ranger-dev mailing list archives

From "Nikhil Purbhe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-2131) Ranger UserSync port (ie 5151) supports TLSv1.0
Date Thu, 14 Jun 2018 12:42:00 GMT

[ https://issues.apache.org/jira/browse/RANGER-2131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16512417#comment-16512417 ]

Nikhil Purbhe commented on RANGER-2131:
---------------------------------------

[~toopt4] It will be good if we let the user customize the SSL/TLS protocols from the property file.

For this, the user has to provide the desired list of protocols (comma separated) he wants to support using the ranger-usersync-default.xml file.

eg:
{code:xml}
<property>
  <name>ranger.usersync.https.ssl.enabled.protocols</name>
  <value>TLSv1.1, TLSv1.2</value>
</property>
{code}
If that property is not specified, the default set of protocols will be supported.

I will be attaching the patch to support the above behavior.

> Ranger UserSync port (ie 5151) supports TLSv1.0
> -----------------------------------------------
>
>                 Key: RANGER-2131
>                 URL: https://issues.apache.org/jira/browse/RANGER-2131
>             Project: Ranger
>          Issue Type: Bug
>          Components: usersync
>    Affects Versions: 1.0.0
>            Reporter: t oo
>            Assignee: Nikhil Purbhe
>            Priority: Major
>              Labels: security
>             Fix For: 1.1.0
>
>
> THREAT:
> TLS is capable of using a multitude of ciphers (algorithms) to create the public and private key pairs.
> For example, TLSv1.0 uses either the RC4 stream cipher, or a block cipher in CBC mode.
> RC4 is known to have biases and the block cipher in CBC mode is vulnerable to the POODLE attack.
> TLSv1.0, if configured to use the same cipher suites as SSLv3, includes a means by which a TLS implementation can downgrade the connection to SSL v3.0, thus weakening security.
> A POODLE-type ([https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls]) attack could also be launched directly at TLS without negotiating a downgrade.
> This QID will be marked as a Fail for PCI as of May 1st, 2017 in accordance with the new standards. For existing implementations, Merchants will be able to submit a PCI False Positive / Exception Request and provide proof of their Risk Mitigation and Migration Plan, which will result in a pass for PCI up until June 30th, 2018.
> Further details can be found at: NEW PCI DSS v3.2 and Migrating from SSL and Early TLS v1.1 ([https://community.qualys.com/message/34120])
> IMPACT:
> An attacker can exploit cryptographic flaws to conduct man-in-the-middle type attacks or to decrypt communications.
> For example: An attacker could force a downgrade from the TLS protocol to the older SSLv3.0 protocol and exploit the POODLE vulnerability, read secure communications or maliciously modify messages.
> A POODLE-type ([https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls]) attack could also be launched directly at TLS without negotiating a downgrade.
> SOLUTION:
> Disable the use of TLSv1.0 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.
> The following openssl commands can be used to do a manual test:
> openssl s_client -connect ip:port -tls1
> If the test is successful, then the target supports TLSv1
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
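The protocol-restriction behaviour proposed in the comment above, as an added Java example that is not Ranger's own code: it parses the comma-separated value of ranger.usersync.https.ssl.enabled.protocols, drops any name the running JVM does not support (an unsupported name would otherwise make setEnabledProtocols throw), applies the remaining list to the listening socket, and keeps the JVM's default enabled protocols when the property is absent or blank. The class and helper names (UsersyncTlsProtocols, parseProtocols, filterSupported, openListener) are assumptions; Ranger's usersync server builds its listener differently and loads its own keystore, which this standalone snippet does not.

```java
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Added example, not Ranger code. Restricts a TLS listener to the protocols
 * named in ranger.usersync.https.ssl.enabled.protocols (the property proposed
 * in the JIRA comment). Class and method names are assumptions.
 */
public class UsersyncTlsProtocols {

    static final String PROTOCOLS_PROPERTY = "ranger.usersync.https.ssl.enabled.protocols";

    /**
     * Turns "TLSv1.1, TLSv1.2" into a trimmed, de-duplicated array.
     * Returns null for a null/blank value so the caller keeps the JVM defaults.
     */
    static String[] parseProtocols(String value) {
        if (value == null || value.trim().isEmpty()) {
            return null;
        }
        Set<String> out = new LinkedHashSet<>();
        for (String p : value.split(",")) {
            String t = p.trim();
            if (!t.isEmpty()) {
                out.add(t);
            }
        }
        return out.isEmpty() ? null : out.toArray(new String[0]);
    }

    /** Keeps only the requested names this JVM actually supports, preserving order. */
    static String[] filterSupported(String[] requested, String[] supported) {
        Set<String> sup = new LinkedHashSet<>(Arrays.asList(supported));
        return Arrays.stream(requested).filter(sup::contains).toArray(String[]::new);
    }

    /**
     * Opens a server socket on the given port (0 = ephemeral) and applies the
     * configured protocol list. An absent property leaves the JVM defaults in place;
     * a property that names only unsupported protocols fails fast instead of
     * silently listening with nothing enabled.
     */
    static SSLServerSocket openListener(int port, String configuredProtocols)
            throws IOException, NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(port);

        String[] requested = parseProtocols(configuredProtocols);
        if (requested != null) {
            String[] usable = filterSupported(requested, server.getSupportedProtocols());
            if (usable.length == 0) {
                server.close();
                throw new IllegalArgumentException(PROTOCOLS_PROPERTY
                        + " names no protocol supported by this JVM: " + configuredProtocols);
            }
            server.setEnabledProtocols(usable);
        }
        // else: property not set, so the JVM's default enabled protocols remain
        return server;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value mirroring the comment's example; a real deployment
        // would read it from ranger-usersync-default.xml.
        String configured = System.getProperty(PROTOCOLS_PROPERTY, "TLSv1.1, TLSv1.2");
        try (SSLServerSocket s = openListener(0, configured)) {
            System.out.println("enabled protocols: " + Arrays.toString(s.getEnabledProtocols()));
        }
    }
}
```

Running the class prints the protocols the listener will negotiate; on a JDK whose security policy has already disabled TLSv1.1, only TLSv1.2 survives the filter, which is the expected outcome rather than an error. Because the listener here uses the default SSLContext without a key material, it cannot complete a handshake; the point is the protocol selection, which can be checked against a real listener with the openssl s_client -tls1 command from the issue description.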
