apache / openmeetings

Mirror of Apache Openmeetings


[OPENMEETINGS-2578] Update to enable TLS >=1.2 as default secure protocols

NEUZhangy opened this issue · comments

Location:
In file openmeetings-web/src/main/java/org/apache/openmeetings/web/app/UserManager.java, line 286, the SSL protocol is used in the statement `SSLContext sc = SSLContext.getInstance("SSL");`
Impact:
An SSL DDoS attack targets the SSL handshake protocol either by sending worthless data to the SSL server which will result in connection issues for legitimate users or by abusing the SSL handshake protocol itself.
Suggestions:
Upgrade the implementation to “TLS”, and configure the https.protocols JVM option to include TLSv1.2:
Useful links:
https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https
https://www.appmarq.com/public/tqi,1039002,CWE-319-Avoid-using-Deprecated-SSL-protocols-to-secure-connection

Please share with us your opinions/comments if there is any:
Is the bug report helpful?
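The weak call named in the report next to its hardened form, as an added example written for this page and not code from the OpenMeetings project. The class name, the helper names and the protocol check are assumptions; the only call taken from the report is `SSLContext.getInstance("SSL")`, and the defaults it yields depend on the JDK version and its `jdk.tls.disabledAlgorithms` setting.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.Arrays;

// Hypothetical example class; not part of the OpenMeetings code base.
public class TlsContextExample {

    // Form reported in the issue: "SSL" is a legacy alias whose enabled
    // protocol set is whatever the JDK's defaults happen to be.
    static SSLContext legacyContext() throws Exception {
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, null, null); // default key managers, trust managers, RNG
        return sc;
    }

    // Hardened form: ask for TLSv1.2 explicitly so the protocol floor is
    // fixed in code rather than left to the runtime's alias resolution.
    static SSLContext tls12Context() throws Exception {
        SSLContext sc = SSLContext.getInstance("TLSv1.2");
        sc.init(null, null, null);
        return sc;
    }

    // Protocols the JVM would actually negotiate for a given context.
    static String[] enabledProtocols(SSLContext sc) {
        SSLParameters params = sc.getDefaultSSLParameters();
        return params.getProtocols();
    }

    // Defender's check: does this context still allow anything below TLS 1.2?
    static boolean allowsPre12(String[] protocols) {
        for (String p : protocols) {
            if (p.equals("SSLv3") || p.equals("TLSv1") || p.equals("TLSv1.1")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // The JVM option suggested in the report, e.g. -Dhttps.protocols=TLSv1.2,TLSv1.3
        System.out.println("https.protocols = " + System.getProperty("https.protocols"));

        for (String name : new String[] {"SSL", "TLS", "TLSv1.2"}) {
            SSLContext sc = SSLContext.getInstance(name);
            sc.init(null, null, null);
            String[] protocols = enabledProtocols(sc);
            System.out.println(name + " -> " + Arrays.toString(protocols)
                    + (allowsPre12(protocols) ? "  (pre-1.2 protocol enabled)" : "  (TLS >= 1.2 only)"));
        }

        // Installing the hardened context for HttpsURLConnection callers,
        // which is how an OAuth client using that API would pick it up.
        HttpsURLConnection.setDefaultSSLSocketFactory(tls12Context().getSocketFactory());
        System.out.println("default socket factory now built from: "
                + Arrays.toString(enabledProtocols(tls12Context())));
    }
}
```

Run it once without and once with `-Dhttps.protocols=TLSv1.2,TLSv1.3` to see which part of the fix each change covers: the `https.protocols` property only governs connections that use the JDK's default `HttpsURLConnection` factory, so once the code installs its own `SSLSocketFactory` the protocol floor has to come from the context (or from `SSLParameters.setProtocols`) as the hardened form above does.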

The protocol was changed to be TLSv1.2

Thanks for the report!
The impact is minimal because the code is used to perform OAuth only (to the servers with predefined URLs).