Details
- Type: Improvement
- Status: Resolved
- Priority: Minor
- Resolution: Duplicate
Description
By default these protocols are enabled in Ambari when using SSL/TLS:
- SSL 2
- SSL 3
- TLS 1.0
- TLS 1.1
- TLS 1.2
Yes, they can be disabled, but a user needs to do that. Both SSL 2 and SSL 3 have been officially deprecated, and I think it's really bad that we ship with them enabled by default. TLS 1 is prohibited by PCI standards but has not been officially deprecated, I think.
So I propose to change the default value of `security.server.disabled.protocols` to include at least SSL2 & 3.
Issue Links
- duplicates AMBARI-20545 Remove the use of legacy SSL and TLS protocol versions (Open)
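An added example, not part of the issue or of Ambari's code: a small audit that reads the text of an `ambari.properties` file and reports which of the legacy protocols named in the description are still enabled because `security.server.disabled.protocols` does not list them. The `|` separator and the token spellings `SSLv2`, `SSLv3` and `TLSv1` are assumptions, as are the function names and the sample inputs, which are constructed.

```python
import re

# Assumed token spellings for SSL 2, SSL 3 and TLS 1.0 (not taken from the issue).
LEGACY = ("SSLv2", "SSLv3", "TLSv1")
KEY = "security.server.disabled.protocols"


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank or commented-out lines set nothing
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        props[parts[0]] = parts[1] if len(parts) == 2 else ""
    return props  # a later duplicate key overrides an earlier one


def legacy_still_enabled(text):
    """Return the legacy protocols that the disabled list does not cover."""
    value = parse_properties(text).get(KEY, "")
    # Assumed separator: '|'. Compare whole tokens so that "TLSv1.1" in the
    # list is not mistaken for "TLSv1".
    disabled = {tok.strip().lower() for tok in value.split("|") if tok.strip()}
    return [p for p in LEGACY if p.lower() not in disabled]


# Constructed sample inputs.
SAMPLES = {
    "key absent": "# no protocol settings\n",
    "commented out": "#security.server.disabled.protocols=SSLv2|SSLv3|TLSv1\n",
    "proposal in the issue": "security.server.disabled.protocols=SSLv2|SSLv3\n",
    "TLSv1.1 is not TLSv1": "security.server.disabled.protocols=SSLv2|SSLv3|TLSv1.1\n",
    "all legacy disabled": "security.server.disabled.protocols = sslv3 | SSLv2 |TLSv1\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        left = legacy_still_enabled(text)
        print(f"{name:24s} still enabled: {', '.join(left) if left else 'none'}")
```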