[ 
https://issues.apache.org/jira/browse/KUDU-1926?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16238163#comment-16238163
 ] 

Alexey Serbin edited comment on KUDU-1926 at 11/3/17 7:03 PM:
--------------------------------------------------------------

There is SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION for that (appeared in 
0.9.7 version), but we don't set it in the TLS context yet.

Also, even in OpenSSL 1.1.0, the SSL_OP_LEGACY_SERVER_CONNECT option is set by 
default to allow client to connect to servers using outdated (< 0.9.8.m) 
openssl library.  We may want to disable that to make our C++ client more 
secure.


was (Author: aserbin):
There is SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION for that (appeared in 
0.9.7 version), but we don't set it in the TLS context yet.

Also, prior to OpenSSL 1.0.2, the SSL_OP_LEGACY_SERVER_CONNECT is set by 
default.  We may want to disable that to make our C++ client more secure.

> Disable SSL session renegotiation
> ---------------------------------
>
>                 Key: KUDU-1926
>                 URL: https://issues.apache.org/jira/browse/KUDU-1926
>             Project: Kudu
>          Issue Type: Improvement
>          Components: rpc, security
>    Affects Versions: 1.3.0
>            Reporter: Todd Lipcon
>            Priority: Minor
>
> SSL renegotiation has had a couple of CVEs in the past. We should figure out 
> if it's easy to disable it and do so, since we don't expect to use it in KRPC.
> (it may already be the case that it's disabled by virtue of us not handling 
> SSL_WANT_READ return from ssl_write, and SSL_WANT_WRITE from ssl_read).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to