[ https://issues.apache.org/jira/browse/THRIFT-4084?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15873499#comment-15873499 ]
ASF GitHub Bot commented on THRIFT-4084:
----------------------------------------

Github user nsuke commented on a diff in the pull request:

    https://github.com/apache/thrift/pull/1197#discussion_r101909373

    --- Diff: test/secure/test_secure.bash ---
    @@ -0,0 +1,69 @@ +#!/bin/bash + +# +# Checks various desired attributes in SSL/TLS implementations. +# + +THRIFTHOST=localhost +THRIFTPORT=9090 + +while [[ $# -ge 1 ]]; do + arg="$1" + argIN=(${arg//=/ }) + + case ${argIN[0]} in + -h|--host) + THRIFTHOST=${argIN[1]} + shift # past argument + ;; + -p|--port) + THRIFTPORT=${argIN[1]} + shift # past argument + ;; + *) + # unknown option ignored + ;; + esac + + shift # past argument or value +done + +# +# Negotiation Test Expectations +# + +declare -A EXPECT_NEGOTIATE +EXPECT_NEGOTIATE[ssl3]=0 +EXPECT_NEGOTIATE[tls1]=1 +EXPECT_NEGOTIATE[tls1_1]=1 +EXPECT_NEGOTIATE[tls1_2]=1
    --- End diff --

    Sounds reasonable to me.

> Improve SSL security in thrift by adding a make cross client that checks to
> make sure SSLv3 protocol cannot be negotiated
> -------------------------------------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-4084
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4084
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Test Suite
>    Affects Versions: 0.10.0
>         Environment: Ubuntu Dockerfile
>            Reporter: James E. King, III
>            Assignee: James E. King, III
>              Labels: cross-validation, security, ssl, tls
>
> Following code review discussions in THRIFT-3369, and seeing THRIFT-3165 in
> the backlog, I want to add a make cross "language" which isn't a language at
> all, but a test that checks to see if it is possible to negotiate at various
> SSL/TLS protocol versions. This would be a client-only test, likely just a
> bash script that leverages the openssl client and command line options to
> connect to a test server and see if it handshakes and negotiates protocol
> successfully.
> Without THRIFT-3165 implemented, it will ensure:
> * Can handshake using the universal SSLv23 context, however cannot negotiate
> SSLv3
> * Can negotiate TLSv1.0, TLSv1.1, and TLSv1.2
> With THRIFT-3165 it needs to change to ensure:
> * Can handshake using TLSv1.2 but not any other version
> The solution I came up with was to add a new client called "secure" to make
> crosstest. test_secure is a simple bash script that checks the appropriate
> rules above (the ones without THRIFT-3165, since it is not done), and I added
> "secure" to the list of cross test "languages" in the top level configure
> script.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
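Review bot: the option loop in the test_secure.bash hunk shifts twice for every recognised option, which breaks both argument styles. `argIN=(${arg//=/ })` splits `--host=foo` into two words so `${argIN[1]}` carries the value, but the `shift # past argument` inside the `-h|--host)` and `-p|--port)` branches plus the `shift # past argument or value` after `esac` then also consumes whatever argument followed `--host=foo`; with `--host foo` given as two words, `${argIN[1]}` is empty, so THRIFTHOST is set to an empty string even though both words are consumed. Pick one style: for `--host=foo`, drop the per-branch `shift`; for `--host foo`, read the value from `$2` instead of `${argIN[1]}` and keep the second `shift`, guarded so it is skipped when no value follows.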
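The check the quoted ticket describes, an openssl s_client probe per protocol version judged against the expectations SSLv3 refused and TLS 1.0, 1.1, 1.2 accepted, as an added POSIX shell example; this is not the project's test_secure.bash, and it assumes s_client's `New, <proto>, Cipher is <name>` summary line, which shows `(NONE)` when no handshake completed.

```shell
# Added example, not the Thrift project's test_secure.bash: probe a server with
# openssl s_client per protocol flag and judge the result against the ticket's
# expectations (SSLv3 refused, TLS 1.0-1.2 accepted). Assumes s_client's summary
# line "New, <proto>, Cipher is <name>", which reads "Cipher is (NONE)" on failure.

# Expected outcome per s_client version flag: 1 = must negotiate, 0 = must refuse.
expect_negotiate() {
    case "$1" in
        ssl3) echo 0 ;;
        tls1|tls1_1|tls1_2) echo 1 ;;
        *) echo "unknown version flag: $1" >&2; return 2 ;;
    esac
}

# Return 0 when a captured s_client transcript shows a completed handshake; an
# alert, a refused connection or a build lacking -ssl3 yields no usable cipher.
negotiated() {
    cipher=$(printf '%s\n' "$1" | sed -n 's/^New, .*, Cipher is //p' | head -n 1)
    [ -n "$cipher" ] && [ "$cipher" != "(NONE)" ]
}

# Compare a transcript for one version flag with the expectation; prints a
# verdict and returns 0 on PASS, 1 on FAIL.
judge() {
    version="$1"
    want=$(expect_negotiate "$version") || return 2
    if negotiated "$2"; then got=1; else got=0; fi
    if [ "$got" = "$want" ]; then
        printf '%s: PASS (negotiated=%s)\n' "$version" "$got"
    else
        printf '%s: FAIL (negotiated=%s, expected %s)\n' "$version" "$got" "$want"
        return 1
    fi
}

# Live probe: probe HOST PORT FLAG, e.g. probe localhost 9090 ssl3. Stdin is
# closed immediately so s_client exits once it has printed the summary.
probe() {
    transcript=$(printf '\n' | openssl s_client -connect "$1:$2" "-$3" 2>&1)
    judge "$3" "$transcript"
}

# Constructed, abridged transcripts standing in for real s_client output.
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_REFUSED='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)'

judge tls1_2 "$SAMPLE_OK"      # tls1_2: PASS (negotiated=1)
judge ssl3 "$SAMPLE_REFUSED"   # ssl3: PASS (negotiated=0)
```

Against a running test server, `for v in ssl3 tls1 tls1_1 tls1_2; do probe localhost 9090 "$v"; done` prints one verdict per version; an openssl build without SSLv3 support rejects the `-ssl3` flag, which the parser correctly reports as not negotiated.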