Posted to issues@nifi.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2020/12/10 16:55:00 UTC

[jira] [Commented] (NIFI-7913) ListenSMTP Allows TLS 1.0 and 1.1 Regardless of TLS Protocol Configured

    [ https://issues.apache.org/jira/browse/NIFI-7913?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17247360#comment-17247360 ] 

ASF subversion and git services commented on NIFI-7913:
-------------------------------------------------------

Commit 7bff64b3cf37700407a51d896d0349853eaed733 in nifi's branch refs/heads/main from exceptionfactory
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=7bff64b ]

NIFI-7913 Added getEnabledProtocols() to TlsConfiguration and updated ListenSMTP to set enabled protocols on SSL Sockets

NIFI-7913 Changed order of supported protocols to match existing comments in SSLContextService

This closes #4599

Signed-off-by: Nathan Gough <th...@gmail.com>


> ListenSMTP Allows TLS 1.0 and 1.1 Regardless of TLS Protocol Configured
> -----------------------------------------------------------------------
>
>                 Key: NIFI-7913
>                 URL: https://issues.apache.org/jira/browse/NIFI-7913
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Extensions
>    Affects Versions: 1.12.0
>         Environment: Fedora 32
> OpenJDK 1.8.0_265
> OpenJDK 11.0.8
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Major
>              Labels: SMTP, TLS, security
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> ListenSMTP supports TLS communication using a configurable RestrictedSSLContextService as of NIFI-4335.  Regardless of setting the _TLS Protocol_ property to _TLS_ or a specific TLS version, ListenSMTP accepts TLS communication using TLS 1.0 or TLS 1.1 in addition to TLS 1.2, or TLS 1.3 under Java 11.
> This can be reproduced at runtime by configuring ListenSMTP with a StandardRestrictedSSLContextService and using the following OpenSSL command to run the STARTTLS command.
> For TLS 1.0:
> openssl s_client -host localhost -port 2525 -starttls smtp tls1
> For TLS 1.1:
> openssl s_client -host localhost -port 2525 -starttls smtp tls1_1
> The response output should include the negotiated cipher and SSL Session-ID.
> This can also be reproduced in unit tests by specifying the _mail.smtp.ssl.protocols_ property with either _TLSv1_ or _TLSv1.1_ when configuring the Java Mail Session.
> Setting specific enabled protocols on the created SSLSocket should disable legacy TLS protocols.  Resolution should include support for either a specific TLS version, or secure TLS versions based on the runtime Java version.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
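The defect in the issue above is that an SSLSocket created from the service's SSLContext keeps the JVM's default enabled protocol list, which on Java 8 still includes TLSv1 and TLSv1.1, unless the processor calls setEnabledProtocols() explicitly. The following stand-alone Java program is an added illustration of that fix and is not NiFi's code: the class and method names (EnabledProtocolsExample, resolveEnabledProtocols, createServerSocket) and the LEGACY set are hypothetical, and the interpretation of the _TLS_ setting as "every non-legacy protocol the runtime supports" is taken from the issue text rather than from the committed TlsConfiguration.getEnabledProtocols() implementation.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import java.io.IOException;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Added example, not NiFi code: derive the enabled protocol list from a configured
 * "TLS Protocol" value and apply it to the server socket, so that TLS 1.0 / 1.1 are
 * never negotiated even though the JVM lists them as supported.
 */
public class EnabledProtocolsExample {

    // Hypothetical legacy set for this example, mirroring the protocols named in the issue.
    private static final Set<String> LEGACY =
            new LinkedHashSet<>(Arrays.asList("SSLv3", "TLSv1", "TLSv1.1"));

    // "TLS" means every non-legacy TLS protocol the runtime supports (TLSv1.2, plus TLSv1.3
    // where the JVM offers it); a specific value such as "TLSv1.2" means exactly that version.
    static String[] resolveEnabledProtocols(String configuredProtocol, String[] supportedProtocols) {
        if ("TLS".equals(configuredProtocol)) {
            return Arrays.stream(supportedProtocols)
                    .filter(p -> p.startsWith("TLSv") && !LEGACY.contains(p))
                    .toArray(String[]::new);
        }
        if (!Arrays.asList(supportedProtocols).contains(configuredProtocol)) {
            throw new IllegalArgumentException("Protocol not supported by runtime: " + configuredProtocol);
        }
        return new String[] { configuredProtocol };
    }

    static SSLServerSocket createServerSocket(SSLContext context, String configuredProtocol, int port)
            throws IOException {
        SSLServerSocketFactory factory = context.getServerSocketFactory();
        SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(port);
        // Without this call the socket keeps the JVM defaults, which on Java 8 include
        // TLSv1 and TLSv1.1: that is the behaviour the issue reports.
        socket.setEnabledProtocols(resolveEnabledProtocols(configuredProtocol, socket.getSupportedProtocols()));
        return socket;
    }

    public static void main(String[] args) throws Exception {
        SSLContext context = SSLContext.getInstance("TLS");
        // Default key and trust managers are enough to inspect protocol lists; no keystore needed here.
        context.init(null, null, null);
        String[] supported = context.getSupportedSSLParameters().getProtocols();
        System.out.println("supported by runtime: " + Arrays.toString(supported));
        System.out.println("configured TLS     -> " + Arrays.toString(resolveEnabledProtocols("TLS", supported)));
        System.out.println("configured TLSv1.2 -> " + Arrays.toString(resolveEnabledProtocols("TLSv1.2", supported)));

        // Bind to an ephemeral port and confirm no legacy protocol remains enabled on the socket.
        try (SSLServerSocket socket = createServerSocket(context, "TLS", 0)) {
            for (String p : socket.getEnabledProtocols()) {
                if (LEGACY.contains(p)) {
                    throw new AssertionError("legacy protocol still enabled: " + p);
                }
            }
            System.out.println("enabled on socket:    " + Arrays.toString(socket.getEnabledProtocols()));
        }
    }
}
```

Running the program on Java 8 prints TLSv1.2 alone for the _TLS_ setting and TLSv1.2 plus TLSv1.3 on Java 11, which matches the resolution the issue asks for: either one named version or the secure versions the runtime provides. The same check can be applied to a client-side SSLSocket, and the `openssl s_client ... -starttls smtp tls1` command quoted in the issue should then fail to complete a handshake rather than print a negotiated cipher and session ID.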