qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Stitcher (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PROTON-1670) Configurable TLS versions
Date Fri, 10 Nov 2017 16:51:00 GMT

    [ https://issues.apache.org/jira/browse/PROTON-1670?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16247760#comment-16247760

Andrew Stitcher commented on PROTON-1670:

To be clear this work item is adding an API to proton-c that configures which of the TLSv1.0,
TLSv1.1 TLSv1.2 protocols are enabled.

The underlying API from OpenSSL for this is rather different from the one for configuring

There are option flags {{SSL_OP_NO_TLSv1}} {{SSL_OP_NO_TLSv1_1}} {{SSL_OP_NO_TLSv1_2}} which
can be passed to {{SSL_CTX_set_options()}} to turn each protocol off individually -- The implementation
already turns off all the SSL versions anyway for security reasons.

So we could take a string like the {{pn_ssl_domain_set_ciphers()}} and decompose the string
into the underlying flags -- this is probably most consonant with the other API; or we could
have separate individual APIs to disable each unwanted protocol version viz {{pn_ssl_domain_disable_tls10()}}
{{pn_ssl_domain_disable_tls11()}} {{pn_ssl_domain_disable_tls12()}}. But this isn't very future
proof, needing a new API for each protocol version (although they won't actually get added
very fast); finally we could use a similar API to OpenSSL and use option flags -- probably
renamed with a PN_SSL_ prefix.

> Configurable TLS versions
> -------------------------
>                 Key: PROTON-1670
>                 URL: https://issues.apache.org/jira/browse/PROTON-1670
>             Project: Qpid Proton
>          Issue Type: New Feature
>          Components: proton-c
>    Affects Versions: proton-c-0.17.0
>            Reporter: Justin Ross
>            Assignee: Andrew Stitcher
>              Labels: api, tls
>             Fix For: proton-c-0.19.0
> This link has examples of what httpd and nignx offer:
> https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org

View raw message