Cliff Jansen created PROTON-719:
-----------------------------------
Summary: Disable SSL v3 for Windows SChannel
Key: PROTON-719
URL: https://issues.apache.org/jira/browse/PROTON-719
Project: Qpid Proton
Issue Type: Bug
Components: proton-j
Affects Versions: 0.8
Environment: Windows
Reporter: Cliff Jansen
Assignee: Cliff Jansen
Fix For: 0.8
Windows advisory:
https://technet.microsoft.com/en-us/library/security/3009008.aspx
See especially part 3: "Disable SSL 3.0 in Windows", but note that a similar
registry setting exists for CLIENT.
SChannel works differently from OpenSSL: SChannel can override default
protocols (in registry), but cannot override "enabled" protocols (also in
registry). A user or global administrator can force AMQP 1.0 SChannel
connections to succeed during protocol negotiations over SSLv3 despite Proton's
best efforts.
Possible solutions on Windows:
1. always fail after the fact if an SSLv3 connection has actually been
established
2. succeed for SSLv3 if registry allows it, but log a warning
3. succeed for SSLv3 only if registry allows it and env variable
PROTON_SSLV3_UNSAFE=override_by_user
Since SSLv3 is not considered secure, and there are no known legacy AMQP 1.0
implementations that are unable to provide TLS 1.0 or above, #1 seems to provide
the greatest security without known inconvenience.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
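Added worked example (editorial addition; not code from this issue or from the Qpid Proton code base). It models the three options listed above as a selectable policy applied after the SChannel handshake has already completed, which is the point at which Proton can still refuse a connection the registry allowed to negotiate SSL 3.0. On Windows the negotiated protocol would come from QueryContextAttributes with SECPKG_ATTR_CONNECTION_INFO (field dwProtocol); here that value is passed in directly so the decision logic can be compiled and run anywhere. The SP_PROT_* constants on the non-Windows path are assumed copies of the schannel.h values, the function names are hypothetical, and the PROTON_SSLV3_UNSAFE variable and its override_by_user value are taken from option 3 in the issue text. Treating SSL 2.0 and PCT as unconditionally rejected, regardless of policy, is an added design choice the issue does not discuss.

```c
/*
 * Added example for PROTON-719; not code from the issue or from Qpid Proton.
 * It models the "fail after the fact" check (option 1) plus the warn (2) and
 * env-override (3) variants as a selectable policy. On Windows the negotiated
 * protocol is read after the handshake returns SEC_E_OK with
 *   SecPkgContext_ConnectionInfo info;
 *   QueryContextAttributes(&ctx, SECPKG_ATTR_CONNECTION_INFO, &info);
 * and is info.dwProtocol; here that value is passed in directly so the logic
 * runs without SChannel. The SP_PROT_* values below mirror schannel.h.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <schannel.h>
#else
/* Assumed copies of the schannel.h protocol identifiers (single bits). */
#define SP_PROT_PCT1_SERVER   0x00000001UL
#define SP_PROT_PCT1_CLIENT   0x00000002UL
#define SP_PROT_SSL2_SERVER   0x00000004UL
#define SP_PROT_SSL2_CLIENT   0x00000008UL
#define SP_PROT_SSL3_SERVER   0x00000010UL
#define SP_PROT_SSL3_CLIENT   0x00000020UL
#define SP_PROT_TLS1_0_SERVER 0x00000040UL
#define SP_PROT_TLS1_0_CLIENT 0x00000080UL
#define SP_PROT_TLS1_1_SERVER 0x00000100UL
#define SP_PROT_TLS1_1_CLIENT 0x00000200UL
#define SP_PROT_TLS1_2_SERVER 0x00000400UL
#define SP_PROT_TLS1_2_CLIENT 0x00000800UL
#endif

#define PROT_SSL3_BITS     (SP_PROT_SSL3_SERVER | SP_PROT_SSL3_CLIENT)
#define PROT_PRE_SSL3_BITS (SP_PROT_PCT1_SERVER | SP_PROT_PCT1_CLIENT | \
                            SP_PROT_SSL2_SERVER | SP_PROT_SSL2_CLIENT)

typedef enum {
  SSL3_POLICY_REJECT,        /* option 1: always fail an SSLv3 connection */
  SSL3_POLICY_WARN,          /* option 2: allow but log a warning */
  SSL3_POLICY_ENV_OVERRIDE   /* option 3: allow only with the env override */
} ssl3_policy_t;

/* Human-readable name for a dwProtocol value, for log messages. */
const char *protocol_name(unsigned long dw_protocol) {
  if (dw_protocol & (SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_2_CLIENT)) return "TLS 1.2";
  if (dw_protocol & (SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_1_CLIENT)) return "TLS 1.1";
  if (dw_protocol & (SP_PROT_TLS1_0_SERVER | SP_PROT_TLS1_0_CLIENT)) return "TLS 1.0";
  if (dw_protocol & PROT_SSL3_BITS) return "SSL 3.0";
  if (dw_protocol & (SP_PROT_SSL2_SERVER | SP_PROT_SSL2_CLIENT)) return "SSL 2.0";
  if (dw_protocol & (SP_PROT_PCT1_SERVER | SP_PROT_PCT1_CLIENT)) return "PCT 1.0";
  return "unknown";
}

/*
 * Decide whether an already-completed handshake may be kept.
 * env_override is the value of PROTON_SSLV3_UNSAFE (NULL if unset); it is a
 * parameter rather than a getenv() call so the decision is testable.
 * Returns 1 to keep the connection, 0 to tear it down.
 */
int post_handshake_check(unsigned long dw_protocol, ssl3_policy_t policy,
                         const char *env_override) {
  /* Added design choice: nothing older than SSL 3.0 is ever acceptable. */
  if (dw_protocol & PROT_PRE_SSL3_BITS) {
    fprintf(stderr, "error: negotiated %s; closing connection\n",
            protocol_name(dw_protocol));
    return 0;
  }
  if (!(dw_protocol & PROT_SSL3_BITS))
    return 1;  /* TLS 1.0 or newer: fine */

  switch (policy) {
  case SSL3_POLICY_REJECT:
    fprintf(stderr, "error: SSL 3.0 negotiated (registry permitted it); closing connection\n");
    return 0;
  case SSL3_POLICY_WARN:
    fprintf(stderr, "warning: SSL 3.0 negotiated; connection is not secure\n");
    return 1;
  case SSL3_POLICY_ENV_OVERRIDE:
    if (env_override && strcmp(env_override, "override_by_user") == 0) {
      fprintf(stderr, "warning: SSL 3.0 negotiated; allowed by PROTON_SSLV3_UNSAFE\n");
      return 1;
    }
    fprintf(stderr, "error: SSL 3.0 negotiated without PROTON_SSLV3_UNSAFE override; closing\n");
    return 0;
  }
  return 0;
}

/* Convenience wrapper reading the override from the real environment. */
int post_handshake_check_env(unsigned long dw_protocol, ssl3_policy_t policy) {
  return post_handshake_check(dw_protocol, policy, getenv("PROTON_SSLV3_UNSAFE"));
}

int main(void) {
  /* Constructed dwProtocol values standing in for QueryContextAttributes results. */
  unsigned long negotiated[] = { SP_PROT_TLS1_2_CLIENT, SP_PROT_SSL3_CLIENT, SP_PROT_SSL2_CLIENT };
  size_t i;
  for (i = 0; i < sizeof negotiated / sizeof negotiated[0]; i++)
    printf("%s -> %s\n", protocol_name(negotiated[i]),
           post_handshake_check(negotiated[i], SSL3_POLICY_REJECT, NULL) ? "keep" : "drop");
  return 0;
}
```

The check has to run after the handshake, not before, because the issue's point is that the registry can let SChannel negotiate SSL 3.0 no matter what the application asked for; the only reliable control left to the library is to inspect what was actually negotiated and close the connection. With SSL3_POLICY_REJECT the wrapper above implements option 1 from the issue exactly; the other two policies exist only to make the trade-off between the options visible in code.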