Bump default TLS protocol version to TLS v1.1 or v1.2 #139
Comments
TLS 1.1 means dropping JDK 6 compatibility. We cannot do that before Spring does.
I'm not suggesting TLS 1.1, per se. I'm saying that you shouldn't explicitly set the SSL protocol version by default. It's certainly something that should be configurable. Let the JDK decide what SSL protocol version should be used by default. This maintains compatibility with all the JDKs and makes it easier for users and operators to update how they use TLS as the protocol evolves.
There has to be a default. Relying only on 3rd parties is a recipe for support disaster for our small team. On JDK 6 it's likely SSLv3. This needs further investigation.
Why does Rabbit need to specify a default SSL version to avoid "support disaster" but so many other clients don't? I haven't seen any REST clients experiencing support armageddon because they rely on the JDK SSL defaults. On the contrary, it seems like you're opening yourself up to a support problem given that the Rabbit documentation recommends turning off TLSv1 which breaks the Java client.

@mheath FWIW our team does support 5 (if not 7) days a week and this is the first time it was brought up. Anyhow, we can make the default to be TLSv1.1 on JDK versions that support it. Feel free to verify this.

Why not just use the JDK default like this mheath@821f4fc#diff-561180cfd014fa3a18859e3f18243f6d If you want to tweak the TLS version used by the app, you can use the builtin system property to do so without changing your Java code (i.e.

@mheath we can do that if JDK 6 and 7 default is at least TLSv1. Thank you for the feedback.

Here's a table with all the defaults/supported TLS versions for JDK 6, 7, and 8. https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https Thanks Michael!

We have a patch that sets the default to TLS v1.2 and falls back to TLS v1.0 if that version isn't supported (e.g. on JDK 6 prior to the most recent patch set). It will be submitted as a PR and QA'ed as time permits.
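Added example, not the rabbitmq-java-client's code and not posted by anyone in this thread: the "try TLS v1.2, fall back if the JDK lacks it" selection described in the comment above, generalized to also try TLSv1.1 on the way down, shown beside the platform-default approach argued for earlier in the thread. The class name `TlsProtocolSelector` and the candidate list are assumptions made for this example; the only API used is `javax.net.ssl.SSLContext`, which is available on JDK 6 and later.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;

/**
 * Picks the newest TLS protocol the running JDK can negotiate.
 * Example written for this thread; not the rabbitmq-java-client's own code.
 */
public final class TlsProtocolSelector {

    /** Preference order, newest first. Constructed for this example. */
    private static final String[] CANDIDATES = {"TLSv1.2", "TLSv1.1", "TLSv1"};

    private TlsProtocolSelector() {}

    /**
     * Returns the first candidate for which SSLContext.getInstance succeeds.
     * A JDK without a provider for a protocol name throws
     * NoSuchAlgorithmException, so on an older JDK 6 this falls through
     * to "TLSv1" exactly as the comment above describes.
     */
    public static String newestSupportedProtocol() {
        for (String name : CANDIDATES) {
            try {
                SSLContext.getInstance(name);
                return name;
            } catch (NoSuchAlgorithmException e) {
                // no provider for this protocol on this JDK; try the next older one
            }
        }
        throw new IllegalStateException("no TLS protocol available in this JDK");
    }

    /** Explicit context, initialised with the JDK's default key and trust managers. */
    public static SSLContext explicitContext()
            throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance(newestSupportedProtocol());
        ctx.init(null, null, null);
        return ctx;
    }

    /** The alternative argued for in this thread: leave the choice to the platform. */
    public static SSLContext platformDefaultContext() throws NoSuchAlgorithmException {
        return SSLContext.getDefault();
    }

    public static void main(String[] args) throws Exception {
        SSLContext explicit = explicitContext();
        SSLContext platform = platformDefaultContext();
        // getProtocol() is the name the context was created with;
        // getDefaultSSLParameters().getProtocols() is what a socket from it will offer.
        System.out.println("explicit protocol: " + explicit.getProtocol());
        System.out.println("explicit enabled:  "
                + Arrays.toString(explicit.getDefaultSSLParameters().getProtocols()));
        System.out.println("platform default:  " + platform.getProtocol());
        System.out.println("platform enabled:  "
                + Arrays.toString(platform.getDefaultSSLParameters().getProtocols()));
    }
}
```

Compile and run it with `javac TlsProtocolSelector.java && java TlsProtocolSelector` on each JDK you support. The enabled-protocols list is the one that matters for the `protocol_version` alert reported in this issue: a server that has disabled TLSv1 rejects the handshake unless that list contains something newer, regardless of which name the context was created with.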
Finally backported this to
Many Rabbit servers disable TLSv1 because of the warnings about the BEAST attack here: https://www.rabbitmq.com/ssl.html
Since TLSv1 is the default, https://github.com/rabbitmq/rabbitmq-java-client/blob/master/src/main/java/com/rabbitmq/client/ConnectionFactory.java#L85, attempting to connect to a Rabbit server with TLSv1 disabled results in a
javax.net.ssl.SSLException: Received fatal alert: protocol_version
exception. Does it still make sense to make TLSv1 the default? Would it make more sense to stick with the platform default rather than set this explicitly?