Hawkin
/
arangodb
mirror of https://gitee.com/bigwinds/arangodb
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

change default value for `--ssl.protocol` from 4 (TLSv1) to 5 (TLSv12)

This commit is contained in:
jsteemann 2017-04-21 12:49:16 +02:00
parent 691dac7a73
commit 9d6277689c
7 changed files with 17 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG
View File

@ -1,6 +1,8 @@
devel devel
----- -----
* set default value for `--ssl.protocol` from TLSv1 to TLSv1.2.
* AQL breaking change in cluster: * AQL breaking change in cluster:
The SHORTEST_PATH statement using edge-collection names instead The SHORTEST_PATH statement using edge-collection names instead
of a graph name now requires to explicitly name the vertex-collection names of a graph name now requires to explicitly name the vertex-collection names

8
Documentation/Books/Manual/Administration/Configuration/SSL.mdpp
View File

@ -90,14 +90,12 @@ Use this option to specify the default encryption protocol to be used. The
following variants are available: following variants are available:
- 1: SSLv2 - 1: SSLv2
- 2: SSLv23 - 2: SSLv2 or SSLv3 (negotiated)
- 3: SSLv3 - 3: SSLv3
- 4: TLSv1 - 4: TLSv1
- 5: TLSv1.2 (recommended) - 5: TLSv1.2
The default *value* is 4 (i.e. TLSv1). If available, set it to 5 (i.e. TLSv1.2), The default *value* is 5 (TLSv1.2).
because lower protocol versions are known to be vulnerable to POODLE attack
variants.
### SSL cache ### SSL cache

6
Documentation/DocuBlocks/serverSSLProtocol.md
View File

@ -6,12 +6,12 @@
Use this option to specify the default encryption protocol to be used. Use this option to specify the default encryption protocol to be used.
The following variants are available: The following variants are available:
- 1: SSLv2 - 1: SSLv2
- 2: SSLv23 - 2: SSLv2 or SSLv3 (negotiated)
- 3: SSLv3 - 3: SSLv3
- 4: TLSv1 - 4: TLSv1
- 5: TLSv1.2 (recommended) - 5: TLSv1.2
The default *value* is 4 (i.e. TLSv1). The default *value* is 5 (TLSv1.2).
**Note**: this option is only relevant if at least one SSL endpoint is **Note**: this option is only relevant if at least one SSL endpoint is
used. used.

7
arangosh/Shell/ClientFeature.cpp
View File

@ -30,6 +30,7 @@
#include "Shell/ConsoleFeature.h" #include "Shell/ConsoleFeature.h"
#include "SimpleHttpClient/GeneralClientConnection.h" #include "SimpleHttpClient/GeneralClientConnection.h"
#include "SimpleHttpClient/SimpleHttpClient.h" #include "SimpleHttpClient/SimpleHttpClient.h"
#include "Ssl/ssl-helper.h"
using namespace arangodb; using namespace arangodb;
using namespace arangodb::application_features; using namespace arangodb::application_features;
@ -47,7 +48,7 @@ ClientFeature::ClientFeature(application_features::ApplicationServer* server,
_connectionTimeout(connectionTimeout), _connectionTimeout(connectionTimeout),
_requestTimeout(requestTimeout), _requestTimeout(requestTimeout),
_maxPacketSize(128 * 1024 * 1024), _maxPacketSize(128 * 1024 * 1024),
_sslProtocol(4), _sslProtocol(TLS_V12),
_retries(DEFAULT_RETRIES), _retries(DEFAULT_RETRIES),
_warn(false), _warn(false),
_haveServerPassword(false){ _haveServerPassword(false){
@ -98,8 +99,8 @@ void ClientFeature::collectOptions(std::shared_ptr<ProgramOptions> options) {
options->addSection("ssl", "Configure SSL communication"); options->addSection("ssl", "Configure SSL communication");
options->addOption("--ssl.protocol", options->addOption("--ssl.protocol",
"ssl protocol (1 = SSLv2, 2 = SSLv23, 3 = SSLv3, 4 = " "ssl protocol (1 = SSLv2, 2 = SSLv2 or SSLv3 (negotiated), 3 = SSLv3, 4 = "
"TLSv1, 5 = TLSV1.2 (recommended)", "TLSv1, 5 = TLSV1.2)",
new DiscreteValuesParameter<UInt64Parameter>( new DiscreteValuesParameter<UInt64Parameter>(
&_sslProtocol, sslProtocols)); &_sslProtocol, sslProtocols));
} }

6
lib/Ssl/SslServerFeature.cpp
View File

@ -75,8 +75,8 @@ void SslServerFeature::collectOptions(std::shared_ptr<ProgramOptions> options) {
std::unordered_set<uint64_t> sslProtocols = {1, 2, 3, 4, 5}; std::unordered_set<uint64_t> sslProtocols = {1, 2, 3, 4, 5};
options->addOption("--ssl.protocol", options->addOption("--ssl.protocol",
"ssl protocol (1 = SSLv2, 2 = SSLv23, 3 = SSLv3, 4 = " "ssl protocol (1 = SSLv2, 2 = SSLv2 or SSLv3 (negotiated), 3 = SSLv3, 4 = "
"TLSv1, 5 = TLSV1.2 (recommended))", "TLSv1, 5 = TLSv1.2)",
new DiscreteValuesParameter<UInt64Parameter>( new DiscreteValuesParameter<UInt64Parameter>(
&_sslProtocol, sslProtocols)); &_sslProtocol, sslProtocols));
@ -129,7 +129,7 @@ void SslServerFeature::verifySslOptions() {
LOG_TOPIC(DEBUG, arangodb::Logger::SSL) LOG_TOPIC(DEBUG, arangodb::Logger::SSL)
<< "using SSL protocol version '" << "using SSL protocol version '"
<< protocolName((protocol_e)_sslProtocol) << "'"; << protocolName(protocol_e(_sslProtocol)) << "'";
if (!FileUtils::exists(_keyfile)) { if (!FileUtils::exists(_keyfile)) {
LOG_TOPIC(FATAL, arangodb::Logger::SSL) << "unable to find SSL keyfile '" LOG_TOPIC(FATAL, arangodb::Logger::SSL) << "unable to find SSL keyfile '"

2
lib/Ssl/SslServerFeature.h
View File

@ -55,7 +55,7 @@ class SslServerFeature : public application_features::ApplicationFeature {
std::string _keyfile; std::string _keyfile;
bool _sessionCache = false; bool _sessionCache = false;
std::string _cipherList; std::string _cipherList;
uint64_t _sslProtocol = TLS_V1; uint64_t _sslProtocol = TLS_V12;
uint64_t _sslOptions = uint64_t _sslOptions =
(long)(SSL_OP_TLS_ROLLBACK_BUG | SSL_OP_CIPHER_SERVER_PREFERENCE); (long)(SSL_OP_TLS_ROLLBACK_BUG | SSL_OP_CIPHER_SERVER_PREFERENCE);
std::string _ecdhCurve; std::string _ecdhCurve;

2
lib/V8/v8-utils.cpp
View File

@ -661,7 +661,7 @@ void JS_Download(v8::FunctionCallbackInfo<v8::Value> const& args) {
rest::RequestType method = rest::RequestType::GET; rest::RequestType method = rest::RequestType::GET;
bool returnBodyOnError = false; bool returnBodyOnError = false;
int maxRedirects = 5; int maxRedirects = 5;
uint64_t sslProtocol = TLS_V1; uint64_t sslProtocol = TLS_V12;
if (args.Length() > 2) { if (args.Length() > 2) {
if (!args[2]->IsObject()) { if (!args[2]->IsObject()) {