
Restrict TLS to flawless versions #4010

Closed
dorlaor opened this Issue Dec 20, 2018 · 0 comments


dorlaor commented Dec 20, 2018

Older TLS releases have vulnerabilities, let's disable them by default.
Could be that the default is too open:

The configuration code is here: https://github.com/scylladb/scylla/blob/bb85a21a8f748d4f1aa937b1ef596af706208ed1/conf/scylla.yaml

The string to enable TLS1.2 and prevent TLS 1.0 is:
Enabling the 128-bit secure ciphers, while disabling TLS 1.0:
"SECURE128:-VERS-TLS1.0"
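The string above is GnuTLS priority syntax: SECURE128 keeps only ciphersuites of 128-bit security or more, and -VERS-TLS1.0 removes TLS 1.0 from the versions offered (TLS 1.1 stays enabled unless it is removed as well). It takes effect on the side that applies it, so the practical check is to probe a node from the outside and see which versions it still accepts. The following is an added example, not ScyllaDB's code: a Python standard-library probe that pins the client to one TLS version at a time against a host and port you supply (assumed to be a node's TLS-enabled client port), records what the server negotiated, and judges the result against the same policy the priority string expresses, no TLS 1.0 and nothing under 128 bits.

```python
"""Probe a TLS endpoint for the protocol versions it still accepts and judge each
negotiated session against the policy "no TLS 1.0, ciphers of at least 128 bits".

Added example, not ScyllaDB's code. Standard library only."""
import socket
import ssl

# Policy mirrored from the GnuTLS priority string "SECURE128:-VERS-TLS1.0".
# It deliberately does not reject TLS 1.1, because that string does not either.
MIN_CIPHER_BITS = 128
REJECTED_VERSIONS = {"SSLv3", "TLSv1"}

# Names here match what SSLSocket.version() reports after a handshake.
PROBE_VERSIONS = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def compliant(version, cipher_bits):
    """True if a negotiated (protocol version, cipher secret bits) pair meets the policy."""
    if version in REJECTED_VERSIONS:
        return False
    return cipher_bits >= MIN_CIPHER_BITS


def judge(results):
    """results maps a probed version name to (negotiated_version, cipher_name, bits)
    or None when the server refused the handshake. Returns a list of findings,
    one per session the server accepted but the policy forbids."""
    findings = []
    for name, outcome in results.items():
        if outcome is None:
            continue
        version, cipher, bits = outcome
        if not compliant(version, bits):
            findings.append(f"{name}: server negotiated {version} {cipher} ({bits}-bit)")
    return findings


def probe(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`.
    Returns (negotiated_version, cipher_name, bits), or None if no session was made."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # testing protocol policy, not certificate identity
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # OpenSSL 3 blocks TLS 1.0/1.1 at its default security level; drop to
            # level 0 so the probe itself is not what refuses the old version.
            try:
                ctx.set_ciphers("ALL:@SECLEVEL=0")
            except ssl.SSLError:
                pass                    # builds without SECLEVEL support (e.g. LibreSSL)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cipher_name, _proto, bits = tls.cipher()
                return (tls.version(), cipher_name, bits)
    except (ssl.SSLError, OSError, ValueError):
        return None


def scan(host, port):
    """Probe every version in PROBE_VERSIONS; see judge() for the result shape."""
    return {name: probe(host, port, v) for name, v in PROBE_VERSIONS}


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. a node's TLS client port
    results = scan(host, port)
    for name, outcome in results.items():
        print(f"{name:8s} {'refused' if outcome is None else outcome}")
    for finding in judge(results):
        print("FAIL", finding)
```

A None result for TLS 1.0 can mean either that the server refused it or that the local OpenSSL build will not offer it even at security level 0, so confirm the client side with `openssl s_client -tls1` or `gnutls-cli --priority "NORMAL:-VERS-ALL:+VERS-TLS1.0"` before reading a refusal as a server-side pass.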

@tzach tzach added the Security label Dec 21, 2018

@slivne slivne added this to the 3.1 milestone Dec 24, 2018

avikivity added a commit that referenced this issue Feb 5, 2019

tls: Use a default prio string disabling TLS1.0 forcing min 128bits
Fixes #4010

Unless the user sets this explicitly, we should try to explicitly avoid
deprecated protocol versions. While gnutls should do this for
connections initiated thusly, clients such as drivers etc. might
use obsolete versions.

Message-Id: <20190107131513.30197-1-calle@scylladb.com>
(cherry picked from commit ba6a8ef)

avikivity pushed a commit that referenced this issue Feb 12, 2019

Calle Wilund
tls: Use a default prio string disabling TLS1.0 forcing min 128bits
Fixes #4010

Unless the user sets this explicitly, we should try to explicitly avoid
deprecated protocol versions. While gnutls should do this for
connections initiated thusly, clients such as drivers etc. might
use obsolete versions.