Bug #18593
open
radosgw/ssl: sslv3 vs. tls1
Description
AWS last summer (https://forums.aws.amazon.com/thread.jspa?threadID=176062) turned off SSLv3 support; they only support TLS1+.
Our current SSL support doesn't do anything special here, so it would support SSL2+. OpenSSL (at least in Fedora) apparently makes that be SSLv23+. Current thinking is that TLS1 is the minimum one "should" support.
For civetweb 1.8+ (what's in master), it's possible to force TLS1+ by including "ssl_protocol_version=3" on the civetweb frontend line. Perhaps this should be the default?
For jewel, the civetweb there does not support any means of customizing this behavior, so "SSLv23+" (or whatever is hardwired into OpenSSL).
Updated by Yehuda Sadeh about 7 years ago
Whatever is decided, we need to make it configurable. Default should probably be TLS1.
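Until a default is settled, an operator can audit which gateways set the option at all. The following is an added example, not code from this ticket or from Ceph: it scans a constructed ceph.conf sample for civetweb frontend lines and reports whether `ssl_protocol_version` is present and at least the value named in the description (3). The section names, ports and paths are made up, and it assumes a larger value is at least as strict.

```python
import re

# Value the issue description names for civetweb 1.8+, used as the required
# minimum (assumption: a larger value is at least as strict).
REQUIRED_MIN = 3

# Constructed ceph.conf sample; section names, ports and paths are made up.
SAMPLE_CONF = """\
[client.rgw.gw1]
rgw frontends = civetweb port=443s ssl_certificate=/etc/ceph/rgw.pem
[client.rgw.gw2]
rgw_frontends = civetweb port=80+443s ssl_certificate=/etc/ceph/rgw.pem ssl_protocol_version=3
[client.rgw.gw3]
rgw frontends = civetweb port=7480
[client.rgw.gw4]
rgw frontends = civetweb port=8443s ssl_certificate=/etc/ceph/rgw.pem ssl_protocol_version=1
"""

FRONTEND_RE = re.compile(r"^rgw[ _]frontends\s*=\s*civetweb\b(.*)$")


def audit_frontends(conf_text, required_min=REQUIRED_MIN):
    """Return a (section, verdict) pair for every civetweb frontend line."""
    findings, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]")
            continue
        m = FRONTEND_RE.match(line)
        if not m:
            continue
        opts = dict(t.split("=", 1) for t in m.group(1).split() if "=" in t)
        # civetweb marks an SSL listener with an 's' suffix on the port.
        ports = opts.get("port", "").split("+")
        value = opts.get("ssl_protocol_version")
        if not any(p.endswith("s") for p in ports):
            verdict = "no-ssl"
        elif value is None:
            verdict = "unset"      # the library default applies
        elif not value.isdigit() or int(value) < required_min:
            verdict = "too-low"
        else:
            verdict = "ok"
        findings.append((section, verdict))
    return findings


if __name__ == "__main__":
    for section, verdict in audit_frontends(SAMPLE_CONF):
        print(f"{section}: {verdict}")
```
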