crossbar
Allow to configure permissible TLS protocol versions
Currently, the TLS protocol version to use is hard-coded to TLS v1.2 - and only that - here.
It's using twisted.internet.ssl.CertificateOptions.
It would be nice to allow users to configure a list of TLS protocol versions.
However, this depends on this Twisted issue being fixed.
+1
I'll bump that to "bug level" as it affects users (stuff that did work now doesn't anymore).
@hawkowl Any idea if/when Twisted would move forward rgd http://twistedmatrix.com/trac/ticket/6800?
If not, the stop-gap solution for us would be to either default back to anything TLS >= 1.0 or to have a single (temporary?) switch where I can only choose between "TLS>=1.0" or "strictly TLS 1.2" ...
I can help move that ticket forward, just a matter of manpower :)
@hawkowl Yeah, as rock solid "security" is a top prio for CB, that would be awesome (means: we are sponsoring time for you to work on that).
However, as I am currently cleaning up issues, there are also a couple of remaining issues related to Python 3 / HTTP bridge / logging : https://github.com/crossbario/crossbar/issues?q=is%3Aopen+is%3Aissue+label%3Abug ;)
Some of these I would guess are not much work .. eg https://github.com/crossbario/crossbar/issues/604 - Last week (at that customer), I wanted to quickly hack together calling out (HTTP) from within PostgreSQL to CB's REST bridge .. and ran into this.
I would love to "finish" our efforts rgd Py 3 and the new shiny logging (now that it's in txaio, and most design/technical questions have been answered).
It's time for a "1.0" ..
Opened a PR for it in https://github.com/twisted/twisted/pull/603...
Great! So we can in turn let Crossbar.io users choose a specific set of TLS versions. Nice.
FWIW, right now, I am leaning towards explicitly NOT allowing users to configure anything < TLS v1.2. Just to protect the innocent ;)
And before someone complains: yeah, I am aware of old Java <7, Windows XP, Android <4.1 etc - all of that is broken shit that should die out immediately. TLS 1.2 was released 2008 .. nearly 10 years ago.
TLS 1.1 still seems to be supported by default ... or am I missing something? I'm running crossbar for my app at work and they tell me that scans show it supports TLS 1.1, so I checked crossbar running in my dev environment using nmap with the "ssl-enum-ciphers" option and it reports that TLSv1.1 and TLSv1.2 are both available ... is there a way to configure it to prohibit TLS 1.1?
I see that the latest code in crossbar common/twisted/endpoint.py has raiseMinimumTo=TLSVersion.TLSv1_1 ... so it seems it would be a simple change to make that TLSv1_2 ...
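A defender-side check for the situation described in the comment above, as an added example (not crossbar's or Twisted's code): it parses a constructed `nmap --script ssl-enum-ciphers` excerpt to flag protocol versions offered below TLS 1.2, and shows the stdlib `ssl` counterpart of raising the floor that `raiseMinimumTo=TLSVersion.TLSv1_2` gives in Twisted. The scan text is made up for the example; it is not output from any real host.

```python
import re
import ssl

# Constructed excerpt in the shape `nmap --script ssl-enum-ciphers` prints;
# not a scan of any real host. It offers TLS 1.1 next to TLS 1.2.
SAMPLE_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

# Protocol versions a listener may still offer; anything else is flagged.
ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}

# A protocol block opens with a pipe-prefixed header such as "|   TLSv1.1:".
_VERSION_LINE = re.compile(r"^\|_?\s+(SSLv[23]|TLSv1\.[0-3]):\s*$")


def offered_versions(scan_output):
    """Protocol versions the scanned listener accepted, in scan order."""
    return [m.group(1) for line in scan_output.splitlines()
            if (m := _VERSION_LINE.match(line))]


def deprecated_versions(scan_output):
    """Offered versions that fall below the allowed floor."""
    return [v for v in offered_versions(scan_output) if v not in ALLOWED_VERSIONS]


def hardened_server_context():
    """stdlib ssl equivalent of raising the minimum to TLS 1.2: TLS 1.0/1.1 hellos are refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("offered:", offered_versions(SAMPLE_SCAN))
    print("below floor:", deprecated_versions(SAMPLE_SCAN) or "none")
    print("hardened floor:", hardened_server_context().minimum_version.name)
```

Run the parser over a real scan of your own listener before and after the change; an empty "below floor" list is the expected result once the minimum is TLS 1.2.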
yeah, right! bumping to raiseMinimumTo=TLSVersion.TLSv1_3
makes sense.