qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Stitcher (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PROTON-1670) Configurable TLS versions
Date Fri, 10 Nov 2017 16:57:02 GMT

    [ https://issues.apache.org/jira/browse/PROTON-1670?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16247769#comment-16247769
] 

Andrew Stitcher commented on PROTON-1670:
-----------------------------------------

A separate issue is what to do if/how to prevent disabling *all* the TLS protocols:
* Could just do it and not be able to communicate.
* Could just return an error - and ignore the setting? Ignoring might be worse as then all
the protocols are allowed
* Could ignore the flag for the latest protocol (1.2 currently) so that communication isn't
stopped.
* Don't supply a way to disable the latest (1.2 currently) version -- assuming it must be
the most secure.

Maybe a better way to deal with this is to make the API a positive API telling which protocols
to use rather than which ones to disable. This will avoid the whole problem.


> Configurable TLS versions
> -------------------------
>
>                 Key: PROTON-1670
>                 URL: https://issues.apache.org/jira/browse/PROTON-1670
>             Project: Qpid Proton
>          Issue Type: New Feature
>          Components: proton-c
>    Affects Versions: proton-c-0.17.0
>            Reporter: Justin Ross
>            Assignee: Andrew Stitcher
>              Labels: api, tls
>             Fix For: proton-c-0.19.0
>
>
> This link has examples of what httpd and nignx offer:
> https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org


Mime
View raw message