thrift-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (THRIFT-4084) Improve SSL security in thrift by adding a make cross client that checks to make sure SSLv3 protocol cannot be negotiated
Date Sun, 19 Feb 2017 01:48:44 GMT

    [ https://issues.apache.org/jira/browse/THRIFT-4084?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15873397#comment-15873397 ]

ASF GitHub Bot commented on THRIFT-4084:
----------------------------------------

GitHub user jeking3 opened a pull request:

    https://github.com/apache/thrift/pull/1197

    THRIFT-4084: Add a SSL/TLS negotiation check to crosstest to verify SSLv3 is not active and that TLSv1.0 through 1.2 are accepted

    Fixed the following server implementations to properly disable SSLv3 when using default settings:
    go, nodejs, perl, py3

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/jeking3/thrift THRIFT-4084

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/thrift/pull/1197.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1197
    
----
commit 608329ba5cba941c67205f6e453b1173b6cd9c21
Author: James E. King, III <jim.king@simplivity.com>
Date:   2017-02-12T22:53:05Z

    THRIFT-4084: Add a SSL/TLS negotiation check to crosstest to verify SSLv3 is not active and that TLSv1.0 through 1.2 are accepted.
    Client: go, nodejs, perl, python

----


> Improve SSL security in thrift by adding a make cross client that checks to make sure SSLv3 protocol cannot be negotiated
> -------------------------------------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-4084
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4084
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Test Suite
>    Affects Versions: 0.10.0
>         Environment: Ubuntu Dockerfile
>            Reporter: James E. King, III
>            Assignee: James E. King, III
>              Labels: cross-validation, security, ssl, tls
>
> Following code review discussions in THRIFT-3369, and seeing THRIFT-3165 in the backlog,
> I want to add a make cross "language" which isn't a language at all, but a test that checks
> to see if it is possible to negotiate at various SSL/TLS protocol versions.  This would be
> a client-only test, likely just a bash script that leverages the openssl client and command
> line options to connect to a test server and see if it handshakes and negotiates protocol
> successfully.
> Without THRIFT-3165 implemented, it will ensure:
> * Can handshake using the universal SSLv23 context, however cannot negotiate SSLv3
> * Can negotiate TLSv1.0, TLSv1.1, and TLSv1.2
> With THRIFT-3165 it needs to change to ensure:
> * Can handshake using TLSv1.2 but not any other version
> The solution I came up with was to add a new client called "secure" to make crosstest.
> test_secure is a simple bash script that checks the appropriate rules above (the ones without
> THRIFT-3165, since it is not done), and I added "secure" to the list of cross test "languages"
> in the top level configure script.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
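
The negotiation rules listed in the issue (the set without THRIFT-3165), sketched as an added example that is not Thrift's test_secure script or any code from the pull request. The function names `probe` and `check_policy` are hypothetical, and treating "the universal SSLv23 context" as `openssl s_client` with no version flag is an assumption.

```shell
#!/bin/sh
# Added example, not Thrift's test_secure. Policy from the issue: default
# negotiation and TLSv1.0-1.2 must handshake; SSLv3 must be refused.

# probe HOST:PORT [FLAG] -> prints ok | fail | skip   (hypothetical helper)
probe() {
    target=$1 flag=${2:-}
    # A client built without a protocol cannot prove the server refuses it,
    # so report "skip" instead of a misleading "fail".
    if [ -n "$flag" ] && ! openssl s_client -help 2>&1 | grep -q -e "$flag"; then
        echo skip; return
    fi
    # Assumption: s_client exits non-zero when the handshake does not complete.
    # $flag is left unquoted so an empty flag adds no argument.
    if openssl s_client -connect "$target" $flag </dev/null >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# check_policy NAME=RESULT... -> 0 pass, 1 violation, 2 inconclusive
check_policy() {
    rc=0
    for pair in "$@"; do
        name=${pair%%=*} result=${pair#*=}
        case "$name:$result" in
            ssl3:fail) ;;   # SSLv3 refused, as required
            ssl3:ok)   echo "VIOLATION: SSLv3 negotiated"; rc=1 ;;
            ssl3:skip) echo "INCONCLUSIVE: local openssl lacks -ssl3"
                       if [ "$rc" -eq 0 ]; then rc=2; fi ;;
            *:ok)      ;;   # required protocol handshakes
            *)         echo "VIOLATION: $name did not handshake ($result)"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh check_tls.sh HOST:PORT   (defines the functions only when run bare)
if [ $# -ge 1 ]; then
    check_policy "auto=$(probe "$1")" "ssl3=$(probe "$1" -ssl3)" \
        "tls1=$(probe "$1" -tls1)" "tls1_1=$(probe "$1" -tls1_1)" \
        "tls1_2=$(probe "$1" -tls1_2)"
fi
```

An exit status of 2 means the SSLv3 check could not be performed with the local openssl build, which should be treated as a test gap and not as a pass.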
