Lars Francke created AMBARI-20893:
-------------------------------------

             Summary: Ambari should disable old/insecure SSL/TLS protocols by default
                 Key: AMBARI-20893
                 URL: https://issues.apache.org/jira/browse/AMBARI-20893
             Project: Ambari
          Issue Type: Improvement
          Components: ambari-server
            Reporter: Lars Francke
            Priority: Minor

By default these protocols are enabled in Ambari when using SSL/TLS:
* SSL 2
* SSL 3
* TLS 1.0
* TLS 1.1
* TLS 1.2

Yes, they can be disabled, but a user needs to do that.

Both SSL 2 and SSL 3 have been officially deprecated and I think it's really bad that we ship with them enabled by default. TLS 1 is prohibited by PCI standards but has not been officially deprecated, I think.

So I propose to change the default value of `security.server.disabled.protocols` to include at least SSL2 & 3.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
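
An added example, not part of the original message or of Ambari's code: a small audit that reads the text of a properties file and reports which of the five listed protocols `security.server.disabled.protocols` leaves enabled. The protocol spellings (`SSLv2`, `SSLv3`, `TLSv1`, ...), the `|` or `,` separator and the sample file contents are assumptions made for the example.

```python
import re

PROPERTY = "security.server.disabled.protocols"
# The five protocols the issue lists; these spellings are assumed, not taken from the page.
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
# The minimum the issue proposes to disable by default.
MUST_DISABLE = ["SSLv2", "SSLv3"]


def parse_properties(text):
    """Parse key=value / key:value lines, skipping blanks and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()  # last assignment wins
    return props


def audit(text):
    """Return the protocols left enabled and the proposed-minimum ones not disabled."""
    value = parse_properties(text).get(PROPERTY, "")
    # Assumed list format: tokens separated by '|' or ',', compared case-insensitively.
    disabled = {tok.strip().lower() for tok in re.split(r"[|,]", value) if tok.strip()}
    return {
        "still_enabled": [p for p in ALL_PROTOCOLS if p.lower() not in disabled],
        "violations": [p for p in MUST_DISABLE if p.lower() not in disabled],
    }


# Constructed sample inputs (not real Ambari configuration files).
SAMPLE_UNSET = "# constructed sample: property absent\nexample.other.setting=1\n"
SAMPLE_HARDENED = "security.server.disabled.protocols=SSLv2|SSLv3\n"
SAMPLE_PARTIAL = "security.server.disabled.protocols = sslv3, TLSv1\n"

if __name__ == "__main__":
    for name, sample in [("unset", SAMPLE_UNSET), ("hardened", SAMPLE_HARDENED),
                         ("partial", SAMPLE_PARTIAL)]:
        result = audit(sample)
        status = "FAIL" if result["violations"] else "ok"
        print(f"{name}: {status} enabled={result['still_enabled']} "
              f"missing={result['violations']}")
```

This checks only the configuration text; confirming what the running listener actually negotiates needs a separate TLS scan of the server port.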