[ https://issues.apache.org/jira/browse/DERBY-6764?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14175043#comment-14175043 ]

Rick Hillegas commented on DERBY-6764:
--------------------------------------

The vulnerability is described here:
http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability and
http://www.theregister.co.uk/2014/10/14/google_drops_ssl_30_poodle_vulnerability/.
If I understand correctly, the solution is to not offer SSLv3 as an option.
The following program displays the protocols supported by the JVM:

{noformat}
import java.util.Arrays;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class SSLVersion
{
    public  static  void    main( String... args ) throws Exception
    {
        int     port = 1234;

        // The JVM's default SSL server socket factory.
        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();

        // Open a server socket only to query its protocol list.
        SSLServerSocket serverSocket =
            (SSLServerSocket) factory.createServerSocket(port);

        // Protocols the JVM can offer; getEnabledProtocols() lists those
        // actually offered by this socket.
        String[] protocols = serverSocket.getSupportedProtocols();
        System.out.println( "Supported protocols are " + Arrays.asList( protocols ) );

        serverSocket.close();
    }
}
{noformat}

Here is the result of running this program on Oracle Java 1.4, 6, 7, 8:

Java 1.4: Supported protocols are [SSLv2Hello, SSLv3, TLSv1]

Java 6: Supported protocols are [SSLv2Hello, SSLv3, TLSv1]

Java 7: Supported protocols are [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]

Java 8: Supported protocols are [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]

If the algorithm is to pick the highest version supported by both sides of the 
connection, then Derby should always use at least TLSv1. That protocol does not 
suffer from the poodle vulnerability.

> analyze impact of poodle security alert on Derby client - server ssl support
> ----------------------------------------------------------------------------
>
>                 Key: DERBY-6764
>                 URL: https://issues.apache.org/jira/browse/DERBY-6764
>             Project: Derby
>          Issue Type: Task
>            Reporter: Myrna van Lunteren
>
> Recently, a security weakness was found in SSLv3, POODLE: SSLv3 vulnerability 
> (CVE-2014-3566)
> Derby supports ssl between the client and network server.
> We should investigate this and decide if we need to change our product, e.g. 
> to eliminate support for SSL in favor of its successor TLS.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
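
The comment above suggests not offering SSLv3. The following is an added example, not part of the original message and not Derby's own code, showing one way to do that on a JSSE server socket by filtering the enabled protocol list. The class name `DisableSSLv3`, the helper `withoutSSLv3`, the use of port 0, and the choice to also drop the `SSLv2Hello` pseudo-protocol are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// Added example (not Derby code); class and method names are hypothetical.
public class DisableSSLv3
{
    // Return 'enabled' without any "SSL..." entry (SSLv3 and the SSLv2Hello
    // hello format). Fail closed if no TLS protocol would remain.
    static String[] withoutSSLv3( String[] enabled )
    {
        List<String> kept = new ArrayList<String>();
        for ( String protocol : enabled )
        {
            if ( !protocol.startsWith( "SSL" ) ) { kept.add( protocol ); }
        }
        if ( kept.isEmpty() )
        {
            throw new IllegalStateException(
                "No TLS protocol left after filtering " + Arrays.asList( enabled ) );
        }
        return kept.toArray( new String[ kept.size() ] );
    }

    public static void main( String... args ) throws Exception
    {
        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();

        // Port 0 (assumption) lets the OS pick a free port for this demonstration.
        SSLServerSocket serverSocket = (SSLServerSocket) factory.createServerSocket( 0 );
        try
        {
            // "Supported" is what the JVM can do; "enabled" is what this socket offers.
            System.out.println( "Supported: " + Arrays.asList( serverSocket.getSupportedProtocols() ) );
            System.out.println( "Enabled by default: " + Arrays.asList( serverSocket.getEnabledProtocols() ) );

            serverSocket.setEnabledProtocols( withoutSSLv3( serverSocket.getEnabledProtocols() ) );
            System.out.println( "Enabled after filtering: " + Arrays.asList( serverSocket.getEnabledProtocols() ) );
        }
        finally
        {
            serverSocket.close();
        }
    }
}
```

The same filter applies to a client-side `SSLSocket`, which exposes the same `getEnabledProtocols()` and `setEnabledProtocols()` methods.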
