change default value for `--ssl.protocol` from 4 (TLSv1) to 5 (TLSv12)

2017-04-21 12:49:16 +02:00 · 2017-04-21 12:49:16 +02:00 · 9d6277689c
parent 691dac7a73
commit 9d6277689c
7 changed files with 17 additions and 16 deletions
--- a/2
+++ b/2
@ -1,6 +1,8 @@
 devel
 -----

+* set default value for `--ssl.protocol` from TLSv1 to TLSv1.2.
+
 * AQL breaking change in cluster:
  The SHORTEST_PATH statement using edge-collection names instead
  of a graph name now requires to explicitly name the vertex-collection names 
--- a/Documentation/Books/Manual/Administration/Configuration/SSL.mdpp
+++ b/Documentation/Books/Manual/Administration/Configuration/SSL.mdpp
@ -90,14 +90,12 @@ Use this option to specify the default encryption protocol to be used.  The
 following variants are available:

 - 1: SSLv2
- 2: SSLv23
+- 2: SSLv2 or SSLv3 (negotiated)
 - 3: SSLv3
 - 4: TLSv1
- 5: TLSv1.2 (recommended)
+- 5: TLSv1.2

-The default *value* is 4 (i.e. TLSv1). If available, set it to 5 (i.e. TLSv1.2),
-because lower protocol versions are known to be vulnerable to POODLE attack
-variants.
+The default *value* is 5 (TLSv1.2).

 ### SSL cache

--- a/Documentation/DocuBlocks/serverSSLProtocol.md
+++ b/Documentation/DocuBlocks/serverSSLProtocol.md
@ -6,12 +6,12 @@
 Use this option to specify the default encryption protocol to be used.
 The following variants are available:
 - 1: SSLv2
- 2: SSLv23
+- 2: SSLv2 or SSLv3 (negotiated)
 - 3: SSLv3
 - 4: TLSv1
- 5: TLSv1.2 (recommended)
+- 5: TLSv1.2

-The default *value* is 4 (i.e. TLSv1).
+The default *value* is 5 (TLSv1.2).

 **Note**: this option is only relevant if at least one SSL endpoint is
 used.
--- a/arangosh/Shell/ClientFeature.cpp
+++ b/arangosh/Shell/ClientFeature.cpp
@ -30,6 +30,7 @@
 #include "Shell/ConsoleFeature.h"
 #include "SimpleHttpClient/GeneralClientConnection.h"
 #include "SimpleHttpClient/SimpleHttpClient.h"
+#include "Ssl/ssl-helper.h"

 using namespace arangodb;
 using namespace arangodb::application_features;
@ -47,7 +48,7 @@ ClientFeature::ClientFeature(application_features::ApplicationServer* server,
      _connectionTimeout(connectionTimeout),
      _requestTimeout(requestTimeout),
      _maxPacketSize(128 * 1024 * 1024),
-      _sslProtocol(4),
+      _sslProtocol(TLS_V12),
      _retries(DEFAULT_RETRIES),
      _warn(false),
      _haveServerPassword(false){
@ -98,8 +99,8 @@ void ClientFeature::collectOptions(std::shared_ptr<ProgramOptions> options) {

  options->addSection("ssl", "Configure SSL communication");
  options->addOption("--ssl.protocol",
-                     "ssl protocol (1 = SSLv2, 2 = SSLv23, 3 = SSLv3, 4 = "
-                     "TLSv1, 5 = TLSV1.2 (recommended)",
+                     "ssl protocol (1 = SSLv2, 2 = SSLv2 or SSLv3 (negotiated), 3 = SSLv3, 4 = "
+                     "TLSv1, 5 = TLSV1.2)",
                     new DiscreteValuesParameter<UInt64Parameter>(
                         &_sslProtocol, sslProtocols));
 }
--- a/lib/Ssl/SslServerFeature.cpp
+++ b/lib/Ssl/SslServerFeature.cpp
@ -75,8 +75,8 @@ void SslServerFeature::collectOptions(std::shared_ptr<ProgramOptions> options) {
  std::unordered_set<uint64_t> sslProtocols = {1, 2, 3, 4, 5};

  options->addOption("--ssl.protocol",
-                     "ssl protocol (1 = SSLv2, 2 = SSLv23, 3 = SSLv3, 4 = "
-                     "TLSv1, 5 = TLSV1.2 (recommended))",
+                     "ssl protocol (1 = SSLv2, 2 = SSLv2 or SSLv3 (negotiated), 3 = SSLv3, 4 = "
+                     "TLSv1, 5 = TLSv1.2)",
                     new DiscreteValuesParameter<UInt64Parameter>(
                         &_sslProtocol, sslProtocols));

@ -129,7 +129,7 @@ void SslServerFeature::verifySslOptions() {

  LOG_TOPIC(DEBUG, arangodb::Logger::SSL)
      << "using SSL protocol version '"
-      << protocolName((protocol_e)_sslProtocol) << "'";
+      << protocolName(protocol_e(_sslProtocol)) << "'";

  if (!FileUtils::exists(_keyfile)) {
    LOG_TOPIC(FATAL, arangodb::Logger::SSL) << "unable to find SSL keyfile '"
--- a/lib/Ssl/SslServerFeature.h
+++ b/lib/Ssl/SslServerFeature.h
@ -55,7 +55,7 @@ class SslServerFeature : public application_features::ApplicationFeature {
  std::string _keyfile;
  bool _sessionCache = false;
  std::string _cipherList;
-  uint64_t _sslProtocol = TLS_V1;
+  uint64_t _sslProtocol = TLS_V12;
  uint64_t _sslOptions =
      (long)(SSL_OP_TLS_ROLLBACK_BUG | SSL_OP_CIPHER_SERVER_PREFERENCE);
  std::string _ecdhCurve;
--- a/lib/V8/v8-utils.cpp
+++ b/lib/V8/v8-utils.cpp
@ -661,7 +661,7 @@ void JS_Download(v8::FunctionCallbackInfo<v8::Value> const& args) {
  rest::RequestType method = rest::RequestType::GET;
  bool returnBodyOnError = false;
  int maxRedirects = 5;
-  uint64_t sslProtocol = TLS_V1;
+  uint64_t sslProtocol = TLS_V12;

  if (args.Length() > 2) {
    if (!args[2]->IsObject()) {