Menu
In order to secure my Thrift server against the recently discovered SSLv3 vulnerability, I explicitly stated which protocols should be enabled for the server socket:
TServerSocket socket = TSSLTransportFactory.getServerSocket(...);
SSLServerSocket sslServerSocket = (SSLServerSocket) socket.getServerSocket;
sslServerSocket.setEnabledProtocols(new String[] {"TLSv1.1", "TLSv1.2"});
However, even though a check using the TestSSLServer lists only TLSv1.1 and TLSv1.2, I'm still able to connect with OpenSSL using SSLv3:
openssl s_client -connect localhost:1111 -ssl3
How can I entirely disable SSLv3 on Thrift, so it fails during the SSL handshake already?
826
It seems I misinterpreted the openssl client output. Even though there is CONNECTED(00000003) on the first line, the error message follows:
140535757866656:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
It is, therefore, not possible to connect to the server; the code snippet presented in the question works fine.
135
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With