Posted to issues@ambari.apache.org by "Jonathan Hurley (JIRA)" <ji...@apache.org> on 2017/05/01 14:23:04 UTC

[jira] [Commented] (AMBARI-20545) Remove the use of legacy SSL and TLS protocol versions

    [ https://issues.apache.org/jira/browse/AMBARI-20545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15990855#comment-15990855 ] 

Jonathan Hurley commented on AMBARI-20545:
------------------------------------------

Lowest support version is TLS v1.1, I believe. I think it's safe to disable SSL*. 

> Remove the use of legacy SSL and TLS protocol versions
> ------------------------------------------------------
>
>                 Key: AMBARI-20545
>                 URL: https://issues.apache.org/jira/browse/AMBARI-20545
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server, security
>    Affects Versions: 2.4.2
>            Reporter: Andy LoPresto
>            Assignee: Robert Levas
>              Labels: security, ssl, tls
>             Fix For: 2.5.1
>
>
> I notice that the explicit enabling of various protocols still includes SSLv2Hello and SSLv3, which are severely broken protocols with numerous known vulnerabilities and not necessary for legacy compatibility. Even TLSv1 and TLSv1.1 have been [discouraged since February 2014|https://community.qualys.com/thread/12421], when all modern browsers supported TLSv1.2. Is there any reason Ambari still needs to enable support for these legacy protocols, and are there any other mitigating controls put in place to prevent downgrade, brute force, padding oracle, and weak parameter attacks against these protocols? Thanks. 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
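As an added illustration that is not part of the JIRA thread and not Ambari's own code (Ambari server is Java, so this is the Python equivalent of the server-side hardening the issue asks for), the block below does two things: it audits a comma-separated enabled-protocol list of the kind the reporter describes (the exact format and the `SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2` sample are constructed assumptions, not Ambari's configuration), stripping the legacy entries while refusing to leave the server with no TLS 1.2+ protocol; and it builds a server `ssl.SSLContext` whose floor is TLS 1.2 and exposes an audit function so a deployment check can assert that nothing below TLS 1.2 is negotiable. The cipher string and the compression setting are this example's own choices.

```python
import ssl

# Names that should never appear in a server's enabled-protocol list.
# "SSLv2Hello" is the legacy hello format rather than a protocol version,
# but enabling it allows a handshake to open with the SSLv2 record layer.
LEGACY_PROTOCOLS = frozenset({"SSLv2Hello", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"})
MODERN_PROTOCOLS = frozenset({"TLSv1.2", "TLSv1.3"})


def harden_protocol_list(configured: str) -> tuple[list[str], list[str]]:
    """Split a comma-separated enabled-protocol list (a constructed format,
    assumed for this example) into (kept, removed), preserving order.
    Names that are neither legacy nor modern are kept for manual review.
    Raises ValueError rather than returning a list with no TLS 1.2+ entry,
    since that would leave the server unable to accept any connection."""
    kept: list[str] = []
    removed: list[str] = []
    for raw in configured.split(","):
        name = raw.strip()
        if not name:
            continue
        if name in LEGACY_PROTOCOLS:
            removed.append(name)
        else:
            kept.append(name)
    if not any(name in MODERN_PROTOCOLS for name in kept):
        raise ValueError("no TLS 1.2+ protocol left enabled in: " + configured)
    return kept, removed


def hardened_server_context() -> ssl.SSLContext:
    """Server context that cannot negotiate SSLv3, TLS 1.0 or TLS 1.1.
    Setting the floor explicitly means the result does not depend on the
    Python or OpenSSL build defaults."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    # TLS-level compression enables compression side channels; leave it off.
    ctx.options |= ssl.OP_NO_COMPRESSION
    # Forward-secret AEAD suites only (example choice, not Ambari's list).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report the configured version floor and ceiling and whether any
    pre-TLS-1.2 version is still reachable, for use in a deployment check."""
    floor = ctx.minimum_version
    return {
        "minimum_version": floor.name,
        "maximum_version": ctx.maximum_version.name,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "legacy_reachable": floor < ssl.TLSVersion.TLSv1_2,
    }


if __name__ == "__main__":
    # Constructed sample matching the legacy list the reporter describes.
    kept, removed = harden_protocol_list("SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2")
    print("keep:", kept, "drop:", removed)
    print(audit_context(hardened_server_context()))
```

`audit_context` reports the floor the context was configured with, so a context left at `MINIMUM_SUPPORTED` is flagged as legacy-reachable even on an OpenSSL build that happens to refuse old versions on its own; the point of the check is that the hardening is explicit in configuration, not inherited from the library.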