Qpid Proton

PROTON-719: Disable SSL v3 for Windows SChannel


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • proton-0.8
    • proton-0.8
    • proton-j
    • None
    • Windows

    Description

      Windows advisory:

      https://technet.microsoft.com/en-us/library/security/3009008.aspx

      See especially part 3: "Disable SSL 3.0 in Windows", but note that a similar registry setting exists for CLIENT.

      SChannel works differently from OpenSSL: an application can override the registry's default protocol selection, but it cannot override the registry's "enabled" protocol settings. A user or global administrator can therefore force AMQP 1.0 SChannel connections to negotiate SSLv3 and succeed, despite Proton's best efforts to disable it.

      Possible solutions on Windows:

      1. Always fail after the fact if an SSLv3 connection has actually been established.

      2. Succeed for SSLv3 if the registry allows it, but log a warning.

      3. Succeed for SSLv3 only if the registry allows it and the environment variable PROTON_SSLV3_UNSAFE=override_by_user is set.

      Since SSLv3 is not considered secure, and there are no known legacy AMQP 1.0 implementations that are unable to provide TLS 1.0 or above, #1 seems to provide the greatest security without any known inconvenience.
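      Option 1 as a post-handshake check, added here as an illustration and not Proton's own code: on Windows the check queries the negotiated protocol through SChannel's QueryContextAttributes, and a portable decision function (the function names and the non-Windows constant definitions are this example's own, mirroring schannel.h) rejects SSL 2.0/3.0 so the connection fails even when the registry allowed the negotiation.

```c
/* Added example: fail after the fact if SChannel negotiated SSLv3
 * (or SSLv2), regardless of what the registry "enabled" settings allowed. */
#include <stdio.h>

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>
#include <schannel.h>
#else
/* Not on Windows: mirror the schannel.h protocol bits so the decision
 * logic compiles and can be exercised on any platform. */
typedef unsigned long DWORD;
#define SP_PROT_SSL2_SERVER   0x00000004
#define SP_PROT_SSL2_CLIENT   0x00000008
#define SP_PROT_SSL3_SERVER   0x00000010
#define SP_PROT_SSL3_CLIENT   0x00000020
#define SP_PROT_TLS1_SERVER   0x00000040
#define SP_PROT_TLS1_CLIENT   0x00000080
#define SP_PROT_TLS1_2_SERVER 0x00000400
#define SP_PROT_TLS1_2_CLIENT 0x00000800
#endif

/* Returns 1 if the negotiated protocol may be used (TLS 1.0 or newer),
 * 0 if the connection must be torn down. dwProtocol is the bitmask
 * SChannel reports in SecPkgContext_ConnectionInfo.dwProtocol. */
int negotiated_protocol_acceptable(DWORD dwProtocol)
{
    const DWORD forbidden = SP_PROT_SSL2_SERVER | SP_PROT_SSL2_CLIENT |
                            SP_PROT_SSL3_SERVER | SP_PROT_SSL3_CLIENT;
    if (dwProtocol == 0)
        return 0;                 /* handshake not complete: fail closed */
    if (dwProtocol & forbidden) {
        fprintf(stderr, "rejecting connection: SSLv2/SSLv3 negotiated (0x%lx)\n",
                (unsigned long)dwProtocol);
        return 0;
    }
    return 1;
}

#ifdef _WIN32
/* Windows only: ask the live security context, after the handshake has
 * completed, which protocol was actually negotiated. Any query failure is
 * treated as a rejection rather than assumed safe. */
int check_schannel_context(CtxtHandle *ctx)
{
    SecPkgContext_ConnectionInfo info;
    SECURITY_STATUS st = QueryContextAttributes(ctx, SECPKG_ATTR_CONNECTION_INFO, &info);
    if (st != SEC_E_OK)
        return 0;
    return negotiated_protocol_acceptable(info.dwProtocol);
}
#endif
```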

      People

        cliffjansen Clifford Jansen