[ 
https://issues.apache.org/jira/browse/AMBARI-20545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16334417#comment-16334417
 ] 

Robert Levas commented on AMBARI-20545:
---------------------------------------

[~lars_francke], though time is an issue... that is not _*the*_ issue here. It 
seems like, according to [~jonathan.hurley], we should keep support for TLS but 
remove SSL protocols.  Do we still think that this is ok? 

If, as a community, we think that permanently disabling the SSL* protocols is 
ok, then I will see if I can work on it.  However, AMBARI-18910 allows for such 
protocols to be disabled (or enabled) via Ambari's configuration (since Ambari 
2.4.2). For example:

{code}
security.server.disabled.protocols=SSL|SSLv2|SSLv3
{code}

However, by default it appears that this is not set in the 
{{ambari.properties}} file. 


> Remove the use of legacy SSL and TLS protocol versions
> ------------------------------------------------------
>
>                 Key: AMBARI-20545
>                 URL: https://issues.apache.org/jira/browse/AMBARI-20545
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server, security
>    Affects Versions: 2.4.2
>            Reporter: Andy LoPresto
>            Assignee: Robert Levas
>            Priority: Major
>              Labels: security, ssl, tls
>             Fix For: trunk
>
>
> I notice that the explicit enabling of various protocols still includes 
> SSLv2Hello and SSLv3, which are severely broken protocols with numerous known 
> vulnerabilities and not necessary for legacy compatibility. Even TLSv1 and 
> TLSv1.1 have been [discouraged since February 
> 2014|https://community.qualys.com/thread/12421], when all modern browsers 
> supported TLSv1.2. Is there any reason Ambari still needs to enable support 
> for these legacy protocols, and are there any other mitigating controls put 
> in place to prevent downgrade, brute force, padding oracle, and weak 
> parameter attacks against these protocols? Thanks. 
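
The comment above notes that {{security.server.disabled.protocols}} exists since Ambari 2.4.2 but is not set by default. The following is an added example (not Ambari code, and not written by any participant in this thread) showing how a defender could audit an {{ambari.properties}} file for that property: it parses the file, splits the pipe-separated value as in the comment's example, and reports which legacy protocols remain enabled. The minimal properties parser and the sample file contents are constructed for this example; the optional check for TLSv1/TLSv1.1 goes beyond the SSL* protocols the comment proposes disabling and reflects the reporter's remark that those versions are discouraged as well.

```python
"""Audit an ambari.properties-style file for the
security.server.disabled.protocols setting discussed in AMBARI-18910 / AMBARI-20545.

Added example: the parser is a simplified stand-in for Java's Properties loader,
and the sample file contents are constructed, not taken from a real installation.
"""
from typing import Dict, List, Set

# Property name from AMBARI-18910, as quoted in the comment above.
DISABLED_PROTOCOLS_KEY = "security.server.disabled.protocols"

# Protocol names as they appear in the thread: the SSL* names the comment
# proposes disabling, and the TLS versions the issue reporter calls discouraged.
LEGACY_SSL: Set[str] = {"SSL", "SSLv2", "SSLv3"}
LEGACY_TLS: Set[str] = {"TLSv1", "TLSv1.1"}

# Constructed sample files (assumptions, not real Ambari defaults).
DEFAULT_PROPERTIES = """\
# constructed sample: property not set, mirroring the comment's observation
server.jdbc.database=postgres
api.ssl=true
"""

HARDENED_PROPERTIES = """\
# constructed sample: SSL* protocols disabled as in the comment's example
api.ssl=true
security.server.disabled.protocols=SSL|SSLv2|SSLv3
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties parser: key=value or key:value lines, '#'/'!' comments.
    Sufficient for the flat Ambari server file; line continuations are not handled."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on whichever separator ('=' or ':') comes first.
        positions = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not positions:
            props[line] = ""
            continue
        sep = min(positions)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def disabled_protocols(props: Dict[str, str]) -> Set[str]:
    """The value is a '|'-separated list (see the comment's example).
    An absent property means nothing is disabled through this setting."""
    value = props.get(DISABLED_PROTOCOLS_KEY, "")
    return {p.strip() for p in value.split("|") if p.strip()}


def audit(text: str, require_tls_legacy: bool = False) -> List[str]:
    """Return, sorted, the legacy protocols the file does NOT disable.
    With require_tls_legacy=True, TLSv1 and TLSv1.1 are expected to be disabled too."""
    expected = set(LEGACY_SSL)
    if require_tls_legacy:
        expected |= LEGACY_TLS
    return sorted(expected - disabled_protocols(parse_properties(text)))


def hardened_value(require_tls_legacy: bool = False) -> str:
    """Build the property value that would satisfy audit() with the same flag."""
    names = set(LEGACY_SSL) | (LEGACY_TLS if require_tls_legacy else set())
    return "|".join(sorted(names))


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        still_enabled = audit(text, require_tls_legacy=True)
        print(f"{label}: legacy protocols still enabled -> {still_enabled or 'none'}")
    print(f"suggested value: {DISABLED_PROTOCOLS_KEY}={hardened_value(require_tls_legacy=True)}")
```

The audit treats a missing property as "nothing disabled", which is the situation the comment describes for a default install; whether TLSv1/TLSv1.1 should also be listed is the open question of this issue, so that check is behind a flag rather than assumed.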



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)