Posted to dev@qpid.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2014/10/28 20:48:33 UTC

[jira] [Commented] (QPID-6187) Disable SSL v3 for Windows SChannel

    [ https://issues.apache.org/jira/browse/QPID-6187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14187354#comment-14187354 ] 

ASF subversion and git services commented on QPID-6187:
-------------------------------------------------------

Commit 1634961 from cliffjansen@apache.org in branch 'qpid/trunk'
[ https://svn.apache.org/r1634961 ]

QPID-6187: Disable SSL v3 for Windows SChannel

> Disable SSL v3 for Windows SChannel
> -----------------------------------
>
>                 Key: QPID-6187
>                 URL: https://issues.apache.org/jira/browse/QPID-6187
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Client
>         Environment: windows
>            Reporter: Cliff Jansen
>            Assignee: Cliff Jansen
>             Fix For: 0.31
>
>
> Using same fix as in https://issues.apache.org/jira/browse/PROTON-719
> Windows advisory:
> https://technet.microsoft.com/en-us/library/security/3009008.aspx
> See especially part 3: "Disable SSL 3.0 in Windows", but note that a similar registry setting exists for CLIENT.
> SChannel works differently from openssl: SChannel can override default protocols (in registry), but cannot override "enabled" protocols (also in registry). A user or global administrator can force AMQP 1.0 SChannel connections to succeed during protocol negotiations over SSLv3 despite Proton's best efforts.
> Possible solutions on Windows:
> 1. always fail after the fact if an SSLv3 connection has actually been established
> 2. succeed for SSLv3 if registry allows it, but log a warning
> 3. succeed for SSLv3 only if registry allows it and env variable PROTON_SSLV3_UNSAFE=override_by_user
> Since SSLv3 is not considered secure, and there are no known legacy AMQP 1.0 implementations that are unable to provide TLS1.0 or above, #1 seems to provide the greatest security without known inconvenience.



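The issue description above explains why a compile-time or SSPI-flag restriction is not enough on Windows: the registry's "enabled protocols" can still let an SSL 3.0 handshake complete, so option #1 is to inspect the protocol that was actually negotiated and tear the connection down if it is SSL 3.0. The block below is an added illustration of that post-handshake check, not Qpid or Proton code and not the committed fix. The function names are this example's own. The `SP_PROT_*` bit values are mirrored from `schannel.h` so the decision logic compiles and can be exercised off Windows; the `QueryContextAttributes` call that retrieves the negotiated protocol is kept under `#ifdef _WIN32`.

```c
/* Post-handshake protocol check for SChannel (added example, not project code).
 * Implements option 1 from QPID-6187: if SSL 3.0 (or SSL 2.0) was actually
 * negotiated, fail the connection regardless of what the registry allowed. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#  define SECURITY_WIN32
#  include <windows.h>
#  include <security.h>
#  include <schannel.h>
#else
/* Off-Windows build: mirror the SP_PROT_* bit values from schannel.h so the
 * decision logic can be compiled and tested anywhere.  The real
 * QueryContextAttributes call exists only on Windows (see below). */
typedef unsigned long DWORD;
#  define SP_PROT_SSL2_SERVER   0x00000004
#  define SP_PROT_SSL2_CLIENT   0x00000008
#  define SP_PROT_SSL3_SERVER   0x00000010
#  define SP_PROT_SSL3_CLIENT   0x00000020
#  define SP_PROT_TLS1_SERVER   0x00000040
#  define SP_PROT_TLS1_CLIENT   0x00000080
#  define SP_PROT_TLS1_1_SERVER 0x00000100
#  define SP_PROT_TLS1_1_CLIENT 0x00000200
#  define SP_PROT_TLS1_2_SERVER 0x00000400
#  define SP_PROT_TLS1_2_CLIENT 0x00000800
#endif

/* Protocols that must never be kept once the handshake has completed. */
#define LEGACY_SSL_MASK (SP_PROT_SSL2_SERVER | SP_PROT_SSL2_CLIENT | \
                         SP_PROT_SSL3_SERVER | SP_PROT_SSL3_CLIENT)

/* Human-readable name of the negotiated protocol, for the log line. */
const char *schannel_protocol_name(DWORD proto)
{
    if (proto & (SP_PROT_SSL2_SERVER | SP_PROT_SSL2_CLIENT))     return "SSL 2.0";
    if (proto & (SP_PROT_SSL3_SERVER | SP_PROT_SSL3_CLIENT))     return "SSL 3.0";
    if (proto & (SP_PROT_TLS1_SERVER | SP_PROT_TLS1_CLIENT))     return "TLS 1.0";
    if (proto & (SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_1_CLIENT)) return "TLS 1.1";
    if (proto & (SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_2_CLIENT)) return "TLS 1.2";
    return "unknown";
}

/* Option 1 policy: 1 = keep the connection, 0 = tear it down.
 * A zero/unknown value is rejected as well, so the check fails closed. */
int schannel_protocol_acceptable(DWORD negotiated)
{
    if (negotiated == 0) return 0;               /* nothing negotiated: fail closed */
    if (negotiated & LEGACY_SSL_MASK) return 0;  /* SSLv2/v3 got through the registry */
    return 1;
}

#ifdef _WIN32
/* Windows-only: ask SChannel which protocol the finished handshake used and
 * apply the policy.  ctx is the context from InitializeSecurityContext or
 * AcceptSecurityContext after it returned SEC_E_OK. */
int schannel_check_context(CtxtHandle *ctx)
{
    SecPkgContext_ConnectionInfo info;
    SECURITY_STATUS st = QueryContextAttributes(ctx, SECPKG_ATTR_CONNECTION_INFO, &info);
    if (st != SEC_E_OK) {
        fprintf(stderr, "QueryContextAttributes failed: 0x%08lx\n", (unsigned long)st);
        return 0;                                /* cannot verify: fail closed */
    }
    if (!schannel_protocol_acceptable(info.dwProtocol)) {
        fprintf(stderr, "rejecting connection negotiated with %s\n",
                schannel_protocol_name(info.dwProtocol));
        return 0;
    }
    return 1;
}
#endif

int main(void)
{
    /* Constructed sample values standing in for info.dwProtocol after a handshake. */
    DWORD samples[] = { SP_PROT_SSL3_CLIENT, SP_PROT_TLS1_CLIENT, SP_PROT_TLS1_2_SERVER, 0 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %s\n", schannel_protocol_name(samples[i]),
               schannel_protocol_acceptable(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The check runs after the handshake has already completed, which is exactly the "fail after the fact" behaviour the description chooses: the registry can still make SChannel negotiate SSL 3.0, but the application refuses to carry AMQP traffic over it. Failing closed on a `QueryContextAttributes` error keeps an unverifiable connection from being treated as acceptable.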