Ambari / AMBARI-20893

Ambari should disable old/insecure SSL/TLS protocols by default

Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Duplicate
    • Component/s: ambari-server

    Description

      By default these protocols are enabled in Ambari when using SSL/TLS:

      • SSL 2
      • SSL 3
      • TLS 1.0
      • TLS 1.1
      • TLS 1.2

      Yes, they can be disabled, but a user needs to do that. Both SSL 2 and SSL 3 have been officially deprecated, and I think it's really bad that we ship with them enabled by default. TLS 1 is prohibited by PCI standards but has not been officially deprecated, I think.

      So I propose to change the default value of `security.server.disabled.protocols` to include at least SSL2 & 3.

            People

              Assignee: Unassigned
              Reporter: Lars Francke (larsfrancke)
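
The check an administrator would run against the setting discussed in this issue, as an added Python example (not part of the issue and not Ambari code): it reads Java-style properties text and reports which of the listed legacy protocols `security.server.disabled.protocols` leaves enabled. The JSSE-style tokens (`SSLv2`, `SSLv3`, `TLSv1`, `TLSv1.1`), the `|` separator and both sample inputs are assumptions made for this example.

```python
import re

PROP = "security.server.disabled.protocols"  # property named in the issue

# Assumption: JSSE-style tokens for the legacy protocols listed in the issue.
LEGACY_TOKENS = {"SSL 2": "SSLv2", "SSL 3": "SSLv3",
                 "TLS 1.0": "TLSv1", "TLS 1.1": "TLSv1.1"}


def read_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=', ':' or
    whitespace separators, backslash continuation, last definition wins."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def enabled_legacy(text, separator="|"):
    """Legacy protocols from the issue that this config leaves enabled.
    The separator is an assumption; exact token match, no case folding."""
    value = read_properties(text).get(PROP, "")
    disabled = {tok.strip() for tok in value.split(separator) if tok.strip()}
    return [name for name, tok in LEGACY_TOKENS.items() if tok not in disabled]


# Constructed sample: property absent, i.e. the default the issue describes.
SHIPPED = "# constructed sample\nexample.other.setting=true\n"
# Constructed sample: the proposed minimum, written with a line continuation.
PROPOSED = "security.server.disabled.protocols = SSLv2|\\\n    SSLv3\n"

if __name__ == "__main__":
    for label, cfg in (("shipped", SHIPPED), ("proposed", PROPOSED)):
        left = enabled_legacy(cfg)
        print(f"{label}: legacy protocols still enabled: {', '.join(left) or 'none'}")
```

With the proposed minimum applied, TLS 1.0 (the version the reporter notes PCI prohibits) and TLS 1.1 are still reported as enabled.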