Thrift Server Protection Against POODLE SSL Vulnerability

To protect my Thrift server from the recently discovered SSLv3 vulnerability, I explicitly specified which protocols should be enabled on the server socket:

 TServerSocket socket = TSSLTransportFactory.getServerSocket(...);
 SSLServerSocket sslServerSocket = (SSLServerSocket) socket.getServerSocket();
 sslServerSocket.setEnabledProtocols(new String[] {"TLSv1.1", "TLSv1.2"});

However, although a TestSSLServer scan lists only TLSv1.1 and TLSv1.2, I can still connect with OpenSSL using SSLv3:

 openssl s_client -connect localhost:1111 -ssl3 

How can I completely disable SSLv3 in Thrift, so it no longer works during SSL connection establishment?

+6
1 answer

It seems I misinterpreted the output of the openssl client. Although the first line reads CONNECTED(00000003), an error message follows:

 140535757866656:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337: 

Therefore, it is not possible to connect to the server; the code snippet presented in the question works fine.

+2
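The complete server-side setup the question sketches, written out as an added example (this is not code from the question, the answer, or the Apache Thrift project): it builds the Thrift SSL server socket through TSSLTransportParameters, restricts the enabled protocols on the underlying SSLServerSocket exactly as in the question, and adds a startup self-check that fails fast if any SSL protocol is still enabled. The keystore path and password are placeholders, and the port 1111 is taken from the question.

```java
import java.util.Arrays;
import java.util.List;

import javax.net.ssl.SSLServerSocket;

import org.apache.thrift.transport.TSSLTransportFactory;
import org.apache.thrift.transport.TSSLTransportFactory.TSSLTransportParameters;
import org.apache.thrift.transport.TServerSocket;
import org.apache.thrift.transport.TTransportException;

public class TlsOnlyThriftServerSocket {

    // Placeholders: point these at the deployment's real server keystore.
    private static final String KEYSTORE_PATH = "/path/to/server.jks";
    private static final String KEYSTORE_PASSWORD = "changeit";

    // Only these protocols may be negotiated; SSLv3 (POODLE) is deliberately absent.
    static final String[] ALLOWED_PROTOCOLS = {"TLSv1.1", "TLSv1.2"};

    /** Opens the Thrift server socket and restricts the protocols the JSSE socket will accept. */
    static TServerSocket open(int port) throws TTransportException {
        TSSLTransportParameters params = new TSSLTransportParameters();
        params.setKeyStore(KEYSTORE_PATH, KEYSTORE_PASSWORD);

        // clientTimeout 0 = none; ifAddress null = bind to all interfaces
        TServerSocket socket = TSSLTransportFactory.getServerSocket(port, 0, null, params);

        // The JSSE socket decides which handshakes are accepted, so the
        // restriction must be applied there, not only in the Thrift parameters.
        SSLServerSocket ssl = (SSLServerSocket) socket.getServerSocket();
        ssl.setEnabledProtocols(ALLOWED_PROTOCOLS);
        return socket;
    }

    /** Returns the protocols the socket will actually negotiate, for logging and checks. */
    static List<String> enabledProtocols(TServerSocket socket) {
        SSLServerSocket ssl = (SSLServerSocket) socket.getServerSocket();
        return Arrays.asList(ssl.getEnabledProtocols());
    }

    /** True when no SSLv2/SSLv3 variant (including the SSLv2Hello wrapper) remains enabled. */
    static boolean sslFamilyDisabled(TServerSocket socket) {
        for (String p : enabledProtocols(socket)) {
            if (p.startsWith("SSL")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        TServerSocket socket = open(1111);
        try {
            // Refuse to start serving if the restriction did not take effect.
            if (!sslFamilyDisabled(socket)) {
                throw new IllegalStateException(
                        "SSL protocol still enabled: " + enabledProtocols(socket));
            }
            System.out.println("Enabled protocols: " + enabledProtocols(socket));
            // hand `socket` to a TServer here
        } finally {
            socket.close();
        }
    }
}
```

With this in place, an `openssl s_client -connect localhost:1111 -ssl3` probe should end in the same "wrong version number" error shown in the answer; CONNECTED(00000003) on the first line only means the TCP connection was accepted, not that an SSLv3 handshake completed.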

Source: https://habr.com/ru/post/976789/

