kylin-dev mailing list archives

From "Md Mahir Asef Kabir (Jira)" <j...@apache.org>
Subject [jira] [Created] (KYLIN-4477) Usage of "TLS" is insecure
Date Mon, 04 May 2020 01:43:00 GMT
Md Mahir Asef Kabir created KYLIN-4477:
------------------------------------------

             Summary: Usage of "TLS" is insecure
                 Key: KYLIN-4477
                 URL: https://issues.apache.org/jira/browse/KYLIN-4477
             Project: Kylin
          Issue Type: Improvement
            Reporter: Md Mahir Asef Kabir


*Vulnerability Description:* In the file “engine-mr/src/main/java/org/apache/kylin/engine/mr/common/DefaultSslProtocolSocketFactory.java”,
the following code was written in the
{code:java}
private static SSLContext createEasySSLContext()
{code}
method -
{code:java}
SSLContext context = SSLContext.getInstance("TLS");
{code}
The vulnerability is using "TLS" as the argument to the SSLContext.getInstance method.

*Reason it’s vulnerable:* TLS 1.0 is vulnerable to man-in-the-middle attacks. For further
reference, follow [this|https://www.comodo.com/e-commerce/ssl-certificates/tls-1-deprecation.php].

*Suggested Fix:* Using
{code:java}
SSLContext.getInstance("TLSv1.3");
{code}
*Feedback:* Please select any of the options down below to help us get an idea about how you
felt about the suggestion -
 # Liked it and will make the suggested changes
 # Liked it but happy with the existing version
 # Didn’t find the suggestion helpful



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
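
The following is an added example, not part of the original report and not Kylin's own code: a small Java program that prints which protocol versions a context enables on the running JDK, then restricts an engine to an explicit allow-list. The class name, the allow-list and the use of the default trust managers are assumptions, and it assumes a JDK that supports TLSv1.3 (JDK 11 or later).

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.Arrays;
import java.util.List;

public class TlsProtocolCheck {
    // Hypothetical allow-list chosen for this example.
    private static final String[] ALLOWED = {"TLSv1.3", "TLSv1.2"};

    // Builds a context by name with the JDK's default key and trust managers.
    static SSLContext createContext(String name) throws Exception {
        SSLContext context = SSLContext.getInstance(name);
        context.init(null, null, null);
        return context;
    }

    // Returns an engine whose enabled protocols are limited to the allow-list.
    static SSLEngine restrictedEngine(SSLContext context) {
        SSLEngine engine = context.createSSLEngine();
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        String[] protocols = Arrays.stream(ALLOWED)
                .filter(supported::contains)
                .toArray(String[]::new);
        if (protocols.length == 0) {
            // Fail closed rather than fall back to whatever the provider enables.
            throw new IllegalStateException("No allowed TLS version is supported");
        }
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(protocols);
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Show what each context name enables by default on this JDK.
        for (String name : new String[] {"TLS", "TLSv1.3"}) {
            SSLContext context = createContext(name);
            String[] enabled = context.getDefaultSSLParameters().getProtocols();
            System.out.println(name + " enables by default: " + Arrays.toString(enabled));
        }
        SSLEngine engine = restrictedEngine(createContext("TLSv1.3"));
        System.out.println("After allow-list: "
                + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

The printed lists depend on the JDK version and on the `jdk.tls.disabledAlgorithms` security property, so run it on the same runtime that the application is deployed on.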
