[ https://issues.apache.org/jira/browse/AMBARI-20893?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lars Francke resolved AMBARI-20893.
-----------------------------------
    Resolution: Duplicate

> Ambari should disable old/insecure SSL/TLS protocols by default
> ---------------------------------------------------------------
>
>                 Key: AMBARI-20893
>                 URL: https://issues.apache.org/jira/browse/AMBARI-20893
>             Project: Ambari
>          Issue Type: Improvement
>          Components: ambari-server
>            Reporter: Lars Francke
>            Priority: Minor
>
> By default these protocols are enabled in Ambari when using SSL/TLS:
> * SSL 2
> * SSL 3
> * TLS 1.0
> * TLS 1.1
> * TLS 1.2
> Yes they can be disabled but a user needs to do that. Both SSL 2 and SSL 3
> have been officially deprecated and I think it's really bad that we ship with
> them enabled by default. TLS 1 is prohibited by PCI standards but has not
> been officially deprecated I think.
> So I propose to change the default value of
> `security.server.disabled.protocols` to include at least SSL2 & 3.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
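
A configuration audit for the property named in the issue, as an added example that is not part of the original message or of Ambari's own code. It assumes the property value is a `|`-separated list and that the protocols are spelled SSLv2, SSLv3 and TLSv1 there; the sample configurations and the `example.other.key` entry are constructed.

```python
# Added example: report which of the protocols called out in the issue are
# NOT covered by security.server.disabled.protocols in an ambari.properties text.
# Assumptions (not confirmed by the page): '|' separates the values, and the
# protocol names are spelled as in FLAGGED below.
PROPERTY = "security.server.disabled.protocols"  # key named in the issue
FLAGGED = ("SSLv2", "SSLv3", "TLSv1")  # SSL 2, SSL 3 (deprecated), TLS 1 (PCI)


def parse_properties(text):
    """Parse simple Java .properties text: key=value or key:value, # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props


def flagged_still_enabled(text):
    """Return the flagged protocol names that the disabled list does not contain."""
    value = parse_properties(text).get(PROPERTY, "")
    disabled = {p.strip().lower() for p in value.split("|") if p.strip()}
    # Exact-name comparison: disabling TLSv1.1 must not count as disabling TLSv1.
    return [p for p in FLAGGED if p.lower() not in disabled]


# Constructed sample inputs (not taken from a real deployment).
DEFAULT_CONFIG = "example.other.key=value\n"  # property absent: shipped default
PARTIAL_CONFIG = DEFAULT_CONFIG + "# SSL family only\n" + PROPERTY + " = SSLv2 | SSLv3\n"
WRONG_NAME_CONFIG = DEFAULT_CONFIG + PROPERTY + "=SSLv2|SSLv3|TLSv1.1\n"
HARDENED_CONFIG = DEFAULT_CONFIG + PROPERTY + "=SSLv2|SSLv3|TLSv1\n"

if __name__ == "__main__":
    samples = [("default", DEFAULT_CONFIG), ("partial", PARTIAL_CONFIG),
               ("wrong-name", WRONG_NAME_CONFIG), ("hardened", HARDENED_CONFIG)]
    for name, cfg in samples:
        left = flagged_still_enabled(cfg)
        print(name, "->", ", ".join(left) if left else "none of the flagged protocols enabled")
```
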