Bug #18593

open

radosgw/ssl: sslv3 vs. tls1

Added by Marcus Watts over 7 years ago. Updated about 7 years ago.

Status: New
Priority: Normal
Assignee: -
Target version: -
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

AWS last summer (https://forums.aws.amazon.com/thread.jspa?threadID=176062) turned off SSLv3 support; they only support TLS1+.

Our current SSL support doesn't do anything special here, so it would support SSL2+. OpenSSL (at least in Fedora) apparently makes that be SSLv23+. Current thinking is that TLS1 is the minimum one "should" support.

For civetweb 1.8+ (what's in master), it's possible to force TLS1+ by including "ssl_protocol_version=3" on the civetweb frontend line. Perhaps this should be the default?

For jewel - the civetweb there does not support any means of customizing this behavior - so "SSLv23+" (or whatever is hardwired into OpenSSL).

Actions #1

Updated by Yehuda Sadeh about 7 years ago

Whatever is decided, we need to make it configurable. Default should probably be TLS1.
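
An added example, not part of the tracker discussion or of Ceph's own code: a Python check that scans ceph.conf text for civetweb frontends with an SSL port and reports whether `ssl_protocol_version` is set to at least the value quoted in the description. The sample configuration, section names and certificate path are constructed, and the threshold of 3 is taken from the report rather than from the civetweb documentation.

```python
import configparser

MIN_PROTOCOL_VERSION = 3  # value quoted in the report above (assumed threshold)

# Constructed sample ceph.conf; section names and paths are made up.
SAMPLE_CONF = """
[client.rgw.gw1]
rgw frontends = civetweb port=443s ssl_certificate=/etc/ceph/private/keyandcert.pem
[client.rgw.gw2]
rgw_frontends = civetweb port=80+443s ssl_certificate=/etc/ceph/private/keyandcert.pem ssl_protocol_version=3
[client.rgw.gw3]
rgw frontends = civetweb port=7480
[client.rgw.gw4]
rgw frontends = civetweb port=443s ssl_certificate=/etc/ceph/private/keyandcert.pem ssl_protocol_version=0
"""

def audit_rgw_frontends(conf_text, minimum=MIN_PROTOCOL_VERSION):
    """Return (section, finding) tuples for civetweb frontends that listen on SSL."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            # Ceph accepts both "rgw frontends" and "rgw_frontends".
            if key.replace(" ", "_") != "rgw_frontends":
                continue
            tokens = value.split()
            if not tokens or tokens[0] != "civetweb":
                continue
            opts = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            # civetweb marks an SSL listener with an "s" suffix, e.g. 80+443s.
            ports = opts.get("port", "").split("+")
            if not any(p.endswith("s") for p in ports):
                continue  # plain HTTP only, the setting does not apply
            raw = opts.get("ssl_protocol_version")
            if raw is None:
                findings.append((section, "ssl_protocol_version not set"))
            elif not raw.isdigit() or int(raw) < minimum:
                findings.append((section, f"ssl_protocol_version={raw} is below {minimum}"))
            else:
                findings.append((section, "ok"))
    return findings

if __name__ == "__main__":
    for section, finding in audit_rgw_frontends(SAMPLE_CONF):
        print(f"{section}: {finding}")
```
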
