Andy LoPresto created AMBARI-20545:
--------------------------------------

             Summary: Remove the use of legacy SSL and TLS protocol versions
                 Key: AMBARI-20545
                 URL: https://issues.apache.org/jira/browse/AMBARI-20545
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server, security
    Affects Versions: 2.4.2
            Reporter: Andy LoPresto


I notice that the explicit enabling of various protocols still includes 
SSLv2Hello and SSLv3, which are severely broken protocols with numerous known 
vulnerabilities and not necessary for legacy compatibility. Even TLSv1 and 
TLSv1.1 have been [discouraged since February 
2014|https://community.qualys.com/thread/12421], when all modern browsers 
supported TLSv1.2. Is there any reason Ambari still needs to enable support for 
these legacy protocols, and are there any other mitigating controls put in 
place to prevent downgrade, brute force, padding oracle, and weak parameter 
attacks against these protocols? Thanks. 
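A defender-side check for the concern raised in this report, added here as an example that is not Ambari's own code: it parses a JSSE-style comma-separated list of enabled protocol names, flags the legacy entries (SSLv2Hello, SSLv3, TLSv1, TLSv1.1), produces the hardened list, and shows the equivalent restriction on a Python `ssl.SSLContext`. The property name `ssl.enabled.protocols` and the sample value are constructed placeholders, not Ambari's real configuration key or value.

```python
"""Audit a JSSE-style enabled-protocols list and build a TLS 1.2+ context.

The config key and sample value below are constructed for illustration;
they are not Ambari's real property name or value.
"""
import ssl

# JSSE protocol names that a server should no longer enable.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Protocol names that are acceptable to keep enabled.
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Constructed sample: the shape of a comma-separated "enabled protocols" value.
SAMPLE_CONFIG = {"ssl.enabled.protocols": "SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2"}


def audit_enabled_protocols(value: str) -> dict:
    """Classify each configured protocol name as legacy, modern or unknown."""
    names = [p.strip() for p in value.split(",") if p.strip()]
    legacy = [p for p in names if p in LEGACY_PROTOCOLS]
    modern = [p for p in names if p in MODERN_PROTOCOLS]
    unknown = [p for p in names if p not in LEGACY_PROTOCOLS | MODERN_PROTOCOLS]
    return {"legacy": legacy, "modern": modern, "unknown": unknown}


def hardened_value(value: str) -> str:
    """Return the same list with every legacy protocol removed.

    If nothing modern is left, fall back to TLSv1.2 so the service still
    starts instead of ending up with an empty protocol list.
    """
    modern = audit_enabled_protocols(value)["modern"]
    return ",".join(modern) if modern else "TLSv1.2"


def hardened_context() -> ssl.SSLContext:
    """Python-side equivalent: a server context that refuses anything below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_accepts_legacy(ctx: ssl.SSLContext) -> bool:
    """True if the context would still negotiate TLS 1.1 or older."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    configured = SAMPLE_CONFIG["ssl.enabled.protocols"]
    report = audit_enabled_protocols(configured)
    print("legacy protocols enabled:", report["legacy"])
    print("hardened value:", hardened_value(configured))
    print("hardened context accepts legacy:", context_accepts_legacy(hardened_context()))
```

Run the audit against the deployed value during a configuration review; any non-empty `legacy` list is a finding, and the `hardened_value` output is the replacement to apply. The `SSLContext` check is the same policy expressed for a Python service, where `minimum_version` rather than an explicit allow-list is the idiomatic control.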

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)