You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@thrift.apache.org by "James E. King, III (JIRA)" <ji...@apache.org> on 2015/05/19 21:00:00 UTC

[jira] [Updated] (THRIFT-3164) Thrift C++ library SSL socket by default allows for unsecure SSLv3 negotiation

     [ https://issues.apache.org/jira/browse/THRIFT-3164?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James E. King, III updated THRIFT-3164:
---------------------------------------
    Description: 
The TSSLSocketFactory allows for both SSLv3 and TLSv1 handshake.  SSLv3 is ancient and has a serious security flaw:
http://disablessl3.com/

Recommend changing the default/minimum in Thrift to TLSv1.  Add a test to prove SSLv3 client cannot connect by default, and that TLSv1_0, _1, and _2 can all connect.

THRIFT-3165 takes the recommendation a step further and suggests the default should be TLS v1.2 or later, and the third party using Thrift can decide if they want to allow less-secure ciphers.

  was:
The TSSLSocketFactory allows for both SSLv3 and TLSv1 handshake.  SSLv3 is ancient and has a serious security flaw:
http://disablessl3.com/

Recommend changing the default/minimum in Thrift to TLSv1.  Add a test to prove SSLv3 client cannot connect by default, and that TLSv1_0, _1, and _2 can all connect.


> Thrift C++ library SSL socket by default allows for unsecure SSLv3 negotiation
> ------------------------------------------------------------------------------
>
>                 Key: THRIFT-3164
>                 URL: https://issues.apache.org/jira/browse/THRIFT-3164
>             Project: Thrift
>          Issue Type: Bug
>          Components: C++ - Library
>    Affects Versions: 0.8, 0.9, 0.9.1, 0.9.2
>            Reporter: James E. King, III
>            Priority: Critical
>              Labels: SSL, SSLSocketFactory, Security
>
> The TSSLSocketFactory allows for both SSLv3 and TLSv1 handshake.  SSLv3 is ancient and has a serious security flaw:
> http://disablessl3.com/
> Recommend changing the default/minimum in Thrift to TLSv1.  Add a test to prove SSLv3 client cannot connect by default, and that TLSv1_0, _1, and _2 can all connect.
> THRIFT-3165 takes the recommendation a step further and suggests the default should be TLS v1.2 or later, and the third party using Thrift can decide if they want to allow less-secure ciphers.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)