[
https://issues.apache.org/jira/browse/GEODE-10297?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17534649#comment-17534649
]
Jacob Barrett commented on GEODE-10297:
---------------------------------------
When creating an {{SSLContext}} in {{SSLUtil}} we use the {{ssl-protocols}}
list to for the {{SSLContext}} instance. It loops over the list and returns the
first request that doesn't result in an exception. In the example case
{{TLSv1.2}} context is found first, which supports {{TLSv1.2}} as its newest
protocol.
> SSL protocol ordering can result in loss of newer protocol support.
> -------------------------------------------------------------------
>
> Key: GEODE-10297
> URL: https://issues.apache.org/jira/browse/GEODE-10297
> Project: Geode
> Issue Type: Bug
> Components: core
> Affects Versions: 1.12.9, 1.13.8, 1.14.4, 1.15.0, 1.16.0
> Reporter: Jacob Barrett
> Priority: Major
> Labels: blocks-1.15.0, needsTriage
>
> If {{ssl-protocols}} is listed with a older protocol version ahead of a newer
> the {{SSLContext}} used will support at most that weaker protocol.
> For example {{ssl-protocols=TLSV1.2,TLSv1.3,TLSv1.1}} will use the
> {{TLSv1.2}} {{SSLContext}}, which will not support, and silently ignore, the
> {{TLSv1.3}} configuration. The effective enabled protocols list will be
> {{TLSV1.2,TLSv1.1}}.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
