[
https://issues.apache.org/jira/browse/AMBARI-20545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16334421#comment-16334421
]
Jonathan Hurley commented on AMBARI-20545:
------------------------------------------
I am fine with disabling SSL by default, but I believe we still must keep the
lesser-secure TLS protocols.
> Remove the use of legacy SSL and TLS protocol versions
> ------------------------------------------------------
>
> Key: AMBARI-20545
> URL: https://issues.apache.org/jira/browse/AMBARI-20545
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server, security
> Affects Versions: 2.4.2
> Reporter: Andy LoPresto
> Assignee: Robert Levas
> Priority: Major
> Labels: security, ssl, tls
> Fix For: trunk
>
>
> I notice that the explicit enabling of various protocols still includes
> SSLv2Hello and SSLv3, which are severely broken protocols with numerous known
> vulnerabilities and not necessary for legacy compatibility. Even TLSv1 and
> TLSv1.1 have been [discouraged since February
> 2014|https://community.qualys.com/thread/12421], when all modern browsers
> supported TLSv1.2. Is there any reason Ambari still needs to enable support
> for these legacy protocols, and are there any other mitigating controls put
> in place to prevent downgrade, brute force, padding oracle, and weak
> parameter attacks against these protocols? Thanks.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
