thrift-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (THRIFT-4084) Improve SSL security in thrift by adding a make cross client that checks to make sure SSLv3 protocol cannot be negotiated
Date Sun, 19 Feb 2017 11:11:44 GMT

    [ https://issues.apache.org/jira/browse/THRIFT-4084?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15873642#comment-15873642
] 

ASF GitHub Bot commented on THRIFT-4084:
----------------------------------------

Github user jeking3 commented on a diff in the pull request:

    https://github.com/apache/thrift/pull/1197#discussion_r101914676
  
    --- Diff: test/tests.json ---
    @@ -606,5 +606,23 @@
           "compact"
         ],
         "workdir": "rs/bin"
    +  },
    +  {
    +    "name": "secure",
    +    "client": {
    +      "command": [
    +        "test_secure.bash"
    +      ]
    +    },
    +    "transports": [
    +      "buffered"
    +    ],
    +    "sockets": [
    +      "ip-ssl"
    +    ],
    +    "protocols": [
    +      "binary"
    +    ],
    +    "workdir": "secure"
    --- End diff --
    
    I do not see where crossfeature is executed during Travis CI.  Which build job runs it?


> Improve SSL security in thrift by adding a make cross client that checks to make sure
SSLv3 protocol cannot be negotiated
> -------------------------------------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-4084
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4084
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Test Suite
>    Affects Versions: 0.10.0
>         Environment: Ubuntu Dockerfile
>            Reporter: James E. King, III
>            Assignee: James E. King, III
>              Labels: cross-validation, security, ssl, tls
>
> Following code review discussions in THRIFT-3369, and seeing THRIFT-3165 in the backlog,
I want to add a make cross "language" which isn't a language at all, but a test that checks
to see if it is possible to negotiate at various SSL/TLS protocol versions.  This would be
a client-only test, likely just a bash script that leverages the openssl client and command
line options to connect to a test server and see if it handshakes and negotiates protocol
successfully.
> Without THRIFT-3165 implemented, it will ensure:
> * Can handshake using the universal SSLv23 context, however cannot negotiate SSLv3
> * Can negotiate TLSv1.0, TLSv1.1, and TLSv1.2
> With THRIFT-3165 it needs to change to ensure:
> * Can handshake using TLSv1.2 but not any other version
> The solution I came up with was to add a new client called "secure" to make crosstest.
 test_secure is a simple bash script that checks the appropriate rules above (the ones without
THRIFT-3165, since it is not done), and I added "secure" to the list of cross test "languages"
in the top level configure script.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message