[https://issues.apache.org/jira/browse/AMBARI-20545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16335122#comment-16335122]
Lars Francke commented on AMBARI-20545:
---------------------------------------
Thanks for working on this!

What about TLS 1.0? Jonathan mentioned that TLS 1.1 is the lowest supported
one. The PCI DSS Guidelines, for example, have deprecated TLS 1.0 as well
[https://de.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss].

Again: this is something that can be changed by the user if needed, but I'd
rather have secure defaults.
> Remove the use of legacy SSL and TLS protocol versions
> ------------------------------------------------------
>
> Key: AMBARI-20545
> URL: https://issues.apache.org/jira/browse/AMBARI-20545
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server, security
> Affects Versions: 2.4.2
> Reporter: Andy LoPresto
> Assignee: Robert Levas
> Priority: Major
> Labels: security, ssl, tls
> Fix For: trunk
>
>
> I notice that the explicit enabling of various protocols still includes
> SSLv2Hello and SSLv3, which are severely broken protocols with numerous known
> vulnerabilities and not necessary for legacy compatibility. Even TLSv1 and
> TLSv1.1 have been [discouraged since February
> 2014|https://community.qualys.com/thread/12421], when all modern browsers
> supported TLSv1.2. Is there any reason Ambari still needs to enable support
> for these legacy protocols, and are there any other mitigating controls put
> in place to prevent downgrade, brute force, padding oracle, and weak
> parameter attacks against these protocols? Thanks.
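The secure-default policy argued for in this thread (no SSLv2Hello, SSLv3, TLSv1 or TLSv1.1; only TLS 1.2 and newer enabled) can be checked mechanically. The following is an added illustration, not Ambari's own code: it audits an explicitly configured protocol list written in the JSSE protocol names the issue refers to, and builds a server-side TLS context whose version floor is TLS 1.2, using Python's standard `ssl` module as a stand-in for the Java configuration. The sample setting string, the function names and the comma-separated format are constructed for this example.

```python
import ssl

# JSSE protocol names (the naming the issue uses). Which of these count as
# "legacy" is the policy this thread argues for: everything below TLS 1.2.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
SECURE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Constructed sample of an explicit "enabled protocols" setting that still
# lists the legacy versions; the comma-separated format is an assumption.
SAMPLE_SETTING = "SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2"


def parse_protocol_setting(value):
    """Split a comma-separated protocol list, dropping blanks."""
    return [p.strip() for p in value.split(",") if p.strip()]


def audit_enabled_protocols(enabled):
    """Return (allowed, rejected) for an explicitly enabled protocol list.

    Anything not in SECURE_PROTOCOLS is rejected, including unknown names,
    so a typo cannot silently widen the policy. Order is preserved so the
    report maps back to the configuration as written.
    """
    allowed = [p for p in enabled if p in SECURE_PROTOCOLS]
    rejected = [p for p in enabled if p not in SECURE_PROTOCOLS]
    return allowed, rejected


def secure_server_context(certfile=None, keyfile=None):
    """Build a server context whose version floor is TLS 1.2.

    Setting minimum_version refuses SSLv3/TLS 1.0/TLS 1.1 clients at the
    handshake, which is the "secure default" rather than relying on each
    deployment to disable them. Certificate loading is optional here so the
    function can be exercised without key material.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Disable TLS-level compression as well (CRIME-style information leaks).
    ctx.options |= ssl.OP_NO_COMPRESSION
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def report(setting):
    """Human-readable summary of an audit, for use from a deploy check."""
    allowed, rejected = audit_enabled_protocols(parse_protocol_setting(setting))
    lines = [f"enabled: {', '.join(allowed) or '(none)'}"]
    if rejected:
        lines.append(f"REJECT legacy/unknown: {', '.join(rejected)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SETTING))
    print("server floor:", secure_server_context().minimum_version.name)
```

The audit rejects unknown names on purpose: an allow-list of the versions you want is more robust than a deny-list of the ones you have heard of, since a future or misspelled entry fails closed instead of open.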
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)