From: "Lars Francke (JIRA)"
To: issues@ambari.apache.org
Reply-To: dev@ambari.apache.org
Date: Mon, 22 Jan 2018 10:14:00 +0000 (UTC)
Subject: [jira] [Commented] (AMBARI-20545) Remove the use of legacy SSL and TLS protocol versions

[ https://issues.apache.org/jira/browse/AMBARI-20545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16334102#comment-16334102 ]

Lars Francke commented on AMBARI-20545:
---------------------------------------

[~rlevas] What's the status here? Will you have time to work on it? If not, I could put it on my list and try to get a patch done.
> Remove the use of legacy SSL and TLS protocol versions
> ------------------------------------------------------
>
>                 Key: AMBARI-20545
>                 URL: https://issues.apache.org/jira/browse/AMBARI-20545
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server, security
>    Affects Versions: 2.4.2
>            Reporter: Andy LoPresto
>            Assignee: Robert Levas
>            Priority: Major
>              Labels: security, ssl, tls
>             Fix For: trunk
>
>
> I notice that the explicit enabling of various protocols still includes SSLv2Hello and SSLv3, which are severely broken protocols with numerous known vulnerabilities and not necessary for legacy compatibility. Even TLSv1 and TLSv1.1 have been [discouraged since February 2014|https://community.qualys.com/thread/12421], when all modern browsers supported TLSv1.2. Is there any reason Ambari still needs to enable support for these legacy protocols, and are there any other mitigating controls put in place to prevent downgrade, brute force, padding oracle, and weak parameter attacks against these protocols? Thanks.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
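The protocol names the issue lists (SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2) are the JSSE enabled-protocol list that a Java server such as ambari-server hands to its SSLEngine. As an added example, not Ambari's code and not a patch from this thread, the class below applies an allow-list policy to that list: only TLSv1.2 and later pass, and it fails closed when a configuration would leave nothing acceptable enabled. The class name `TlsProtocolPolicy` and the fail-closed behaviour are assumptions of this example.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Hypothetical helper (not Ambari code): allow-list TLS protocol policy. */
public final class TlsProtocolPolicy {

    // Allow-list rather than deny-list: SSLv2Hello, SSLv3, TLSv1 and TLSv1.1
    // are simply absent, so any other legacy name is rejected as well.
    private static final Set<String> ALLOWED =
            new LinkedHashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2"));

    /**
     * Returns the subset of {@code configured} the policy accepts, in the
     * caller's order. Fails closed: a configuration made only of legacy
     * versions raises an exception instead of enabling an empty or weak set.
     */
    public static String[] harden(String[] configured) {
        Set<String> kept = new LinkedHashSet<>();
        for (String p : configured) {
            if (ALLOWED.contains(p)) {
                kept.add(p);
            }
        }
        if (kept.isEmpty()) {
            throw new IllegalArgumentException(
                    "no acceptable TLS version in " + Arrays.toString(configured));
        }
        return kept.toArray(new String[0]);
    }

    /** Restricts the engine so that only TLSv1.2+ can be negotiated. */
    public static void apply(SSLEngine engine) {
        // A stock JDK still reports SSLv2Hello and SSLv3 as "supported".
        engine.setEnabledProtocols(harden(engine.getSupportedProtocols()));
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        apply(engine);
        System.out.println("enabled:  " + Arrays.toString(engine.getEnabledProtocols()));

        // The weak list from the issue, hardened: the legacy names are dropped.
        String[] weak = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
        System.out.println("hardened: " + Arrays.toString(harden(weak)));
    }
}
```

Run against a JDK that lacks TLSv1.3 the result is `[TLSv1.2]` alone, which is the intended floor; the exception path is what a deployment would hit if its configuration listed only the legacy versions.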