Cliff Jansen created PROTON-719:

             Summary: Disable SSL v3 for Windows SChannel
                 Key: PROTON-719
             Project: Qpid Proton
          Issue Type: Bug
          Components: proton-j
    Affects Versions: 0.8
         Environment: Windows
            Reporter: Cliff Jansen
            Assignee: Cliff Jansen
             Fix For: 0.8

Windows advisory:

See especially part 3: "Disable SSL 3.0 in Windows", but note that a similar 
registry setting exists for CLIENT.

SChannel works differently from OpenSSL: SChannel can override default 
protocols (in registry), but cannot override "enabled" protocols (also in 
registry).  A user or global administrator can force AMQP 1.0 SChannel 
connections to succeed during protocol negotiations over SSLv3 despite Proton's 
best efforts.

Possible solutions on Windows:

 1. always fail after the fact if an SSLv3 connection has actually been 

 2. succeed for SSLv3 if registry allows it, but log a warning

 3. succeed for SSLv3 only if registry allows it and env variable 

Since SSLv3 is not considered secure, and there are no known legacy AMQP 1.0 
that are unable to provide TLS1.0 or above, #1 seems to provide the greatest 
security without known inconvenience.

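A sketch of solution #1, checked after the handshake has completed. This is an added example, not Proton's code: the function names `negotiated_protocol_allowed` and `handshake_result_allowed` are hypothetical. It assumes the standard SChannel `QueryContextAttributes` call with `SECPKG_ATTR_CONNECTION_INFO`, and repeats the `dwProtocol` bit values from `schannel.h` so the policy check also builds off Windows.

```c
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>
#include <schannel.h>
#else
/* dwProtocol bit values from schannel.h, repeated so the check builds off Windows. */
#define SP_PROT_SSL3_SERVER   0x00000010
#define SP_PROT_SSL3_CLIENT   0x00000020
#define SP_PROT_TLS1_SERVER   0x00000040
#define SP_PROT_TLS1_CLIENT   0x00000080
#define SP_PROT_TLS1_2_CLIENT 0x00000800
#endif

/* Every protocol bit below TLS 1.0: PCT 1.0, SSL 2.0 and SSL 3.0, both roles. */
#define LEGACY_PROTOCOL_MASK 0x0000003Fu

/* Returns 1 if the negotiated protocol is TLS 1.0 or later, 0 otherwise.
   A zero value (nothing negotiated) is refused as well. */
int negotiated_protocol_allowed(uint32_t dw_protocol)
{
    if (dw_protocol == 0)
        return 0;
    return (dw_protocol & LEGACY_PROTOCOL_MASK) == 0;
}

#ifdef _WIN32
/* Hypothetical helper: call once the SChannel handshake has returned SEC_E_OK.
   The registry may have let SSLv3 through, so the result is checked here. */
int handshake_result_allowed(CtxtHandle *ctx)
{
    SecPkgContext_ConnectionInfo info;
    if (QueryContextAttributes(ctx, SECPKG_ATTR_CONNECTION_INFO, &info) != SEC_E_OK)
        return 0; /* fail closed if the protocol cannot be determined */
    return negotiated_protocol_allowed(info.dwProtocol);
}
#endif

int main(void)
{
    /* Constructed sample values standing in for info.dwProtocol. */
    uint32_t samples[] = { SP_PROT_SSL3_CLIENT, SP_PROT_TLS1_CLIENT, SP_PROT_TLS1_2_CLIENT };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08x -> %s\n", (unsigned)samples[i],
               negotiated_protocol_allowed(samples[i]) ? "accept" : "close connection");
    return 0;
}
```

A caller would close the transport and report an error whenever the check returns 0, regardless of what the registry permitted.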