[ https://issues.apache.org/jira/browse/THRIFT-3165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James E. King III updated THRIFT-3165:
--------------------------------------
    Comment: was deleted

(was: Security moves along, and that made our title less than useful.  It was:

Improve SSL Security in thrift by requiring TLS v1.2 by default

However, really what we want to do is let the consumer control this.
In most languages we already disable SSLv2 and SSLv3.
Best practices now recommend only allowing TLSv1_3 or later; however, Thrift 
allows TLSv1_0 or later.

I modified the TSSLSocket code in C++ to eliminate SSLProtocol.  If someone 
wants to control the negotiation they need to subclass SSLContext and set the 
options themselves; otherwise we'll be forever updating TSSLSocket with 
protocol enhancements.)

> Disable unsafe TLSv1.0 and TLSv1.1 by default
> ---------------------------------------------
>
>                 Key: THRIFT-3165
>                 URL: https://issues.apache.org/jira/browse/THRIFT-3165
>             Project: Thrift
>          Issue Type: Improvement
>          Components: C++ - Library
>    Affects Versions: 0.9.2
>            Reporter: James E. King III
>            Assignee: James E. King III
>            Priority: Major
>              Labels: SSL, SSLSocketFactory, Security, TLS
>
> Thrift provides an SSL implementation and implements some best practices (for 
> example, SSLv2 and SSLv3 are disabled). The current mechanism in the C++ 
> library to control the protocol negotiation is unnecessarily complex.
> The current behavior is to use an enumeration to set the protocol level. The 
> methods these call are deprecated in OpenSSL 1.1 and do not provide the 
> desired control.
> The proposed new behavior is to:
>  * Remove SSLProtocol
>  * Require the consumer to subclass SSLContext and call SSL_CTX_set_options to 
> disable certain behaviors, like negotiation protocol levels.
> For example, the following SSLContext subclass will allow connections at 
> TLSv1.1 or later, whereas the default will only allow TLSv1.2 or later:
> {noformat}
> class CustomSSLContext : public SSLContext
> {
>   public:
>     CustomSSLContext() : SSLContext()
>     {
>         // SSLContext disables SSLv2, SSLv3, TLSv1_0, and TLSv1_1
>         SSL_CTX_clear_options(get(), SSL_OP_NO_TLSv1_1);
>     }
> };
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
