[ https://issues.apache.org/jira/browse/PROTON-719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14175739#comment-14175739 ]
ASF subversion and git services commented on PROTON-719:
--------------------------------------------------------

Commit 1632702 from cliffjan...@apache.org in branch 'proton/trunk'
[ https://svn.apache.org/r1632702 ]

PROTON-719 : prevent ssl3 connections in Windows with schannel

> Disable SSL v3 for Windows SChannel
> -----------------------------------
>
> Key: PROTON-719
> URL: https://issues.apache.org/jira/browse/PROTON-719
> Project: Qpid Proton
> Issue Type: Bug
> Components: proton-j
> Affects Versions: 0.8
> Environment: Windows
> Reporter: Cliff Jansen
> Assignee: Cliff Jansen
> Fix For: 0.8
>
>
> Windows advisory:
> https://technet.microsoft.com/en-us/library/security/3009008.aspx
> See especially part 3: "Disable SSL 3.0 in Windows", but note that a similar
> registry setting exists for CLIENT.
>
> Schannel works differently from openssl: SChannel can override default
> protocols (in registry), but cannot override "enabled" protocols (also in
> registry). A user or global administrator can force AMQP 1.0 SChannel
> connections to succeed during protocol negotiations over SSLv3 despite
> Proton's best efforts.
>
> Possible solutions on Windows:
>
> 1. always fail after the fact if an SSLv3 connection has actually been
> established
> 2. succeed for SSLV3 if registry allows it, but log a warning
> 3. succeed for SSLV3 only if registry allows it and env variable
> PROTON_SSLV3_UNSAFE=override_by_user
>
> Since SSLv3 is not considered secure, and there are no known legacy AMQP 1.0
> that are unable to provide TLS1.0 or above, #1 seems to provide the greatest
> security without known inconvenience.
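The shape of option 1 from the quoted issue (check which protocol SChannel actually negotiated once the handshake is done, and drop the connection if it is SSL 3.0 or SSL 2.0, regardless of what the registry permits) is shown below as an added example. This is not Qpid Proton's code or the contents of commit 1632702. `QueryContextAttributes` with `SECPKG_ATTR_CONNECTION_INFO` and the `SP_PROT_*` flags are the real SChannel interface from `<schannel.h>`; the function names (`protocol_acceptable`, `protocol_name`, `check_negotiated_protocol`) are hypothetical. The flag values are redefined off Windows only so that the decision logic compiles and runs on any platform; the SChannel query itself is Windows-only and is guarded by `_WIN32`.

```c
/*
 * Added example (not Qpid Proton's code): refuse an SSL 3.0 / SSL 2.0 session
 * after SChannel has negotiated it, i.e. option 1 from PROTON-719.
 * The SP_PROT_* values below are the ones from <schannel.h>; they are
 * redefined here only so the decision logic also builds off Windows.
 */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>
#include <schannel.h>
#else
typedef unsigned long DWORD;
#define SP_PROT_SSL2_SERVER   0x00000004
#define SP_PROT_SSL2_CLIENT   0x00000008
#define SP_PROT_SSL3_SERVER   0x00000010
#define SP_PROT_SSL3_CLIENT   0x00000020
#define SP_PROT_TLS1_SERVER   0x00000040
#define SP_PROT_TLS1_CLIENT   0x00000080
#define SP_PROT_TLS1_1_SERVER 0x00000100
#define SP_PROT_TLS1_1_CLIENT 0x00000200
#define SP_PROT_TLS1_2_SERVER 0x00000400
#define SP_PROT_TLS1_2_CLIENT 0x00000800
#endif

/* Protocols that must never be accepted, even if the registry enables them. */
#define LEGACY_PROTOCOLS (SP_PROT_SSL2_SERVER | SP_PROT_SSL2_CLIENT | \
                          SP_PROT_SSL3_SERVER | SP_PROT_SSL3_CLIENT)

/* Human-readable name for logging. `negotiated` is the value SChannel reports
 * in SecPkgContext_ConnectionInfo.dwProtocol (one client or server flag). */
const char *protocol_name(DWORD negotiated)
{
    if (negotiated & (SP_PROT_SSL2_SERVER | SP_PROT_SSL2_CLIENT))     return "SSL 2.0";
    if (negotiated & (SP_PROT_SSL3_SERVER | SP_PROT_SSL3_CLIENT))     return "SSL 3.0";
    if (negotiated & (SP_PROT_TLS1_SERVER | SP_PROT_TLS1_CLIENT))     return "TLS 1.0";
    if (negotiated & (SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_1_CLIENT)) return "TLS 1.1";
    if (negotiated & (SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_2_CLIENT)) return "TLS 1.2";
    return "unknown";
}

/* Returns 1 if the negotiated protocol is TLS 1.0 or newer, 0 if the
 * connection must be torn down (legacy protocol, or nothing negotiated). */
int protocol_acceptable(DWORD negotiated)
{
    if (negotiated == 0) return 0;           /* cannot tell what was negotiated: refuse */
    if (negotiated & LEGACY_PROTOCOLS) return 0;
    return 1;
}

#ifdef _WIN32
/* Windows only: ask SChannel what it really negotiated for `ctx` (the handle
 * filled in by InitializeSecurityContext / AcceptSecurityContext) and apply
 * the check above. Returns 1 to keep the connection, 0 to close it. */
int check_negotiated_protocol(CtxtHandle *ctx)
{
    SecPkgContext_ConnectionInfo info;
    SECURITY_STATUS st = QueryContextAttributes(ctx, SECPKG_ATTR_CONNECTION_INFO, &info);
    if (st != SEC_E_OK) {
        fprintf(stderr, "QueryContextAttributes failed: 0x%lx\n", (unsigned long)st);
        return 0;                            /* cannot verify: refuse */
    }
    if (!protocol_acceptable(info.dwProtocol)) {
        fprintf(stderr, "refusing %s session negotiated by SChannel\n",
                protocol_name(info.dwProtocol));
        return 0;
    }
    return 1;
}
#endif

int main(void)
{
    /* Constructed sample values standing in for dwProtocol after a handshake. */
    DWORD samples[] = { SP_PROT_SSL3_CLIENT, SP_PROT_TLS1_2_CLIENT, SP_PROT_SSL2_SERVER, 0 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %s\n", protocol_name(samples[i]),
               protocol_acceptable(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The check runs after the handshake rather than by restricting `grbitEnabledProtocols` in the credentials, because, as the issue notes, the registry's "Enabled" setting wins over what the application asks for; refusing on a failed query as well as on a legacy protocol keeps the check fail-closed.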