformat}
>   /**
>    * Constructor/Destructor
>    *
>    * @param protocol The SSL/TLS protocol to use.
>    */
>   TSSLSocketFactory(const SSLProtocol& protocol = SSLTLS);
> {noformat}
> also (same file:
> {noformat}
> /**
>  * Wrap OpenSSL SSL_CTX into a class.
>  */
> class SSLContext {
> public:
>   SSLContext(const SSLProtocol& protocol = SSLTLS);
> {noformat}
> This enumeration maps to:
> {noformat}
> enum SSLProtocol {
>   SSLTLS = 0, // Supports SSLv3 and TLSv1.
>   // SSLv2            = 1,    // HORRIBLY INSECURE!
>   SSLv3 = 2,   // Supports SSLv3 only.
>   TLSv1_0 = 3, // Supports TLSv1_0 only.
>   TLSv1_1 = 4, // Supports TLSv1_1 only.
>   TLSv1_2 = 5  // Supports TLSv1_2 only.
> };
> {noformat}
> Recommend changing the default/minimum in Thrift to TLSv1.  Add a test to 
> prove SSLv3 client cannot connect by default, and that TLSv1_0, _1, and _2 
> can all connect.
> THRIFT-3165 takes the recommendation a step further and suggests the default 
> should be TLS v1.2 or later, and the third party using Thrift can decide if 
> they want to allow less-secure ciphers.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)