David Handermann created NIFI-7913:
--------------------------------------
Summary: ListenSMTP Allows TLS 1.0 and 1.1 Regardless of TLS Protocol Configured
Key: NIFI-7913
URL: https://issues.apache.org/jira/browse/NIFI-7913
Project: Apache NiFi
Issue Type: Bug
Components: Extensions
Affects Versions: 1.12.0
Environment: Fedora 32, OpenJDK 1.8.0_265, OpenJDK 11.0.8
Reporter: David Handermann
Assignee: David Handermann
ListenSMTP supports TLS communication using a configurable
RestrictedSSLContextService as of NIFI-4335. Regardless of whether the _TLS
Protocol_ property is set to _TLS_ or to a specific TLS version, ListenSMTP
accepts connections negotiated with TLS 1.0 or TLS 1.1 in addition to TLS 1.2
(and TLS 1.3 under Java 11).
This can be reproduced at runtime by configuring ListenSMTP with a
StandardRestrictedSSLContextService and using the following OpenSSL commands,
which issue STARTTLS and then force a legacy protocol version for the handshake.
For TLS 1.0:
openssl s_client -host localhost -port 2525 -starttls smtp -tls1
For TLS 1.1:
openssl s_client -host localhost -port 2525 -starttls smtp -tls1_1
If the legacy protocol is accepted, the response output includes the negotiated
cipher and an SSL Session-ID; a correctly restricted server should instead fail
the handshake for both commands.
This can also be reproduced in unit tests by specifying the
_mail.smtp.ssl.protocols_ property with either _TLSv1_ or _TLSv1.1_ when
configuring the Java Mail Session.
Setting specific enabled protocols on the created SSLSocket should disable
legacy TLS protocols. Resolution should include support for either a specific
TLS version, or secure TLS versions based on the runtime Java version.
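The following is an added illustration of the resolution described above, not code from the NiFi project. It assumes a hypothetical helper, resolveEnabledProtocols, that maps the _TLS Protocol_ property value to the protocols enabled on a server-side SSLSocket: a specific version such as _TLSv1.2_ is used as-is, and the generic _TLS_ value maps to the secure versions the running JVM supports (TLSv1.3 and TLSv1.2 on Java 11, TLSv1.2 alone on Java 8). The main method creates an unconnected socket from a default SSLContext so the before/after enabled protocol lists can be inspected offline.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example (hypothetical helper, not NiFi code): restrict the protocols a
// server-side SSLSocket may negotiate so that a "TLS Protocol" setting of "TLS"
// no longer falls through to JVM defaults that still enable TLSv1 and TLSv1.1.
public class TlsProtocolRestriction {

    // Protocol versions considered secure, in preference order.
    private static final List<String> SECURE_PROTOCOLS = Arrays.asList("TLSv1.3", "TLSv1.2");

    // Resolve the configured property value to the protocols that should be
    // enabled. "TLS" selects every secure version the runtime supports; any
    // other value is treated as a specific version and must be supported.
    static String[] resolveEnabledProtocols(String configuredProtocol, String[] supportedProtocols) {
        List<String> supported = Arrays.asList(supportedProtocols);
        if (!"TLS".equals(configuredProtocol)) {
            if (!supported.contains(configuredProtocol)) {
                throw new IllegalArgumentException("Protocol not supported by runtime: " + configuredProtocol);
            }
            return new String[] { configuredProtocol };
        }
        List<String> enabled = new ArrayList<>();
        for (String protocol : SECURE_PROTOCOLS) {
            if (supported.contains(protocol)) {
                enabled.add(protocol);
            }
        }
        if (enabled.isEmpty()) {
            throw new IllegalStateException("Runtime supports no secure TLS version");
        }
        return enabled.toArray(new String[0]);
    }

    // Apply the restriction to a socket created from the processor's SSLContext.
    // Must run before the handshake starts, i.e. before STARTTLS is answered.
    static void restrict(SSLSocket socket, String configuredProtocol) {
        socket.setEnabledProtocols(resolveEnabledProtocols(configuredProtocol, socket.getSupportedProtocols()));
    }

    public static void main(String[] args) throws Exception {
        // Default key and trust managers are sufficient for an unconnected socket.
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null);
        SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
        socket.setUseClientMode(false);

        System.out.println("JVM default enabled protocols: " + Arrays.toString(socket.getEnabledProtocols()));
        restrict(socket, "TLS");
        System.out.println("After restriction (TLS):       " + Arrays.toString(socket.getEnabledProtocols()));
        restrict(socket, "TLSv1.2");
        System.out.println("After restriction (TLSv1.2):   " + Arrays.toString(socket.getEnabledProtocols()));
        socket.close();
    }
}
```

Run under Java 8 and Java 11 to see the first line list TLSv1 and TLSv1.1 among the defaults and the restricted lines omit them. Once enabled protocols are set this way on the socket ListenSMTP hands to the STARTTLS handshake, the two openssl commands in the reproduction steps should both fail to negotiate a session.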
--
This message was sent by Atlassian Jira (v8.3.4#803005)