Make TLSv1.2 the default #417

Merged
merged 2 commits into from Apr 9, 2018

Member

ctubbsii commented Apr 6, 2018

When Accumulo's RPC is configured for SSL/TLS, the client connections
will choose TLSv1.2 by default (instead of TLSv1 or TLSv1.1).

Make TLSv1.2 the default for ssl-enabled clients
When Accumulo's RPC is configured for SSL/TLS, the client connections
will choose TLSv1.2 by default (instead of TLSv1 or TLSv1.1).

@ctubbsii ctubbsii self-assigned this Apr 6, 2018


Member

ctubbsii commented Apr 6, 2018

I added a second commit which instructs the server-side to use TLS 1.2 by default, also. As I understand it, there are a few well-known downgrade attacks for 1.1 and 1.0 that we should avoid. Since we maintain the code for both client and server, there's no reason we shouldn't use 1.2 by default. It is still configurable, if users need something else.
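Because the protocol remains configurable, an existing site file can still pin the older versions after this change. The following audit is an added example, not part of the comment above or of the Accumulo code base: it scans a Hadoop-style `accumulo-site.xml` for overrides that re-enable protocols older than TLSv1.2. The property names come from Accumulo's configuration rather than from this page, and the sample file and the function name `audit_site_xml` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Accumulo property names (assumed from Accumulo's configuration; not shown on this page).
CLIENT_PROP = "rpc.ssl.client.protocol"            # single protocol name
SERVER_PROP = "rpc.ssl.server.enabled.protocols"   # comma-separated list
# JSSE protocol names older than the TLSv1.2 default this pull request sets.
LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: a site file that overrides both defaults.
SAMPLE_SITE_XML = """<configuration>
  <property><name>instance.rpc.ssl.enabled</name><value>true</value></property>
  <property><name>rpc.ssl.client.protocol</name><value>TLSv1</value></property>
  <property>
    <name>rpc.ssl.server.enabled.protocols</name>
    <value>TLSv1, TLSv1.1,TLSv1.2</value>
  </property>
</configuration>"""


def audit_site_xml(xml_text):
    """Return (property, protocol) pairs where a legacy protocol is enabled."""
    findings = []
    root = ET.fromstring(xml_text)
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name not in (CLIENT_PROP, SERVER_PROP):
            continue  # unrelated setting
        value = prop.findtext("value") or ""
        # Split on commas so the list-valued server property and the
        # single-valued client property are handled the same way.
        for proto in (p.strip() for p in value.split(",")):
            if proto in LEGACY:
                findings.append((name, proto))
    return findings


if __name__ == "__main__":
    for name, proto in audit_site_xml(SAMPLE_SITE_XML):
        print(f"{name}: explicit override enables {proto}")
```

A property that is absent from the file produces no finding, since it falls back to the shipped default.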

@ctubbsii ctubbsii requested review from PircDef and keith-turner Apr 6, 2018

@ctubbsii ctubbsii changed the title from Make TLSv1.2 the default for ssl-enabled clients to Make TLSv1.2 the default Apr 6, 2018

@PircDef

PircDef approved these changes Apr 9, 2018


Contributor

PircDef commented Apr 9, 2018

Is there an intent to remove ProtocolOverridingSSLSocketFactory as well?


Member

ctubbsii commented Apr 9, 2018

@PircDef Maybe... that would be a bigger change, and more testing to ensure correctness. This is a simple configuration defaults change vs. changing currently functioning code.

@ctubbsii ctubbsii merged commit e059c54 into apache:1.8 Apr 9, 2018

2 checks passed

Jenkins: This pull request looks good
continuous-integration/travis-ci/pr: The Travis CI build passed

@ctubbsii ctubbsii deleted the ctubbsii:client-tls12-default branch Apr 9, 2018
