[
https://issues.apache.org/jira/browse/THRIFT-3165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
James E. King III updated THRIFT-3165:
--------------------------------------
Description:
Thrift provides an SSL implementation and implements some best practices (for
example, SSLv2 and SSLv3 are disabled). The current mechanism in the C++
library to control the protocol negotiation is unnecessarily complex.
The current behavior is to use an enumeration to set the protocol level. The
methods these call are deprecated in OpenSSL 1.1 and do not provide the desired
control.
The proposed new behavior is to:
* Remove SSLProtocol
* Require the consumer to subclass SSLContext and call SSL_CTX_set_option to
disable certain behaviors, like negotiation protocol levels.
For example, the following SSLContext subclass will ensure connections are at
TLSv1_2 or later:
{noformat}
class SSLContextOnlyTLSv12OrLater : public SSLContext
{
public:
    SSLContextOnlyTLSv12OrLater() : SSLContext()
    {
        // SSLContext already disables SSLv2 and SSLv3
        SSL_CTX_set_options(get(), SSL_OP_NO_TLSv1);   // This is TLSv1_0
        SSL_CTX_set_options(get(), SSL_OP_NO_TLSv1_1);
    }
};
{noformat}
was:
Thrift provides an SSL implementation and implements some best practices (for
example, SSLv2 and SSLv3 are disabled). The current mechanism in the C++
library to control the protocol negotiation is unnecessarily complex.
The current behavior is to use an enumeration to set the protocol level. The
methods these call are deprecated in OpenSSL 1.1 and do not provide the desired
control.
The proposed new behavior is to:
* Remove SSLProtocol
* Require the consumer to subclass SSLContext and call SSL_CTX_set_option to
disable certain behaviors, like negotiation protocol levels.
For example, the following SSLContext subclass will ensure connections are at
TLSv1_2 or later:
{noformat}
class SSLContextOnlyTLSv12OrLater : public SSLContext
{
public:
    SSLContextOnlyTLSv12OrLater() : SSLContext()
    {
        // SSLContext already disables SSLv2 and SSLv3
        SSL_CTX_set_options(ctx_, SSL_OP_NO_TLSv1);   // This is TLSv1_0
        SSL_CTX_set_options(ctx_, SSL_OP_NO_TLSv1_1);
    }
};
{noformat}
> Remove TSSLSocket::SSLProtocol and require subclass of SSLContext to control
> TLS negotiation
> --------------------------------------------------------------------------------------------
>
> Key: THRIFT-3165
> URL: https://issues.apache.org/jira/browse/THRIFT-3165
> Project: Thrift
> Issue Type: Improvement
> Components: C++ - Library
> Affects Versions: 0.9.2
> Reporter: James E. King III
> Priority: Major
> Labels: SSL, SSLSocketFactory, Security, TLS
>
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)