[ https://issues.apache.org/jira/browse/THRIFT-3165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
James E. King III updated THRIFT-3165: -------------------------------------- Labels: Breaking-Change SSL SSLSocketFactory Security TLS (was: SSL SSLSocketFactory Security TLS) > Disable unsafe TLSv1.0 and TLSv1.1 by default > --------------------------------------------- > > Key: THRIFT-3165 > URL: https://issues.apache.org/jira/browse/THRIFT-3165 > Project: Thrift > Issue Type: Improvement > Components: C++ - Library > Affects Versions: 0.9.2 > Reporter: James E. King III > Assignee: James E. King III > Priority: Major > Labels: Breaking-Change, SSL, SSLSocketFactory, Security, TLS > > Thrift provides an SSL implementation and implements some best practices (for > example, SSLv2 and SSLv3 are disabled). The current mechanism in the C++ > library to control the protocol negotiation is unnecessarily complex. > The current behavior is to use an enumeration to set the protocol level. The > methods these call are deprecated in OpenSSL 1.1 and do not provide the > desired control. > The proposed new behavior is to: > * Remove SSLProtocol > * Require the consumer to subclass SSLContext and call SSL_CTX_set_option to > disable certain behaviors, like negotiation protocol levels. > For example the following SSLContext subclass will allow connections at > TLSv1.1 or later, whereas the default will only allow TLSv1.2 or later: > {noformat} > class CustomSSLContext : public SSLContext > { > public: > CustomSSLContext() : SSLContext() > { > // SSLContext disables SSLv2, SSLv3, TLSv1_0, and TLSv1_1 > SSL_CTX_clear_options(get(), SSL_OP_NO_TLSv1_1); > } > }; > {noformat} -- This message was sent by Atlassian JIRA (v7.6.14#76016)