[ https://issues.apache.org/jira/browse/NIFI-7913?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17247360#comment-17247360 ]

ASF subversion and git services commented on NIFI-7913:
-------------------------------------------------------

Commit 7bff64b3cf37700407a51d896d0349853eaed733 in nifi's branch refs/heads/main from exceptionfactory
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=7bff64b ]

NIFI-7913 Added getEnabledProtocols() to TlsConfiguration and updated ListenSMTP to set enabled protocols on SSL Sockets

NIFI-7913 Changed order of supported protocols to match existing comments in SSLContextService

This closes #4599

Signed-off-by: Nathan Gough <[email protected]>


> ListenSMTP Allows TLS 1.0 and 1.1 Regardless of TLS Protocol Configured
> -----------------------------------------------------------------------
>
>                 Key: NIFI-7913
>                 URL: https://issues.apache.org/jira/browse/NIFI-7913
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Extensions
>    Affects Versions: 1.12.0
>         Environment: Fedora 32
> OpenJDK 1.8.0_265
> OpenJDK 11.0.8
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Major
>              Labels: SMTP, TLS, security
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> ListenSMTP supports TLS communication using a configurable 
> RestrictedSSLContextService as of NIFI-4335.  Regardless of setting the _TLS 
> Protocol_ property to _TLS_ or a specific TLS version, ListenSMTP accepts TLS 
> communication using TLS 1.0 or TLS 1.1 in addition to TLS 1.2, or TLS 1.3 
> under Java 11.
> This can be reproduced at runtime by configuring ListenSMTP with a 
> StandardRestrictedSSLContextService and using the following OpenSSL command 
> to run the STARTTLS command.
> For TLS 1.0:
> openssl s_client -host localhost -port 2525 -starttls smtp tls1
> For TLS 1.1:
> openssl s_client -host localhost -port 2525 -starttls smtp tls1_1
> The response output should include the negotiated cipher and SSL Session-ID.
> This can also be reproduced in unit tests by specifying the 
> _mail.smtp.ssl.protocols_ property with either _TLSv1_ or _TLSv1.1_ when 
> configuring the Java Mail Session.
> Setting specific enabled protocols on the created SSLSocket should disable 
> legacy TLS protocols.  Resolution should include support for either a 
> specific TLS version, or secure TLS versions based on the runtime Java 
> version.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
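The following is an added example illustrating the mechanism the report describes; it is not NiFi's code and not the commit referenced above. The names EnabledProtocolsExample, getEnabledProtocols, allowsLegacyTls and restrictedServerSocket are hypothetical. It shows why an SSLContext created for "TLSv1.2" is not enough: the context's protocol name selects the highest version the provider will negotiate, while the socket still enables every version the provider permits, so on the OpenJDK 8u265 and 11.0.8 builds listed in the issue the "before" list includes TLSv1 and TLSv1.1. The helper maps the configured TLS Protocol value to an explicit list (a specific version on its own, or, for the generic "TLS" value, TLSv1.3 plus TLSv1.2 when the runtime supports TLSv1.3 and TLSv1.2 alone otherwise) and applies it with setEnabledProtocols, after which the openssl s_client checks in the report no longer complete a handshake for tls1 or tls1_1. One caveat: JDK updates from April 2021 onward (8u291, 11.0.11 and later) list TLSv1 and TLSv1.1 in the jdk.tls.disabledAlgorithms security property, so on those builds the "before" output already omits them; the explicit restriction is still the right fix, because it does not depend on the runtime's java.security defaults.

```java
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

// Hypothetical example class; not part of Apache NiFi.
public class EnabledProtocolsExample {

    /**
     * Hypothetical helper: the protocols to enable on a socket for a configured
     * TLS Protocol value. "TLS" means the secure versions this runtime supports
     * (TLSv1.3 where the JDK offers it, plus TLSv1.2); any other value is a
     * specific version and is enabled on its own.
     */
    public static String[] getEnabledProtocols(String configuredProtocol, String[] supportedProtocols) {
        List<String> supported = Arrays.asList(supportedProtocols);
        if ("TLS".equals(configuredProtocol)) {
            List<String> enabled = new ArrayList<>();
            for (String candidate : new String[] {"TLSv1.3", "TLSv1.2"}) {
                if (supported.contains(candidate)) {
                    enabled.add(candidate);
                }
            }
            if (enabled.isEmpty()) {
                throw new IllegalStateException("Runtime supports no secure TLS version: " + supported);
            }
            return enabled.toArray(new String[0]);
        }
        if (!supported.contains(configuredProtocol)) {
            throw new IllegalArgumentException("Unsupported TLS protocol: " + configuredProtocol);
        }
        return new String[] {configuredProtocol};
    }

    /** True when any legacy protocol remains enabled, which is the condition the report describes. */
    public static boolean allowsLegacyTls(String[] enabledProtocols) {
        List<String> enabled = Arrays.asList(enabledProtocols);
        return enabled.contains("SSLv3") || enabled.contains("TLSv1") || enabled.contains("TLSv1.1");
    }

    /** Server-side form: restrict the listening socket before accept() hands out connections. */
    public static SSLServerSocket restrictedServerSocket(SSLContext context, int port, String configuredProtocol)
            throws IOException {
        SSLServerSocket serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(port);
        serverSocket.setEnabledProtocols(getEnabledProtocols(configuredProtocol, serverSocket.getSupportedProtocols()));
        return serverSocket;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, KeyManagementException, IOException {
        // The context's protocol name only selects the highest negotiable version; it does not
        // restrict which versions the sockets it creates will accept.
        SSLContext context = SSLContext.getInstance("TLSv1.2");
        context.init(null, null, null); // default key and trust managers are enough to inspect protocol lists

        SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
        System.out.println("Enabled before: " + Arrays.toString(socket.getEnabledProtocols())
                + " legacy allowed=" + allowsLegacyTls(socket.getEnabledProtocols()));

        // The fix: set the enabled protocols explicitly from the configured value.
        socket.setEnabledProtocols(getEnabledProtocols("TLSv1.2", socket.getSupportedProtocols()));
        System.out.println("Enabled after:  " + Arrays.toString(socket.getEnabledProtocols())
                + " legacy allowed=" + allowsLegacyTls(socket.getEnabledProtocols()));
        socket.close();
    }
}
```

Run it with the JDK under test; the "after" line should report legacy allowed=false on every build, while the "before" line depends on that build's jdk.tls.disabledAlgorithms setting. The same setEnabledProtocols call belongs on each accepted SSLSocket, or on the SSLServerSocket as in restrictedServerSocket, since protocol negotiation happens per connection.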