[ 
https://issues.apache.org/jira/browse/KYLIN-4477?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17107895#comment-17107895
 ] 

ASF GitHub Bot commented on KYLIN-4477:
---------------------------------------

Mahir92 edited a comment on pull request #1192:
URL: https://github.com/apache/kylin/pull/1192#issuecomment-629004822


   Hi @shaofengshi, thanks for getting back to me. I am not sure why it got 
included in the PR. However, I will try to exclude the changes and will give the 
update here when I am done.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Usage of "TLS" is insecure
> --------------------------
>
>                 Key: KYLIN-4477
>                 URL: https://issues.apache.org/jira/browse/KYLIN-4477
>             Project: Kylin
>          Issue Type: Improvement
>            Reporter: Md Mahir Asef Kabir
>            Assignee: Md Mahir Asef Kabir
>            Priority: Major
>             Fix For: v3.1.0
>
>
> *Vulnerability Description:* In 
> “engine-mr/src/main/java/org/apache/kylin/engine/mr/common/DefaultSslProtocolSocketFactory.java”
>  file the following code was written in
> {code:java}
> private static SSLContext createEasySSLContext()
> {code}
> method -
> {code:java}
> SSLContext context = SSLContext.getInstance("TLS");
> {code}
> The vulnerability is using "TLS" as the argument to the SSLContext.getInstance 
> method.
> *Reason it’s vulnerable:* TLS 1.0 is vulnerable to man-in-the-middle attacks. 
> For further reference, follow 
> [this|https://www.comodo.com/e-commerce/ssl-certificates/tls-1-deprecation.php].
> *Suggested Fix:* Using
> {code:java}
> SSLContext context = SSLContext.getInstance("TLSv1.3");
> {code}
> *Feedback:* Please select any of the options down below to help us get an 
> idea about how you felt about the suggestion -
>  # Liked it and will make the suggested changes
>  # Liked it but happy with the existing version
>  # Didn’t find the suggestion helpful



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
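
A check a reviewer could run alongside this issue, as an added example that is not code from Kylin or from the pull request: it prints which protocol versions each `SSLContext` name enables by default on the local JRE and builds `SSLParameters` limited to TLSv1.2 and TLSv1.3. The class name `TlsProtocolCheck`, its methods and the allowed-version list are assumptions made for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example: class and method names are hypothetical, not Kylin code.
public class TlsProtocolCheck {

    // Versions this example treats as acceptable (an assumption; adjust to policy).
    static final List<String> ALLOWED = Arrays.asList("TLSv1.3", "TLSv1.2");

    // Protocol versions a context enables by default on this JRE.
    static String[] defaultProtocols(String name) throws Exception {
        SSLContext ctx = SSLContext.getInstance(name);
        ctx.init(null, null, null); // default key managers, trust managers, RNG
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    // Parameters restricted to the allowed versions that the context supports.
    static SSLParameters restricted(SSLContext ctx) {
        List<String> keep = new ArrayList<>();
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        for (String p : ALLOWED) {
            if (supported.contains(p)) keep.add(p);
        }
        if (keep.isEmpty()) throw new IllegalStateException("no allowed TLS version available");
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setProtocols(keep.toArray(new String[0]));
        return params;
    }

    public static void main(String[] args) throws Exception {
        for (String name : new String[] {"TLS", "TLSv1.3"}) {
            try {
                System.out.println(name + " -> " + Arrays.toString(defaultProtocols(name)));
            } catch (NoSuchAlgorithmException e) {
                System.out.println(name + " -> not available on this JRE");
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        // Apply to a socket with SSLSocket.setSSLParameters(params) before the handshake.
        SSLParameters params = restricted(ctx);
        System.out.println("restricted -> " + Arrays.toString(params.getProtocols()));
    }
}
```

The printed lists depend on the JRE version and its `jdk.tls.disabledAlgorithms` security property, so run it on the same runtime the service uses.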
