THRIFT-3165

Disable unsafe TLSv1.0 and TLSv1.1 by default


    Details

      Description

      Thrift provides an SSL implementation and implements some best practices (for example, SSLv2 and SSLv3 are disabled). The current mechanism in the C++ library to control the protocol negotiation is unnecessarily complex.

      The current behavior is to use an enumeration to set the protocol level. The methods these call are deprecated in OpenSSL 1.1 and do not provide the desired control.

      The proposed new behavior is to:

      • Remove SSLProtocol
      • Require the consumer to subclass SSLContext and call SSL_CTX_set_options to disable specific behaviors, such as the negotiated protocol levels.

      For example, the following SSLContext subclass will allow connections at TLSv1.1 or later, whereas the default will only allow TLSv1.2 or later:

      #include <openssl/ssl.h>
      #include <thrift/transport/TSSLSocket.h>

      using apache::thrift::transport::SSLContext;

      class CustomSSLContext : public SSLContext
      {
        public:
          CustomSSLContext() : SSLContext()
          {
              // The base SSLContext disables SSLv2, SSLv3, TLSv1.0 and TLSv1.1;
              // clearing SSL_OP_NO_TLSv1_1 re-enables TLSv1.1 for this context only.
              SSL_CTX_clear_options(get(), SSL_OP_NO_TLSv1_1);
          }
      };
      


    People

      Assignee: jking3 (James E. King III)
      Reporter: jking3 (James E. King III)
