[
https://issues.apache.org/jira/browse/THRIFT-4084?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
James E. King, III updated THRIFT-4084:
---------------------------------------
Description:
Following code review discussions in THRIFT-3369, and seeing THRIFT-3165 in the
backlog, I want to add a make cross "language" which isn't a language at all,
but a test that checks to see if it is possible to negotiate at various SSL/TLS
protocol versions. This would be a client-only test, likely just a bash script
that leverages the openssl client and command line options to connect to a test
server and see if it handshakes and negotiates protocol successfully.
Without THRIFT-3165 implemented, it will ensure:
* Can handshake using the universal SSLv23 context.
** however cannot negotiate SSLv2 or SSLv3
* Can negotiate TLSv1.0 or later
With THRIFT-3165 it needs to change to ensure:
* Can handshake using TLSv1.2
* Cannot handshake or negotiate with any other version.
was:
Following code review discussions in THRIFT-3369, and seeing THRIFT-3165 in the
backlog, I want to add a make cross "language" which isn't a language at all,
but a test that checks to see if it is possible to negotiate at various SSL/TLS
protocol versions. This would be a client-only test, likely just a bash script
that leverages the openssl client and command line options to connect to a test
server and see if it handshakes and negotiates protocol successfully.
Without THRIFT-3165 implemented, it will ensure:
* Can handshake using the universal SSLv23 context.
** however cannot negotiate SSLv2 or SSLv3
* Can negotiate TLSv1.0 or later
> Improve SSL security in thrift by adding a make cross client that checks to
> make sure SSLv2 and SSLv3 protocols cannot be negotiated
> ------------------------------------------------------------------------------------------------------------------------------------
>
> Key: THRIFT-4084
> URL: https://issues.apache.org/jira/browse/THRIFT-4084
> Project: Thrift
> Issue Type: Improvement
> Components: Test Suite
> Affects Versions: 0.10.0
> Environment: Ubuntu Dockerfile
> Reporter: James E. King, III
> Assignee: James E. King, III
> Labels: cross-validation, security, ssl, tls
>
> Following code review discussions in THRIFT-3369, and seeing THRIFT-3165 in
> the backlog, I want to add a make cross "language" which isn't a language at
> all, but a test that checks to see if it is possible to negotiate at various
> SSL/TLS protocol versions. This would be a client-only test, likely just a
> bash script that leverages the openssl client and command line options to
> connect to a test server and see if it handshakes and negotiates protocol
> successfully.
> Without THRIFT-3165 implemented, it will ensure:
> * Can handshake using the universal SSLv23 context.
> ** however cannot negotiate SSLv2 or SSLv3
> * Can negotiate TLSv1.0 or later
> With THRIFT-3165 it needs to change to ensure:
> * Can handshake using TLSv1.2
> * Cannot handshake or negotiate with any other version.
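The client-only check the description proposes could look like the sketch below; this is an added example, not part of the original message or of Thrift's test suite. The function names, the `legacy`/`strict` policy names, the probed version list and the rule that output without a `Cipher is` line counts as a refusal are all assumptions.

```shell
#!/bin/sh
# Added example, not Thrift's own test. Usage: sh tlscheck.sh HOST PORT [legacy|strict]
# Policy names are assumptions: legacy = the "without THRIFT-3165" list,
# strict = the "with THRIFT-3165" list in the description.

# Expected result for one probe under a policy. "auto" is openssl's default
# version-flexible client (the SSLv23 context); other names are s_client flags.
expected() {  # $1 = policy, $2 = probe
  case "$1:$2" in
    legacy:auto|legacy:tls1|legacy:tls1_1|legacy:tls1_2) echo accept ;;
    legacy:ssl3) echo refuse ;;
    strict:tls1_2) echo accept ;;
    strict:ssl3|strict:tls1|strict:tls1_1) echo refuse ;;
    *) return 1 ;;  # the description states no expectation for this pair
  esac
}

# Read s_client output on stdin. A completed handshake prints
# "New, <proto>, Cipher is <suite>"; a failed one prints "Cipher is (NONE)".
# No such line at all (connection error, flag not compiled in) counts as refuse.
classify() {
  if grep 'Cipher is ' | grep -qv '(NONE)'; then echo accept; else echo refuse; fi
}

probe() {  # $1 = host, $2 = port, $3 = probe
  flag="-$3"
  if [ "$3" = auto ]; then flag=""; fi
  # $flag is left unquoted so an empty value adds no argument.
  openssl s_client -connect "$1:$2" $flag </dev/null 2>&1 | classify
}

run_checks() {  # $1 = host, $2 = port, $3 = policy; status 0 only if all match
  expected "$3" tls1_2 >/dev/null || { echo "unknown policy: $3" >&2; return 2; }
  failures=0
  for p in auto ssl3 tls1 tls1_1 tls1_2; do
    want=$(expected "$3" "$p") || continue
    got=$(probe "$1" "$2" "$p")
    if [ "$got" = "$want" ]; then
      echo "ok   $p: $got"
    else
      echo "FAIL $p: got $got, want $want"
      failures=$((failures + 1))
    fi
  done
  [ "$failures" -eq 0 ]
}

# Run only when a target is given, so the file can also be sourced.
if [ "$#" -ge 2 ]; then run_checks "$1" "$2" "${3:-legacy}"; fi
```

A `refuse` for `ssl3` from an openssl build compiled without SSLv3 only shows that the client could not offer it, so the check is meaningful only with a client that still supports the flag.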