[
https://issues.apache.org/jira/browse/THRIFT-3165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
James E. King III updated THRIFT-3165:
--------------------------------------
Labels: Breaking-Change SSL SSLSocketFactory Security TLS (was: SSL
SSLSocketFactory Security TLS)
> Disable unsafe TLSv1.0 and TLSv1.1 by default
> ---------------------------------------------
>
> Key: THRIFT-3165
> URL: https://issues.apache.org/jira/browse/THRIFT-3165
> Project: Thrift
> Issue Type: Improvement
> Components: C++ - Library
> Affects Versions: 0.9.2
> Reporter: James E. King III
> Assignee: James E. King III
> Priority: Major
> Labels: Breaking-Change, SSL, SSLSocketFactory, Security, TLS
>
> Thrift provides an SSL implementation and implements some best practices (for
> example, SSLv2 and SSLv3 are disabled). The current mechanism in the C++
> library to control the protocol negotiation is unnecessarily complex.
> The current behavior is to use an enumeration to set the protocol level. The
> methods these call are deprecated in OpenSSL 1.1 and do not provide the
> desired control.
> The proposed new behavior is to:
> * Remove SSLProtocol
> * Require the consumer to subclass SSLContext and call SSL_CTX_set_option to
> disable certain behaviors, like negotiation protocol levels.
> For example the following SSLContext subclass will allow connections at
> TLSv1.1 or later, whereas the default will only allow TLSv1.2 or later:
> {noformat}
> class CustomSSLContext : public SSLContext
> {
> public:
> CustomSSLContext() : SSLContext()
> {
> // SSLContext disables SSLv2, SSLv3, TLSv1_0, and TLSv1_1
> SSL_CTX_clear_options(get(), SSL_OP_NO_TLSv1_1);
> }
> };
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
