ranger-dev mailing list archives

From "Nikhil Purbhe (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (RANGER-2131) Ranger UserSync port (ie 5151) supports TLSv1.0
Date Fri, 15 Jun 2018 11:59:00 GMT

     [ https://issues.apache.org/jira/browse/RANGER-2131?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Nikhil Purbhe updated RANGER-2131:
    Attachment: RANGER-2131.patch

> Ranger UserSync port (ie 5151) supports TLSv1.0
> -----------------------------------------------
>                 Key: RANGER-2131
>                 URL: https://issues.apache.org/jira/browse/RANGER-2131
>             Project: Ranger
>          Issue Type: Bug
>          Components: usersync
>    Affects Versions: 1.0.0
>            Reporter: t oo
>            Assignee: Nikhil Purbhe
>            Priority: Major
>              Labels: security
>             Fix For: 1.1.0
>         Attachments: RANGER-2131.patch
> TLS is capable of using a multitude of ciphers (algorithms) to create the public and private key pairs.
> For example, if TLSv1.0 uses either the RC4 stream cipher, or a block cipher in CBC mode.
> RC4 is known to have biases and the block cipher in CBC mode is vulnerable to the POODLE
> TLSv1.0, if configured to use the same cipher suites as SSLv3, includes a means by which a TLS implementation can downgrade the connection to SSL v3.0, thus weakening security.
> A POODLE-type ([https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls]) attack could also be launched directly at TLS without negotiating a downgrade.
> This QID will be marked as a Fail for PCI as of May 1st, 2017 in accordance with the new standards. For existing implementations, Merchants will be able to submit a PCI False Positive / Exception Request and provide proof of their Risk Mitigation and Migration Plan, which will result in a pass for PCI up until June 30th, 2018.
> Further details can be found at: NEW PCI DSS v3.2 and Migrating from SSL and Early TLS v1.1 ([https://community.qualys.com/message/34120])
> An attacker can exploit cryptographic flaws to conduct man-in-the-middle type attacks or to decrypt communications.
> For example: An attacker could force a downgrade from the TLS protocol to the older SSLv3.0 protocol and exploit the POODLE vulnerability, read secure communications or maliciously modify messages.
> A POODLE-type ([https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls]) attack could also be launched directly at TLS without negotiating a downgrade.
> Disable the use of TLSv1.0 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.
> The following openssl commands can be used to do a manual test:
> openssl s_client -connect ip:port -tls1
> If the test is successful, then the target supports TLSv1

This message was sent by Atlassian JIRA
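The ticket's manual check (openssl s_client with -tls1 against the UserSync port) generalises to a per-version probe, and the fix it asks for is a minimum-protocol-version setting on the listener. The Go program below is an added example written for this archive page; it is not code from the ticket, from the attached RANGER-2131.patch, or from the Ranger project (UserSync is Java, and its actual listener code is not shown here). It stands in for port 5151 with two throwaway loopback servers on random ports, one configured the way the ticket reports (MinVersion TLSv1.0) and one hardened (MinVersion TLSv1.2), and scans each at TLSv1.0 through TLSv1.3 the way a scanner would. The self-signed certificate, the server address, and the function names (Scan, Demo, probe, scanServer, selfSignedCert) are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Versions a scanner probes, named after the openssl s_client flags (-tls1, -tls1_1, -tls1_2, -tls1_3).
var probeVersions = map[string]uint16{
	"TLSv1.0": tls.VersionTLS10, "TLSv1.1": tls.VersionTLS11,
	"TLSv1.2": tls.VersionTLS12, "TLSv1.3": tls.VersionTLS13,
}

// selfSignedCert builds a throwaway ECDSA certificate for 127.0.0.1 so the demo servers need no files on disk (demo-only, not a real CA).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced just above; always parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// scanServer brings up a loopback TLS server whose only relevant setting is MinVersion,
// probes it at every version, and shuts it down.
func scanServer(cert tls.Certificate, roots *x509.CertPool, minVersion uint16) (map[string]bool, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: minVersion})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			// Drive the handshake so the client sees either success or a protocol_version alert.
			go func() { defer c.Close(); c.(*tls.Conn).Handshake() }()
		}
	}()
	return Scan(ln.Addr().String(), roots), nil
}

// probe is the programmatic equivalent of `openssl s_client -connect addr -tls1`: pinning
// MinVersion and MaxVersion to one protocol means the handshake succeeds only if the server speaks exactly that version.
func probe(addr string, version uint16, roots *x509.CertPool) bool {
	conn, err := tls.Dial("tcp", addr, &tls.Config{MinVersion: version, MaxVersion: version, RootCAs: roots})
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// Scan reports, per protocol name, whether addr completes a handshake at that version.
func Scan(addr string, roots *x509.CertPool) map[string]bool {
	out := map[string]bool{}
	for name, id := range probeVersions {
		out[name] = probe(addr, id, roots)
	}
	return out
}

// Demo scans the weak configuration the ticket describes (MinVersion TLSv1.0) beside the hardened one (MinVersion TLSv1.2).
func Demo() (weak, hardened map[string]bool, err error) {
	cert, roots, err := selfSignedCert()
	if err != nil {
		return nil, nil, err
	}
	if weak, err = scanServer(cert, roots, tls.VersionTLS10); err != nil {
		return nil, nil, err
	}
	hardened, err = scanServer(cert, roots, tls.VersionTLS12)
	return weak, hardened, err
}

func main() {
	fmt.Println(Demo()) // maps print with sorted keys, so the output is stable
}
```

Scan is the part to reuse against a real host: point it at ip:port with the deployment's trust roots and a true for "TLSv1.0" is the same finding the ticket's openssl command reports. Note that a probe also reports false when the certificate fails verification or the port is closed, so confirm TLSv1.2 succeeds before reading a TLSv1.0 false as "disabled".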
