THRIFT-3164

Thrift C++ library SSL socket by default allows for unsecure SSLv3 negotiation

Details

    Description

      The TSSLSocketFactory allows for both SSLv3 and TLSv1 handshakes. SSLv3 is ancient and has a serious security flaw:
      http://disablessl3.com/

      Currently the project uses the following default (in TSSLSocket.h):

        /**
         * Constructor/Destructor
         *
         * @param protocol The SSL/TLS protocol to use.
         */
        TSSLSocketFactory(const SSLProtocol& protocol = SSLTLS);
      

      Also (same file):

      /**
       * Wrap OpenSSL SSL_CTX into a class.
       */
      class SSLContext {
      public:
        SSLContext(const SSLProtocol& protocol = SSLTLS);
      

      This enumeration maps to:

      enum SSLProtocol {
        SSLTLS = 0, // Supports SSLv3 and TLSv1.
        // SSLv2		= 1,	// HORRIBLY INSECURE!
        SSLv3 = 2,   // Supports SSLv3 only.
        TLSv1_0 = 3, // Supports TLSv1_0 only.
        TLSv1_1 = 4, // Supports TLSv1_1 only.
        TLSv1_2 = 5  // Supports TLSv1_2 only.
      };
      

      Recommend changing the default/minimum in Thrift to TLSv1. Add a test to prove SSLv3 client cannot connect by default, and that TLSv1_0, _1, and _2 can all connect.

      THRIFT-3165 takes the recommendation a step further and suggests the default should be TLS v1.2 or later, and the third party using Thrift can decide if they want to allow less-secure ciphers.
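
A model of the connection matrix that the recommended test describes, added here as an illustration; it is not Thrift or OpenSSL code and performs no real handshake. The enum values are copied from the excerpt above; the `Wire` flags, the `offered`, `negotiate` and `defaultRejectsSslv3Only` helpers, the `sslv3Disabled` switch, and the reading of `SSLTLS` as "SSLv3 plus every TLS 1.x version" are assumptions.

```cpp
#include <initializer_list>

// Enum values copied from the TSSLSocket.h excerpt in this issue.
enum SSLProtocol { SSLTLS = 0, SSLv3 = 2, TLSv1_0 = 3, TLSv1_1 = 4, TLSv1_2 = 5 };

// Wire versions as bit flags, ordered weakest to strongest (hypothetical names).
enum Wire : unsigned { W_SSL3 = 1, W_TLS10 = 2, W_TLS11 = 4, W_TLS12 = 8 };
const unsigned ALL_TLS = W_TLS10 | W_TLS11 | W_TLS12;

// Versions an endpoint offers for a given setting.
// Assumption: SSLTLS means SSLv3 plus every TLS 1.x version. sslv3Disabled
// models the change this issue recommends: SSLv3 removed from the default set.
unsigned offered(SSLProtocol p, bool sslv3Disabled) {
  switch (p) {
    case SSLTLS:  return sslv3Disabled ? ALL_TLS : (W_SSL3 | ALL_TLS);
    case SSLv3:   return W_SSL3;
    case TLSv1_0: return W_TLS10;
    case TLSv1_1: return W_TLS11;
    case TLSv1_2: return W_TLS12;
  }
  return 0;
}

// Highest version both sides offer, or 0 when there is no common version
// and the handshake would fail.
unsigned negotiate(unsigned server, unsigned client) {
  unsigned common = server & client;
  for (unsigned v = W_TLS12; v != 0; v >>= 1)
    if (common & v) return v;
  return 0;
}

// The matrix the issue asks a test to prove against a default-configured
// server: an SSLv3-only client must fail, each TLS-only client must connect.
bool defaultRejectsSslv3Only(bool sslv3Disabled) {
  unsigned server = offered(SSLTLS, sslv3Disabled);
  if (negotiate(server, offered(SSLv3, false)) != 0) return false;
  for (SSLProtocol c : {TLSv1_0, TLSv1_1, TLSv1_2})
    if (negotiate(server, offered(c, false)) == 0) return false;
  return true;
}
```

With `sslv3Disabled` set to false the matrix fails on its first row, which is the behaviour this issue reports for the current default.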

            People

              jking3 James E. King III