Cliff Jansen created PROTON-719:
-----------------------------------

             Summary: Disable SSL v3 for Windows SChannel
                 Key: PROTON-719
                 URL: https://issues.apache.org/jira/browse/PROTON-719
             Project: Qpid Proton
          Issue Type: Bug
          Components: proton-j
    Affects Versions: 0.8
         Environment: Windows
            Reporter: Cliff Jansen
            Assignee: Cliff Jansen
             Fix For: 0.8
Windows advisory: https://technet.microsoft.com/en-us/library/security/3009008.aspx

See especially part 3, "Disable SSL 3.0 in Windows", but note that a similar registry setting exists for the CLIENT side.

SChannel works differently from OpenSSL: an application using SChannel can override the default protocols (set in the registry), but cannot override the "enabled" protocols (also set in the registry). A user or global administrator can therefore force AMQP 1.0 SChannel connections to negotiate SSLv3 despite Proton's best efforts.

Possible solutions on Windows:

1. always fail after the fact if an SSLv3 connection has actually been established
2. succeed for SSLv3 if the registry allows it, but log a warning
3. succeed for SSLv3 only if the registry allows it and the environment variable PROTON_SSLV3_UNSAFE=override_by_user is set

Since SSLv3 is not considered secure, and there are no known legacy AMQP 1.0 peers that are unable to provide TLS 1.0 or above, #1 seems to provide the greatest security without known inconvenience.
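As an added example (not part of the Proton issue or the Proton project), here is a PowerShell script that applies the advisory's registry change to both the Server and Client sides of SChannel and then audits the result. The key paths and the `Enabled` / `DisabledByDefault` value names are the standard SChannel registry layout; the function names are my own.

```powershell
# Added example (not from the Proton issue or project): disable SSL 3.0 for both the
# Server and Client sides of SChannel via the registry, then audit what is configured.
# Run from an elevated PowerShell; the change applies to new SChannel connections.

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

function Disable-Ssl3Side {
    param([ValidateSet('Server', 'Client')][string]$Side)
    $Path = Join-Path $Base $Side
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # Enabled=0 removes SSL 3.0 from the protocols SChannel will ever use on this side
    # (an application cannot re-enable it); DisabledByDefault=1 also keeps it out of
    # the default set that applications inherit when they do not pick protocols.
    New-ItemProperty -Path $Path -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Path -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-Ssl3State {
    # One object per side. A missing key or value means SChannel uses its built-in
    # default, which on the Windows versions the advisory covers leaves SSL 3.0 usable.
    foreach ($Side in 'Server', 'Client') {
        $Path = Join-Path $Base $Side
        $Enabled = $null
        $Default = $null
        if (Test-Path $Path) {
            $Enabled = (Get-ItemProperty -Path $Path -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
            $Default = (Get-ItemProperty -Path $Path -Name 'DisabledByDefault' -ErrorAction SilentlyContinue).DisabledByDefault
        }
        [pscustomobject]@{
            Side              = $Side
            Enabled           = $Enabled
            DisabledByDefault = $Default
            Ssl3Blocked       = ($Enabled -eq 0)   # only Enabled=0 is authoritative
        }
    }
}

'Server', 'Client' | ForEach-Object { Disable-Ssl3Side -Side $_ }
Get-Ssl3State | Format-Table -AutoSize
```

Running `Get-Ssl3State` alone (without the `Disable-Ssl3Side` calls) is a read-only check that shows whether an administrator has left SSL 3.0 enabled on either side, which is the condition the issue above says Proton cannot override from application code.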