Playframework does not pass PCI scans due to dangerous SSL ciphers
We recently failed a scan for PCI compliance (needed in order to be allowed for credit card transactions and such) because the SSL implementation of the play framework was considered vulnerable.
Framework version: 1.2.5
Platform you're using: linux
Runt tools like sslscan against your SSL enabled play application and see it.
The solution to this problem is to allow the user to specify the ciphers which are enabled in the SSL Engine.
I will do a push request asap.
Comments and changes to this ticket
(from [635925393d5c66d35c10733acda13297a95a4454]) [#1570] Allow setting of SSL ciphers as configuration option https://github.com/playframework/play/commit/635925393d5c66d35c1073...
(from [d825525c1dbec11964d74b7cc6eaac65ff2b1c03]) [#1570] Allow setting of SSL ciphers as configuration option https://github.com/playframework/play/commit/d825525c1dbec11964d74b...
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile »
Play makes it easier to build Web applications with Java. It is a clean alternative to bloated Enterprise Java stacks. It focuses on developer productivity and targets RESTful architectures. Learn more on the http://www.playframework.org website.
Source code is hosted on githubCheck out our repository at http://github.com/playframework/play
Contributing, creating a patchPlease read the contributor guide
Reporting Security VulnerabilitiesSince all bug reports are public, please report any security vulnerability directly to guillaume dot bort at gmail dot com.
Creating a bug reportBug reports are incredibly helpful, so take time to report bugs and request features in our ticket tracker. We’re always grateful for patches to Play’s code. Indeed, bug reports with attached patches will get fixed far quickly than those without any.
Please include as much relevant information as possible including the exact framework version you're using and a code snippet that reproduces the problem.
Don't have too much expectations. Unless the bug is really a serious "everything is broken" thing, you're creating a ticket to start a discussion. Having a patch (or a branch on Github we can pull from) is better, but then again we'll only pull high quality branches that make sense to be in the core of Play.