[
https://issues.apache.org/jira/browse/AMBARI-20545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15989930#comment-15989930
]
Lars Francke commented on AMBARI-20545:
---------------------------------------
Do you have an overview with details so we can find the lowest common supported
TLS version?
It should definitely not stop us from disabling SSL v3 by default, I don't know
enough about SSLv2Hello. Hopefully we can also drop TLSv1.0.
> Remove the use of legacy SSL and TLS protocol versions
> ------------------------------------------------------
>
> Key: AMBARI-20545
> URL: https://issues.apache.org/jira/browse/AMBARI-20545
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server, security
> Affects Versions: 2.4.2
> Reporter: Andy LoPresto
> Assignee: Robert Levas
> Labels: security, ssl, tls
> Fix For: 2.5.1
>
>
> I notice that the explicit enabling of various protocols still includes
> SSLv2Hello and SSLv3, which are severely broken protocols with numerous known
> vulnerabilities and not necessary for legacy compatibility. Even TLSv1 and
> TLSv1.1 have been [discouraged since February
> 2014|https://community.qualys.com/thread/12421], when all modern browsers
> supported TLSv1.2. Is there any reason Ambari still needs to enable support
> for these legacy protocols, and are there any other mitigating controls put
> in place to prevent downgrade, brute force, padding oracle, and weak
> parameter attacks against these protocols? Thanks.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
