Uploaded image for project: 'Ambari'
  1. Ambari
  2. AMBARI-20545

Remove the use of legacy SSL and TLS protocol versions

    XMLWordPrintableJSON

Details

    Description

      I notice that the explicit enabling of various protocols still includes SSLv2Hello and SSLv3, which are severely broken protocols with numerous known vulnerabilities and not necessary for legacy compatibility. Even TLSv1 and TLSv1.1 have been discouraged since February 2014, when all modern browsers supported TLSv1.2. Is there any reason Ambari still needs to enable support for these legacy protocols, and are there any other mitigating controls put in place to prevent downgrade, brute force, padding oracle, and weak parameter attacks against these protocols? Thanks.

      Attachments

        Issue Links

          is duplicated by

          Improvement - An improvement or enhancement to an existing feature or task. AMBARI-20893 Ambari should disable old/insecure SSL/TLS protocols by default

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved
          is related to

          Bug - A problem which impairs or prevents the functions of the product. AMBARI-18910 SSL/TLS protocols should be explicitly enabled and then filtered when Ambari starts up

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Activity

            People

              rlevas Robert Levas
              alopresto Andy LoPresto
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated: