Github user jeking3 commented on a diff in the pull request:

    https://github.com/apache/thrift/pull/1197#discussion_r101909066
  
    --- Diff: test/secure/test_secure.bash ---
    @@ -0,0 +1,69 @@
    +#!/bin/bash
    +
    +#
    +# Checks various desired attributes in SSL/TLS implementations.
    +#
    +
    +THRIFTHOST=localhost
    +THRIFTPORT=9090
    +
    +while [[ $# -ge 1 ]]; do
    +  arg="$1"
    +  argIN=(${arg//=/ })
    +
    +  case ${argIN[0]} in
    +    -h|--host)
    +    THRIFTHOST=${argIN[1]}
    +    shift # past argument
    +    ;;
    +    -p|--port)
    +    THRIFTPORT=${argIN[1]}
    +    shift # past argument
    +    ;;
    +    *)
    +          # unknown option ignored
    +    ;;
    +  esac
    +
    +  shift   # past argument or value
    +done
    +
    +#
    +# Negotiation Test Expectations
    +#
    +
    +declare -A EXPECT_NEGOTIATE
    +EXPECT_NEGOTIATE[ssl3]=0
    +EXPECT_NEGOTIATE[tls1]=1
    +EXPECT_NEGOTIATE[tls1_1]=1
    +EXPECT_NEGOTIATE[tls1_2]=1
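Review bot: the option parsing in the `-h|--host` and `-p|--port` branches shifts twice for one `--key=value` token: the `shift # past argument` inside the case plus the unconditional `shift   # past argument or value` after `esac` consume two positional parameters, so `--host=foo --port=9999` silently drops `--port=9999`, and the space-separated form `--host foo` never reads its value because `${argIN[1]}` is empty after splitting on `=`. Suggest dropping the per-case shifts and keeping only the one after `esac` (for the `=` form), or handling the two-token form explicitly with `THRIFTHOST="$2"; shift`. Two smaller points: `declare -A` requires bash 4 or later, so a version check (or `#!/usr/bin/env bash`) would give a clear failure on systems that ship bash 3.2; and the table pins `tls1` and `tls1_1` to 1, so as written it will fail for languages that can only offer TLSv1.2, which the discussion below says should be acceptable, while `ssl3=0` is the one expectation that must stay strict.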
    --- End diff --
    
    What I'm thinking here is that nothing should allow for SSLv3 as you 
suggested, however it would be acceptable for csharp and d languages to only 
allow TLSv1.2, since they lack the ability to specify TLSv1.0 "or later".  So I 
can relax this test to say, "Accept either TLSv1.0 or later, or TLSv1.2 alone, 
but never allow SSLv3".  Really I could just simplify the test down to checking 
that SSLv3 is not allowed and TLSv1.2 works at this point.

