[
https://issues.apache.org/jira/browse/THRIFT-4084?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
James E. King, III updated THRIFT-4084:
---------------------------------------
Description:
Following code review discussions in THRIFT-3369, and seeing THRIFT-3165 in the
backlog, I want to add a make cross "language" which isn't a language at all,
but a test that checks to see if it is possible to negotiate at various SSL/TLS
protocol versions. This would be a client-only test, likely just a bash script
that leverages the openssl client and command line options to connect to a test
server and see if it handshakes and negotiates protocol successfully.
Without THRIFT-3165 implemented, it will ensure:
* Can handshake using the universal SSLv23 context, however cannot negotiate
SSLv3
* Can negotiate TLSv1.0, TLSv1.1, and TLSv1.2
With THRIFT-3165 it needs to change to ensure:
* Can handshake using TLSv1.2 but not any other version
The solution I came up with was to add a new client called "secure" to make
crosstest. test_secure is a simple bash script that checks the appropriate
rules above (the ones without THRIFT-3165, since it is not done), and I added
"secure" to the list of cross test "languages" in the top level configure
script.
After code review, it was moved into crossfeature and split into two parts -
one called "nosslv3" checks to make sure the server is not negotiating sslv3.
The other called "tls" checks ot make sure the server will negotiate at least
one of TLSv1.0, TLSv1.1 or TLSv1.2.
was:
Following code review discussions in THRIFT-3369, and seeing THRIFT-3165 in the
backlog, I want to add a make cross "language" which isn't a language at all,
but a test that checks to see if it is possible to negotiate at various SSL/TLS
protocol versions. This would be a client-only test, likely just a bash script
that leverages the openssl client and command line options to connect to a test
server and see if it handshakes and negotiates protocol successfully.
Without THRIFT-3165 implemented, it will ensure:
* Can handshake using the universal SSLv23 context, however cannot negotiate
SSLv3
* Can negotiate TLSv1.0, TLSv1.1, and TLSv1.2
With THRIFT-3165 it needs to change to ensure:
* Can handshake using TLSv1.2 but not any other version
The solution I came up with was to add a new client called "secure" to make
crosstest. test_secure is a simple bash script that checks the appropriate
rules above (the ones without THRIFT-3165, since it is not done), and I added
"secure" to the list of cross test "languages" in the top level configure
script.
> Improve SSL security in thrift by adding a make cross client that checks to
> make sure SSLv3 protocol cannot be negotiated
> -------------------------------------------------------------------------------------------------------------------------
>
> Key: THRIFT-4084
> URL: https://issues.apache.org/jira/browse/THRIFT-4084
> Project: Thrift
> Issue Type: Improvement
> Components: Test Suite
> Affects Versions: 0.10.0
> Environment: Ubuntu Dockerfile
> Reporter: James E. King, III
> Assignee: James E. King, III
> Labels: cross-validation, security, ssl, tls
> Fix For: 0.11.0
>
>
> Following code review discussions in THRIFT-3369, and seeing THRIFT-3165 in
> the backlog, I want to add a make cross "language" which isn't a language at
> all, but a test that checks to see if it is possible to negotiate at various
> SSL/TLS protocol versions. This would be a client-only test, likely just a
> bash script that leverages the openssl client and command line options to
> connect to a test server and see if it handshakes and negotiates protocol
> successfully.
> Without THRIFT-3165 implemented, it will ensure:
> * Can handshake using the universal SSLv23 context, however cannot negotiate
> SSLv3
> * Can negotiate TLSv1.0, TLSv1.1, and TLSv1.2
> With THRIFT-3165 it needs to change to ensure:
> * Can handshake using TLSv1.2 but not any other version
> The solution I came up with was to add a new client called "secure" to make
> crosstest. test_secure is a simple bash script that checks the appropriate
> rules above (the ones without THRIFT-3165, since it is not done), and I added
> "secure" to the list of cross test "languages" in the top level configure
> script.
> After code review, it was moved into crossfeature and split into two parts -
> one called "nosslv3" checks to make sure the server is not negotiating sslv3.
> The other called "tls" checks ot make sure the server will negotiate at
> least one of TLSv1.0, TLSv1.1 or TLSv1.2.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
