
java - Securing a Thrift server against the POODLE SSL vulnerability

Question:

In order to secure my Thrift server against the recently discovered SSLv3 vulnerability, I explicitly stated which protocols should be enabled for the server socket:

import javax.net.ssl.SSLServerSocket;
import org.apache.thrift.transport.TServerSocket;
import org.apache.thrift.transport.TSSLTransportFactory;

TServerSocket socket = TSSLTransportFactory.getServerSocket(...);

// getServerSocket() returns the underlying java.net.ServerSocket, which is an SSLServerSocket here
SSLServerSocket sslServerSocket = (SSLServerSocket) socket.getServerSocket();

// offer only TLS 1.1 and 1.2; SSLv3 (and TLSv1.0) are left out of the enabled set
sslServerSocket.setEnabledProtocols(new String[] {"TLSv1.1", "TLSv1.2"});

However, even though a check using TestSSLServer lists only TLSv1.1 and TLSv1.2, I'm still able to connect with OpenSSL using SSLv3:

openssl s_client -connect localhost:1111 -ssl3

How can I entirely disable SSLv3 on Thrift, so that it already fails during the SSL handshake?

Answer:

It seems I misinterpreted the openssl client output. Even though there is CONNECTED(00000003) on the first line, the error message follows:

140535757866656:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:

It is, therefore, not possible to connect to the server; the code snippet presented in the question works fine.
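As an added example (not from the original question or the Thrift project), here is a small POSIX shell helper that probes a port with each protocol flag and classifies the openssl s_client output the way the answer describes: CONNECTED(...) only proves the TCP connection succeeded, and the handshake result is decided by the lines that follow. It assumes the openssl CLI is installed; host and port are placeholders.

```shell
#!/bin/sh
# Added example: check which SSL/TLS versions a server really negotiates.
# Not part of the original post; assumes the `openssl` CLI is on PATH.

# Classify captured `openssl s_client` output.
# "CONNECTED(...)" alone says nothing about the handshake; a record-layer
# error such as "wrong version number" means the server refused the version,
# while a "Protocol : ..." line in the session summary means it was negotiated.
# Prints: rejected | negotiated | unknown
classify_handshake() {
    out="$1"
    if printf '%s\n' "$out" | grep -qE 'wrong version number|handshake failure|unsupported protocol|alert protocol version'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -qE '^ *Protocol *: *(SSLv3|TLSv1)'; then
        echo negotiated
    else
        echo unknown
    fi
}

# Probe one host:port with one explicit version flag (e.g. -tls1_2)
# and print "<flag> <classification>".
probe_protocol() {
    host="$1"; port="$2"; flag="$3"
    out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
    printf '%s %s\n' "$flag" "$(classify_handshake "$out")"
}

# Probe every legacy and current version; only TLSv1.1/1.2 should
# come back as "negotiated" for the server configured in the question.
# Usage: probe_all localhost 1111
probe_all() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        probe_protocol "$1" "$2" "$flag"
    done
}
```

If your OpenSSL build was compiled without SSLv3 support, it rejects the -ssl3 flag itself instead of attempting a handshake, which the classifier reports as unknown rather than rejected.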
