Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use TLSv1 by default #259

Merged
merged 1 commit into from
Oct 21, 2014
Merged

Use TLSv1 by default #259

merged 1 commit into from
Oct 21, 2014

Conversation

michaelklishin
Copy link
Member

Fixes #258.

michaelklishin added a commit that referenced this pull request Oct 21, 2014
@michaelklishin
Merge pull request #259 from ruby-amqp/issue258
44eacb2 
Use TLSv1 by default
@michaelklishin michaelklishin merged commit 44eacb2 into master Oct 21, 2014
@carlhoerberg
Copy link
Contributor

Why not go straight to TLS 1.2?

@michaelklishin
Copy link
Member Author

Not everybody can afford running TLS 1.2. For example, if you have .NET clients using RabbitMQ, they would have to run .NET 4.5. JVM-based apps will have to use JDK 7. And so on.

@michaelklishin
Copy link
Member Author

I understand that different clients can still use earlier TLS versions but as far as recent developments (specifically POODLE) go, there is not a lot of upside to using TLS 1.2.

@carlhoerberg
Copy link
Contributor

TLS 1.0 is vulnerable to the beast attack, 1.1 and 1.2 is not.

Bunny could still default to 1.2, even if old versions of .net or jvm doesn't support it, right?

On Wednesday 22 October 2014 at 02:15, Michael Klishin wrote:

I understand that different clients can still use earlier TLS versions but as far as recent developments (specifically POODLE) go, there is not a lot of upside to using TLS 1.2.


Reply to this email directly or view it on GitHub (#259 (comment)).

@dangerp
Copy link

dangerp commented Oct 21, 2014

Why is the ssl_version even being set explicitly? OpenSSL::SSL::SSLContext will use :SSLv23 by default, which will attempt TLS, and then downgrade to SSLv3 only if TLS is not supported. See https://www.openssl.org/docs/ssl/SSL_CTX_new.html#item_SSLv23_method

@carlhoerberg
Copy link
Contributor

👍 @dangerp

@dangerp dangerp mentioned this pull request Oct 22, 2014
Closed
@dangerp
Copy link

dangerp commented Oct 22, 2014

@carlhoerberg @michaelklishin see my proposed solution in #261

@michaelklishin
Copy link
Member Author

@dangerp Ruby's OpenSSL is virtually undocumented, that's why I wasn't aware of the TLSv1 preference. Thank you.

@dangerp
Copy link

dangerp commented Oct 22, 2014

I entirely understand. I've been doing a ton of digging the past few days auditing all of the libraries that we have that use SSL, and I started out with the same solution as yours. Took me a while to figure out what the ruby OpenSSL library was doing, and even longer to figure out what the SSLv23 setting actually meant.

For those reading this too lazy to open the link above:

a client will send out TLSv1 client hello messages including extensions and will indicate that it also understands TLSv1.1, TLSv1.2 and permits a fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. This is the best choice when compatibility is a concern.

This means that the server gets to decide which protocol to use. If the server supports TLSv1.2, then that is what it will likely choose to respond with.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Use TLSv1 by default
3 participants
@michaelklishin @carlhoerberg @dangerp