You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@qpid.apache.org by "Walter Rowe (JIRA)" <ji...@apache.org> on 2017/08/25 15:49:02 UTC

[jira] [Commented] (QPID-6490) Configure SSL ciphers

    [ https://issues.apache.org/jira/browse/QPID-6490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16141794#comment-16141794 ] 

Walter Rowe commented on QPID-6490:
-----------------------------------

It appears that src/qpid/sys/ssl/util.cpp defines what options and what SSL protocols / ciphers are accepted.

https://github.com/apache/qpid-cpp/blob/f91a23c59e18fcdc1560687e14813346468fec3d/src/qpid/sys/ssl/util.cpp
See lines 111+.
// disable SSLv2 and SSLv3 versions of the protocol - they are no longer considered secure

We need config file options to specify protocols and ciphers like apache provides.

> Configure SSL ciphers
> ---------------------
>
>                 Key: QPID-6490
>                 URL: https://issues.apache.org/jira/browse/QPID-6490
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>    Affects Versions: 0.30
>         Environment: Linux
>            Reporter: Brant Knudson
>              Labels: security
>
> qpid-cpp must allow an admin to set the SSL ciphers / protocols that they want the server to allow. The default should be ciphers / protocols that don't have known security vulnerabilities like SSLv3 (POODLE) and RC4 ciphers (Bar Mitzvah)
> With CVE-2015-2808 (a.k.a. Bar Mitzvah affecting RC4 ciphers) and other recent vulnerabilities found in different ciphers / protocols, we need to be able to disable ciphers / protocols easily.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org