The TSSLSocketFactory allows for both SSLv3 and TLSv1 handshake. SSLv3 is ancient and has a serious security flaw:
Currently the project uses the following default (in TSSLSocket.h):
also (same file:
This enumeration maps to:
Recommend changing the default/minimum in Thrift to TLSv1. Add a test to prove SSLv3 client cannot connect by default, and that TLSv1_0, _1, and _2 can all connect.
THRIFT-3165 takes the recommendation a step further and suggests the default should be TLS v1.2 or later, and the third party using Thrift can decide if they want to allow less-secure ciphers.