Details
- Bug
- Status: Closed
- Critical
- Resolution: Fixed
- 0.8, 0.9, 0.9.1, 0.9.2
Description
The TSSLSocketFactory allows for both SSLv3 and TLSv1 handshakes. SSLv3 is ancient and has a serious security flaw:
http://disablessl3.com/
Currently the project uses the following default (in TSSLSocket.h):
/**
 * Constructor/Destructor
 *
 * @param protocol The SSL/TLS protocol to use.
 */
TSSLSocketFactory(const SSLProtocol& protocol = SSLTLS);
Also (same file):
/**
 * Wrap OpenSSL SSL_CTX into a class.
 */
class SSLContext {
public:
  SSLContext(const SSLProtocol& protocol = SSLTLS);
This enumeration maps to:
enum SSLProtocol {
  SSLTLS = 0,   // Supports SSLv3 and TLSv1.
  // SSLv2 = 1, // HORRIBLY INSECURE!
  SSLv3 = 2,    // Supports SSLv3 only.
  TLSv1_0 = 3,  // Supports TLSv1_0 only.
  TLSv1_1 = 4,  // Supports TLSv1_1 only.
  TLSv1_2 = 5   // Supports TLSv1_2 only.
};
Recommend changing the default/minimum in Thrift to TLSv1. Add a test to prove SSLv3 client cannot connect by default, and that TLSv1_0, _1, and _2 can all connect.
THRIFT-3165 takes the recommendation a step further and suggests the default should be TLS v1.2 or later, and the third party using Thrift can decide if they want to allow less-secure ciphers.
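A wire-level check that a test like the one recommended above could use, as an added example that is not Thrift code: it classifies the first record a server returns to a ClientHello and flags a negotiated version below the required floor. The names WireVersion, classifyFirstRecord and violatesFloor, and the sample byte strings, are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example, not Thrift code. Wire versions for the protocols named in
// the SSLProtocol enum, as they appear in the handshake.
enum WireVersion : uint16_t {
  WIRE_SSLv3 = 0x0300, WIRE_TLSv1_0 = 0x0301,
  WIRE_TLSv1_1 = 0x0302, WIRE_TLSv1_2 = 0x0303
};
enum class Reply { Malformed, Refused, Negotiated };
struct Verdict {
  Reply kind;
  uint16_t version;  // meaningful only when kind == Negotiated
};

// Classify the first record a server sends after a ClientHello.
// Record header: type(1) version(2) length(2). An alert record (type 21)
// means the server refused. A handshake record (type 22) starting with a
// ServerHello (message type 2) carries the chosen version at offset 9:
// record header(5) + message type(1) + message length(3).
Verdict classifyFirstRecord(const std::vector<uint8_t>& b) {
  if (b.size() < 5) return {Reply::Malformed, 0};
  const size_t len = (size_t(b[3]) << 8) | b[4];
  if (b.size() < 5 + len) return {Reply::Malformed, 0};
  if (b[0] == 21 && len == 2) return {Reply::Refused, 0};
  if (b[0] != 22 || len < 6 || b[5] != 2) return {Reply::Malformed, 0};
  return {Reply::Negotiated, uint16_t((b[9] << 8) | b[10])};
}

// True when the server negotiated a protocol below the required minimum.
bool violatesFloor(const std::vector<uint8_t>& reply, WireVersion minimum) {
  const Verdict v = classifyFirstRecord(reply);
  return v.kind == Reply::Negotiated && v.version < minimum;
}

// Constructed samples, cut down to the bytes the classifier reads.
const std::vector<uint8_t> kSslv3Hello = {22, 3, 0, 0, 6, 2, 0, 0, 2, 3, 0};
const std::vector<uint8_t> kTls12Hello = {22, 3, 3, 0, 6, 2, 0, 0, 2, 3, 3};
const std::vector<uint8_t> kFatalAlert = {21, 3, 0, 0, 2, 2, 40};

int main() {
  std::printf("SSLv3 reply violates TLSv1_0 floor: %d\n",
              violatesFloor(kSslv3Hello, WIRE_TLSv1_0));
  std::printf("TLSv1_2 reply violates TLSv1_0 floor: %d\n",
              violatesFloor(kTls12Hello, WIRE_TLSv1_0));
  std::printf("alert reply refused: %d\n",
              classifyFirstRecord(kFatalAlert).kind == Reply::Refused);
  return 0;
}
```

A TLS 1.3 server also reports 0x0303 in this field, so the check holds for any floor up to TLSv1_2.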
Issue Links
- is related to
  - THRIFT-151 TSSLServerSocket and TSSLSocket implementation (Closed)
- relates to
  - THRIFT-3165 Disable unsafe TLSv1.0 and TLSv1.1 by default (Open)