thrift-dev mailing list archives

From "James E. King III (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (THRIFT-3165) Disable unsafe TLSv1.0 and TLSv1.1 by default
Date Wed, 17 Jul 2019 02:36:00 GMT

     [ https://issues.apache.org/jira/browse/THRIFT-3165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James E. King III updated THRIFT-3165:
--------------------------------------
    Labels: Breaking-Change SSL SSLSocketFactory Security TLS  (was: SSL SSLSocketFactory Security TLS)

> Disable unsafe TLSv1.0 and TLSv1.1 by default
> ---------------------------------------------
>
>                 Key: THRIFT-3165
>                 URL: https://issues.apache.org/jira/browse/THRIFT-3165
>             Project: Thrift
>          Issue Type: Improvement
>          Components: C++ - Library
>    Affects Versions: 0.9.2
>            Reporter: James E. King III
>            Assignee: James E. King III
>            Priority: Major
>              Labels: Breaking-Change, SSL, SSLSocketFactory, Security, TLS
>
> Thrift provides an SSL implementation and implements some best practices (for example,
SSLv2 and SSLv3 are disabled). The current mechanism in the C++ library to control the protocol
negotiation is unnecessarily complex.
> The current behavior is to use an enumeration to set the protocol level. The methods
these call are deprecated in OpenSSL 1.1 and do not provide the desired control.
> The proposed new behavior is to:
>  * Remove SSLProtocol
>  * Require the consumer to subclass SSLContext and call SSL_CTX_set_options to disable certain behaviors, like negotiation protocol levels.
> For example the following SSLContext subclass will allow connections at TLSv1.1 or later, whereas the default will only allow TLSv1.2 or later:
> {noformat}
> #include <openssl/ssl.h>
> #include <thrift/transport/TSSLSocket.h>
>
> using apache::thrift::transport::SSLContext;
>
> class CustomSSLContext : public SSLContext
> {
>   public:
>     CustomSSLContext() : SSLContext()
>     {
>         // The base SSLContext constructor sets SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3,
>         // SSL_OP_NO_TLSv1 and SSL_OP_NO_TLSv1_1. Clear the last one so that
>         // TLSv1.1 can be negotiated again (get() returns the underlying SSL_CTX*).
>         SSL_CTX_clear_options(get(), SSL_OP_NO_TLSv1_1);
>     }
> };
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
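Editor's added example, not code from the issue or from Thrift: the proposal above hands consumers the raw OpenSSL SSL_OP_NO_* option word, so it is worth seeing what a given option word actually leaves negotiable. The block below models SSL_CTX_set_options / SSL_CTX_clear_options as the OR/AND-NOT operations they are, starts from the option set the issue says SSLContext applies (SSLv2, SSLv3, TLSv1.0 and TLSv1.1 disabled), and computes the effective protocol range under OpenSSL's contiguity rule (an SSL_OP_NO_X bit with a lower version still enabled also disables everything above X; this is my reading of ssl_get_min_max_version in OpenSSL 1.1 and should be checked against the version you link). The real <openssl/ssl.h> is used when present; the fallback constant values are the OpenSSL 1.1.x ones and are only an assumption for builds without the header. SSLv2 is left out because OpenSSL 1.1 does not implement it.

```cpp
// Added example (not Thrift's or the issue's own code): models the OpenSSL
// SSL_OP_NO_* option word that the proposed SSLContext design exposes and
// shows which protocol range a given option word actually leaves negotiable.
#include <cstdint>
#include <cstdio>
#include <string>

// Prefer the real OpenSSL constants when the header is available. The
// fallback values are the OpenSSL 1.1.x ones (an assumption of this example)
// and are only used when the header is absent; no linking against libssl.
#ifdef __has_include
# if __has_include(<openssl/ssl.h>)
#  include <openssl/ssl.h>
# endif
#endif
#ifndef SSL_OP_NO_SSLv3
# define SSL_OP_NO_SSLv3   0x02000000U
#endif
#ifndef SSL_OP_NO_TLSv1
# define SSL_OP_NO_TLSv1   0x04000000U
#endif
#ifndef SSL_OP_NO_TLSv1_2
# define SSL_OP_NO_TLSv1_2 0x08000000U
#endif
#ifndef SSL_OP_NO_TLSv1_1
# define SSL_OP_NO_TLSv1_1 0x10000000U
#endif
#ifndef SSL_OP_NO_TLSv1_3
# define SSL_OP_NO_TLSv1_3 0x20000000U  // only defined by OpenSSL 1.1.1+
#endif

// Versions in ascending order; SSLv2 omitted (no SSLv2 code in OpenSSL 1.1).
enum class Proto { SSLv3 = 0, TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3 };

struct ProtoRange {
    bool  empty;  // true: no version left enabled, every handshake fails
    Proto min;
    Proto max;
};

static const uint64_t kNoBit[] = {
    SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1,
    SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3,
};

// The option set the issue says Thrift's SSLContext constructor applies:
// SSLv3 and TLS 1.0/1.1 off (SSLv2 is a no-op bit in OpenSSL 1.1).
uint64_t thrift_default_options() {
    return SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
}

// Same effect on the option word as SSL_CTX_set_options (OR bits in) and
// SSL_CTX_clear_options (AND bits out).
uint64_t set_options(uint64_t opts, uint64_t mask)   { return opts | mask; }
uint64_t clear_options(uint64_t opts, uint64_t mask) { return opts & ~mask; }

// Effective negotiable range. OpenSSL keeps the enabled versions contiguous:
// a NO bit with some lower version still enabled also disables everything
// above it, so the usable range is the first run of enabled versions counted
// from the lowest one (my reading of OpenSSL 1.1's ssl_get_min_max_version).
ProtoRange effective_range(uint64_t opts) {
    ProtoRange r{true, Proto::SSLv3, Proto::SSLv3};
    const int n = sizeof(kNoBit) / sizeof(kNoBit[0]);
    for (int i = 0; i < n; ++i) {
        const bool enabled = (opts & kNoBit[i]) == 0;
        if (r.empty) {
            if (enabled) { r.empty = false; r.min = r.max = static_cast<Proto>(i); }
        } else if (enabled) {
            r.max = static_cast<Proto>(i);
        } else {
            break;  // the first hole after the run ends the range
        }
    }
    return r;
}

std::string describe(const ProtoRange& r) {
    static const char* names[] = {"SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"};
    if (r.empty) return "nothing negotiable";
    return std::string(names[static_cast<int>(r.min)]) + ".." + names[static_cast<int>(r.max)];
}

int main() {
    const uint64_t def    = thrift_default_options();
    // The issue's CustomSSLContext: clear the TLS 1.1 bit on top of the default.
    const uint64_t custom = clear_options(def, SSL_OP_NO_TLSv1_1);
    // Pitfall: clearing only the TLS 1.0 bit leaves a hole at 1.1, and the
    // contiguity rule then drops 1.2 and 1.3 as well.
    const uint64_t hole   = clear_options(def, SSL_OP_NO_TLSv1);
    // Pitfall: adding NO_TLSv1_2 | NO_TLSv1_3 to the default leaves nothing.
    const uint64_t none   = set_options(def, SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
    std::printf("default : %s\n", describe(effective_range(def)).c_str());
    std::printf("custom  : %s\n", describe(effective_range(custom)).c_str());
    std::printf("hole    : %s\n", describe(effective_range(hole)).c_str());
    std::printf("none    : %s\n", describe(effective_range(none)).c_str());
    return 0;
}
```

Two practical notes for anyone subclassing SSLContext this way: a version that was compiled out of the OpenSSL build (for example a distribution built with no-tls1 or no-tls1_1) counts as a hole too, so the same truncation applies even when the option bits look right; and on OpenSSL 1.1.0 and later the SSL_OP_NO_* bits are deprecated in favour of SSL_CTX_set_min_proto_version / SSL_CTX_set_max_proto_version, which express a range directly and cannot create a hole.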
