ambari-issues mailing list archives

From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-20545) Remove the use of legacy SSL and TLS protocol versions
Date Mon, 22 Jan 2018 15:39:00 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-20545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16334417#comment-16334417 ]

Robert Levas commented on AMBARI-20545:
---------------------------------------

[~lars_francke], though time is an issue... that is not _*the*_ issue here. It seems like,
according to [~jonathan.hurley], we should keep support for TLS but remove SSL protocols.
Do we still think that this is ok?

If, as a community, we think that permanently disabling the SSL* protocols is ok, then I will
see if I can work on it.  However, AMBARI-18910 allows for such protocols to be disabled (or
enabled) via Ambari's configuration (since Ambari 2.4.2). For example:

{code}
security.server.disabled.protocols=SSL|SSLv2|SSLv3
{code}

However, by default it appears that this is not set in the {{ambari.properties}} file.


> Remove the use of legacy SSL and TLS protocol versions
> ------------------------------------------------------
>
>                 Key: AMBARI-20545
>                 URL: https://issues.apache.org/jira/browse/AMBARI-20545
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server, security
>    Affects Versions: 2.4.2
>            Reporter: Andy LoPresto
>            Assignee: Robert Levas
>            Priority: Major
>              Labels: security, ssl, tls
>             Fix For: trunk
>
>
> I notice that the explicit enabling of various protocols still includes SSLv2Hello and
> SSLv3, which are severely broken protocols with numerous known vulnerabilities and not necessary
> for legacy compatibility. Even TLSv1 and TLSv1.1 have been [discouraged since February 2014|https://community.qualys.com/thread/12421],
> when all modern browsers supported TLSv1.2. Is there any reason Ambari still needs to enable
> support for these legacy protocols, and are there any other mitigating controls put in place
> to prevent downgrade, brute force, padding oracle, and weak parameter attacks against these
> protocols? Thanks.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
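The comment above notes that `security.server.disabled.protocols` is a '|'-delimited list and that it is unset by default. The following is an added example, not Ambari code: it reads an `ambari.properties`-style file, parses that property, and reports which of the protocols the ticket calls legacy are still enabled. The LEGACY tuple and the sample property files are this example's own constructed choices, and each protocol name is matched literally against the list.

```python
"""Audit an ambari.properties file for security.server.disabled.protocols
(AMBARI-18910 / AMBARI-20545). Protocols not named in that property stay
enabled. Added example, not Ambari code; LEGACY is this example's choice."""
import re

DISABLED_KEY = "security.server.disabled.protocols"
# Protocols the ticket discussion treats as legacy: SSLv2Hello/SSLv3 as
# broken, TLSv1/TLSv1.1 as discouraged since February 2014.
LEGACY = ("SSL", "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1")


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def disabled_protocols(props):
    """Split the '|'-delimited property into a set; unset property -> empty set."""
    value = props.get(DISABLED_KEY, "")
    return {p.strip() for p in value.split("|") if p.strip()}


def legacy_still_enabled(text):
    """Return the legacy protocols the file does NOT disable, in LEGACY order."""
    disabled = disabled_protocols(parse_properties(text))
    return [p for p in LEGACY if p not in disabled]


# Constructed sample files (not real Ambari defaults).
DEFAULT_LIKE = "# constructed sample\nserver.jdbc.database=postgres\n"
HARDENED = DEFAULT_LIKE + DISABLED_KEY + "=SSL|SSLv2|SSLv3\n"
STRICT = DEFAULT_LIKE + DISABLED_KEY + "=SSL|SSLv2|SSLv2Hello|SSLv3|TLSv1|TLSv1.1\n"

if __name__ == "__main__":
    for name, text in (("unset", DEFAULT_LIKE), ("hardened", HARDENED), ("strict", STRICT)):
        left = legacy_still_enabled(text)
        print(f"{name}: legacy protocols still enabled -> {left or 'none'}")
```

Run against a real `ambari.properties` the same way: an empty result means every name in LEGACY appears in the property; an unset property reports the whole list.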
