[ https://issues.apache.org/jira/browse/KYLIN-4477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
nichunen updated KYLIN-4477:
----------------------------
    Sprint: Sprint 51

> Usage of "TLS" is insecure
> --------------------------
>
>                 Key: KYLIN-4477
>                 URL: https://issues.apache.org/jira/browse/KYLIN-4477
>             Project: Kylin
>          Issue Type: Improvement
>            Reporter: Md Mahir Asef Kabir
>            Assignee: Md Mahir Asef Kabir
>            Priority: Major
>             Fix For: v3.1.0
>
>
> *Vulnerability Description:* In
> “engine-mr/src/main/java/org/apache/kylin/engine/mr/common/DefaultSslProtocolSocketFactory.java”
> file the following code was written in
> {code:java}
> private static SSLContext createEasySSLContext()
> {code}
> method -
> {code:java}
> SSLContext context = SSLContext.getInstance("TLS");
> {code}
> The vulnerability is, using "TLS" as the argument to SSLContext.getInstance
> method.
>
> *Reason it’s vulnerable:* TLS 1.0 is vulnerable to man-in-the-middle attacks.
> For further reference, follow
> [this|https://www.comodo.com/e-commerce/ssl-certificates/tls-1-deprecation.php].
>
> *Suggested Fix:* Using
> {code:java}
> SSLContext.getInstance("TLSv1.3").
> {code}
>
> *Feedback:* Please select any of the options down below to help us get an
> idea about how you felt about the suggestion -
> # Liked it and will make the suggested changes
> # Liked it but happy with the existing version
> # Didn’t find the suggestion helpful

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
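
A way to check what the two `SSLContext.getInstance` arguments named in the issue actually enable on a given JVM, and to pin a socket to an explicit version list. This is an added example, not code from the issue or from Kylin; the class name `TlsProtocolCheck` and the `ALLOWED` list are assumptions chosen for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class TlsProtocolCheck {
    // Hypothetical allow-list for this example; adjust to local policy.
    static final List<String> ALLOWED = Arrays.asList("TLSv1.3", "TLSv1.2");

    // Versions enabled by default for a context created with the given name,
    // or an empty array when the runtime does not provide that algorithm.
    static String[] enabledFor(String name) throws Exception {
        try {
            SSLContext ctx = SSLContext.getInstance(name);
            ctx.init(null, null, null); // default key and trust managers
            return ctx.getDefaultSSLParameters().getProtocols();
        } catch (NoSuchAlgorithmException e) {
            return new String[0];
        }
    }

    // Keeps only allow-listed versions that this runtime supports.
    static String[] pinned(SSLContext ctx) {
        List<String> supported =
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        List<String> keep = new ArrayList<>(ALLOWED);
        keep.retainAll(supported);
        if (keep.isEmpty()) {
            throw new IllegalStateException("no allowed TLS version supported");
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        for (String name : new String[] {"TLS", "TLSv1.3"}) {
            System.out.println(name + " -> " + Arrays.toString(enabledFor(name)));
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        // Unconnected socket: no network traffic, only configuration.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            SSLParameters p = s.getSSLParameters();
            p.setProtocols(pinned(ctx));
            s.setSSLParameters(p);
            System.out.println("pinned -> " + Arrays.toString(s.getEnabledProtocols()));
        }
    }
}
```

The printed lists depend on the JVM version and its `jdk.tls.disabledAlgorithms` security property, so run the check on the runtime that will host the service.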