[ 
https://issues.apache.org/jira/browse/NIFI-7913?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nathan Gough resolved NIFI-7913.
--------------------------------
    Fix Version/s: 1.13.0
       Resolution: Fixed

> ListenSMTP Allows TLS 1.0 and 1.1 Regardless of TLS Protocol Configured
> -----------------------------------------------------------------------
>
>                 Key: NIFI-7913
>                 URL: https://issues.apache.org/jira/browse/NIFI-7913
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Extensions
>    Affects Versions: 1.12.0
>         Environment: Fedora 32
> OpenJDK 1.8.0_265
> OpenJDK 11.0.8
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Major
>              Labels: SMTP, TLS, security
>             Fix For: 1.13.0
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> ListenSMTP supports TLS communication using a configurable 
> RestrictedSSLContextService as of NIFI-4335.  Regardless of setting the _TLS 
> Protocol_ property to _TLS_ or a specific TLS version, ListenSMTP accepts TLS 
> communication using TLS 1.0 or TLS 1.1 in addition to TLS 1.2, or TLS 1.3 
> under Java 11.
> This can be reproduced at runtime by configuring ListenSMTP with a 
> StandardRestrictedSSLContextService and using the following OpenSSL command 
> to run the STARTTLS command.
> For TLS 1.0:
> openssl s_client -host localhost -port 2525 -starttls smtp -tls1
> For TLS 1.1:
> openssl s_client -host localhost -port 2525 -starttls smtp -tls1_1
> The response output should include the negotiated cipher and SSL Session-ID.
> This can also be reproduced in unit tests by specifying the 
> _mail.smtp.ssl.protocols_ property with either _TLSv1_ or _TLSv1.1_ when 
> configuring the Java Mail Session.
> Setting specific enabled protocols on the created SSLSocket should disable 
> legacy TLS protocols.  Resolution should include support for either a 
> specific TLS version, or secure TLS versions based on the runtime Java 
> version.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
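
One way to apply the resolution the issue describes, restricting the enabled protocols on the SSLSocket created after STARTTLS. This is an added example, not NiFi's code or the change committed for NIFI-7913; the class RestrictedTlsUpgrade and its methods enabledProtocols and upgrade are hypothetical names, and the configured value is assumed to be either "TLS" or a specific version string such as "TLSv1.2".

```java
import java.io.IOException;
import java.net.Socket;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Hypothetical helper: not a NiFi class.
public class RestrictedTlsUpgrade {
    // Legacy versions that are never enabled, whatever the JVM supports.
    private static final List<String> LEGACY =
            Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1");

    /** Resolve the configured value ("TLS" or one version) to the protocols to enable. */
    static String[] enabledProtocols(String configured, String[] runtimeSupported) {
        List<String> enabled = new ArrayList<>();
        for (String protocol : runtimeSupported) {
            boolean secure = protocol.startsWith("TLSv") && !LEGACY.contains(protocol);
            boolean wanted = "TLS".equals(configured) || protocol.equals(configured);
            if (secure && wanted) {
                enabled.add(protocol);
            }
        }
        if (enabled.isEmpty()) {
            // Fail closed: a legacy or unsupported setting must not fall back to JVM defaults.
            throw new IllegalArgumentException("No secure protocol available for: " + configured);
        }
        return enabled.toArray(new String[0]);
    }

    /** Layer TLS over an accepted plaintext socket, restricting protocols before the handshake. */
    static SSLSocket upgrade(SSLContext context, Socket plain, String configured) throws IOException {
        SSLSocket tls = (SSLSocket) context.getSocketFactory().createSocket(
                plain, plain.getInetAddress().getHostAddress(), plain.getPort(), true);
        tls.setUseClientMode(false); // server side of the STARTTLS upgrade
        String[] supported = context.getSupportedSSLParameters().getProtocols();
        tls.setEnabledProtocols(enabledProtocols(configured, supported));
        return tls;
    }

    public static void main(String[] args) throws Exception {
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
        System.out.println("runtime supports: " + Arrays.toString(supported));
        System.out.println("TLS     -> " + Arrays.toString(enabledProtocols("TLS", supported)));
        System.out.println("TLSv1.2 -> " + Arrays.toString(enabledProtocols("TLSv1.2", supported)));
    }
}
```

With the protocols restricted this way, the two s_client commands in the issue should fail the handshake instead of printing a negotiated cipher and Session-ID.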