[ https://issues.apache.org/jira/browse/PROTON-719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14175739#comment-14175739 ]

ASF subversion and git services commented on PROTON-719:
--------------------------------------------------------

Commit 1632702 from cliffjan...@apache.org in branch 'proton/trunk'
[ https://svn.apache.org/r1632702 ]

PROTON-719 : prevent ssl3 connections in Windows with schannel

> Disable SSL v3 for Windows SChannel
> -----------------------------------
>
>                 Key: PROTON-719
>                 URL: https://issues.apache.org/jira/browse/PROTON-719
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: proton-j
>    Affects Versions: 0.8
>         Environment: Windows
>            Reporter: Cliff Jansen
>            Assignee: Cliff Jansen
>             Fix For: 0.8
>
>
> Windows advisory: 
>   https://technet.microsoft.com/en-us/library/security/3009008.aspx
> See especially part 3: "Disable SSL 3.0 in Windows", but note that a similar 
> registry setting exists for CLIENT.
> SChannel works differently from OpenSSL: SChannel can override default 
> protocols (in registry), but cannot override "enabled" protocols (also in 
> registry).  A user or global administrator can force AMQP 1.0 SChannel 
> connections to succeed during protocol negotiations over SSLv3 despite 
> Proton's best efforts.
> Possible solutions on Windows:
>  1. always fail after the fact if an SSLv3 connection has actually been 
> established
>  2. succeed for SSLv3 if registry allows it, but log a warning
>  3. succeed for SSLv3 only if registry allows it and env variable 
> PROTON_SSLV3_UNSAFE=override_by_user
> Since SSLv3 is not considered secure, and there are no known legacy AMQP 1.0 
> that are unable to provide TLS1.0 or above, #1 seems to provide the greatest 
> security without known inconvenience.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
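The after-the-fact check chosen as option #1 above, as an added example that is not Qpid Proton's own code. The pni_* names are hypothetical. The SP_PROT_* bit values are the ones from schannel.h, reproduced under `#ifndef _WIN32` only so the decision logic compiles and can be exercised off Windows; on Windows the real header and QueryContextAttributes(SECPKG_ATTR_CONNECTION_INFO) are used. The sample dwProtocol values in main() are constructed, standing in for what SChannel would report after a client handshake.

```c
/* Added example, not Qpid Proton's own code.  Implements option #1 from the
 * issue: after the SChannel handshake completes, ask what was actually
 * negotiated and fail the connection if it is SSL 3.0 (or SSL 2.0), even
 * though SSL 3.0 was left out of the protocols we asked for.
 * The pni_* names are hypothetical.  The SP_PROT_* values are the ones from
 * schannel.h; they are reproduced here only so the logic compiles on
 * non-Windows hosts. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>
#include <schannel.h>
#else
typedef unsigned long DWORD;
#define SP_PROT_SSL2_SERVER   0x00000004
#define SP_PROT_SSL2_CLIENT   0x00000008
#define SP_PROT_SSL3_SERVER   0x00000010
#define SP_PROT_SSL3_CLIENT   0x00000020
#define SP_PROT_TLS1_0_SERVER 0x00000040
#define SP_PROT_TLS1_0_CLIENT 0x00000080
#define SP_PROT_TLS1_1_SERVER 0x00000100
#define SP_PROT_TLS1_1_CLIENT 0x00000200
#define SP_PROT_TLS1_2_SERVER 0x00000400
#define SP_PROT_TLS1_2_CLIENT 0x00000800
#endif

#define PNI_SSL_LEGACY (SP_PROT_SSL2_SERVER | SP_PROT_SSL2_CLIENT | \
                        SP_PROT_SSL3_SERVER | SP_PROT_SSL3_CLIENT)
#define PNI_TLS_SERVER (SP_PROT_TLS1_0_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_2_SERVER)
#define PNI_TLS_CLIENT (SP_PROT_TLS1_0_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT)

/* Best effort before the handshake: the mask to put in
 * SCHANNEL_CRED.grbitEnabledProtocols (TLS 1.0-1.2 only, never SSL 3.0).
 * The registry "Enabled" setting can still widen this, hence the check below. */
DWORD pni_requested_protocols(bool is_server)
{
    return is_server ? PNI_TLS_SERVER : PNI_TLS_CLIENT;
}

bool pni_is_sslv3_or_older(DWORD dwProtocol)
{
    return (dwProtocol & PNI_SSL_LEGACY) != 0;
}

const char *pni_protocol_name(DWORD dwProtocol)
{
    if (dwProtocol & (SP_PROT_SSL2_SERVER | SP_PROT_SSL2_CLIENT)) return "SSL 2.0";
    if (dwProtocol & (SP_PROT_SSL3_SERVER | SP_PROT_SSL3_CLIENT)) return "SSL 3.0";
    if (dwProtocol & (SP_PROT_TLS1_0_SERVER | SP_PROT_TLS1_0_CLIENT)) return "TLS 1.0";
    if (dwProtocol & (SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_1_CLIENT)) return "TLS 1.1";
    if (dwProtocol & (SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_2_CLIENT)) return "TLS 1.2";
    return "unknown";
}

/* The after-the-fact check.  'dwProtocol' is SecPkgContext_ConnectionInfo.dwProtocol
 * as reported by SChannel once the handshake has completed.  Returns 0 if the
 * connection may proceed, -1 (with a reason in 'err') if it must be closed.
 * A value we do not recognize is treated as a failure rather than trusted. */
int pni_post_handshake_check(DWORD dwProtocol, char *err, size_t errlen)
{
    if (pni_is_sslv3_or_older(dwProtocol)) {
        snprintf(err, errlen, "%s negotiated although it was not requested; closing connection",
                 pni_protocol_name(dwProtocol));
        return -1;
    }
    if ((dwProtocol & (PNI_TLS_SERVER | PNI_TLS_CLIENT)) == 0) {
        snprintf(err, errlen, "unrecognized protocol 0x%08lx; closing connection",
                 (unsigned long)dwProtocol);
        return -1;
    }
    err[0] = '\0';
    return 0;
}

#ifdef _WIN32
/* On Windows: query the live context.  'ctx' is the CtxtHandle filled in by
 * the completed InitializeSecurityContext/AcceptSecurityContext exchange. */
int pni_check_negotiated_protocol(CtxtHandle *ctx, char *err, size_t errlen)
{
    SecPkgContext_ConnectionInfo info;
    SECURITY_STATUS st = QueryContextAttributes(ctx, SECPKG_ATTR_CONNECTION_INFO, &info);
    if (st != SEC_E_OK) {
        snprintf(err, errlen, "QueryContextAttributes failed: 0x%08lx", (unsigned long)st);
        return -1;
    }
    return pni_post_handshake_check(info.dwProtocol, err, errlen);
}
#endif

/* Stand-alone demonstration on constructed dwProtocol values (client side). */
int main(void)
{
    DWORD samples[] = { SP_PROT_TLS1_2_CLIENT, SP_PROT_TLS1_0_CLIENT, SP_PROT_SSL3_CLIENT };
    char err[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = pni_post_handshake_check(samples[i], err, sizeof err);
        printf("%-8s -> %s%s\n", pni_protocol_name(samples[i]),
               rc == 0 ? "accept" : "reject: ", rc == 0 ? "" : err);
    }
    return 0;
}
```

The point of keeping pni_post_handshake_check() separate from the Windows-only query is that the policy (reject SSL 3.0 whatever the registry says, and reject anything unrecognized) can be unit-tested without an SChannel context; the Windows wrapper just feeds it the dwProtocol the library reports. Call it immediately after the handshake loop returns SEC_E_OK and before any application data is exchanged.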