[ https://issues.apache.org/jira/browse/DERBY-6764?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14174464#comment-14174464 ]

Mike Matrigali commented on DERBY-6764:
---------------------------------------

To start, I don't have a lot of expertise in the security part of Derby, so I
welcome others to set me straight, but here is what I think so far:

After some web research and Derby code research, it looks to me like Derby, when
configured to use SSL, just picks the "default" SSL. I think this means it
follows the standard handshake, which is something like:
Client hello - The client sends the server information including the highest 
version of SSL it supports and a list of the cipher suites it supports. (TLS 
1.0 is indicated as SSL 3.1.) The cipher suite information includes 
cryptographic algorithms and key sizes.
Server hello - The server chooses the highest version of SSL and the best 
cipher suite that both the client and server support and sends this information 
to the client.

So whether Derby is affected is dependent solely on the JVM versions and JVM
settings rather than anything set in Derby.

For IBM JVMs, if you are running with no special flags, and running at or above
ibm16, you should not be affected.
At least in the IBM JVMs there are various optional flags that can be used to
set specific SSL versions, so you can be affected if you are using those flags
to specifically choose older versions of SSL. Also note in ibm16 there were
changes to SSL in release fix packs, and these comments apply to the latest
version of the ibm 16 release which has TLS 1.0.

I have not looked at Oracle JVM flags.

I

> analyze impact of poodle security alert on Derby client - server ssl support
> ----------------------------------------------------------------------------
>
>                 Key: DERBY-6764
>                 URL: https://issues.apache.org/jira/browse/DERBY-6764
>             Project: Derby
>          Issue Type: Task
>            Reporter: Myrna van Lunteren
>
> Recently, a security weakness was found in SSLv3, POODLE: SSLv3 vulnerability 
> (CVE-2014-3566)
> Derby supports ssl between the client and network server.
> We should investigate this and decide if we need to change our product, e.g. 
> to eliminate support for SSL in favor of its successor TLS.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
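
Added example, not part of the message above and not Derby code: a small JSSE audit that prints which protocol versions the running JVM enables by default, then restricts a server socket so SSLv3 cannot be negotiated. It assumes, as the comment suggests, that the server relies on the JVM's default SSL context; the class and helper names are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// Hypothetical audit class: reports what the JVM's default SSL context
// offers in the handshake and shows how to drop the SSL-era protocols.
public class DefaultSslProtocolAudit {

    // JSSE names SSL-era protocols "SSLv3" and "SSLv2Hello"; TLS versions start with "TLS".
    static boolean isLegacySsl(String protocol) {
        return protocol.startsWith("SSL");
    }

    // Keep only the TLS entries from an enabled-protocol list.
    static String[] withoutLegacySsl(String[] enabled) {
        List<String> kept = new ArrayList<>();
        for (String p : enabled) {
            if (!isLegacySsl(p)) kept.add(p);
        }
        // Refuse to return an empty list: the socket could not negotiate anything.
        if (kept.isEmpty()) throw new IllegalStateException("no TLS protocol left to enable");
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] defaults = ctx.getDefaultSSLParameters().getProtocols();
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        System.out.println("java.version      : " + System.getProperty("java.version"));
        System.out.println("enabled by default: " + Arrays.toString(defaults));
        System.out.println("supported         : " + Arrays.toString(supported));
        System.out.println("SSLv3 on by default: " + Arrays.asList(defaults).contains("SSLv3"));

        // Server socket from the default factory, bound to an ephemeral port.
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket s = (SSLServerSocket) f.createServerSocket(0)) {
            s.setEnabledProtocols(withoutLegacySsl(s.getEnabledProtocols()));
            System.out.println("after restriction : " + Arrays.toString(s.getEnabledProtocols()));
        }
    }
}
```

Running it on each JVM that hosts a client or server shows whether that JVM's defaults still include SSLv3, which is the dependency on JVM version and settings described in the comment.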
