[ https://issues.apache.org/jira/browse/DERBY-6764?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14178768#comment-14178768 ]

Mamta A. Satoor commented on DERBY-6764:
----------------------------------------

Just want to discuss one scenario on this issue.

There is just one piece of code in Derby both on client and server side where 
rather than getting the default protocol, we specifically ask for 'ssl'. That 
code is in NaiveTrustManager both on the client and server side. 
org.apache.derby.client.net.NaiveTrustManager
org.apache.derby.impl.drda.NaiveTrustManager

Between client and server, they can choose to
1) clear text exchanges
2) ssl/tls encryption but no peer authentication and
3) ssl/tls encryption and peer authentication

For the second scenario (ssl encryption but no peer authentication), 
NaiveTrustManager gets used. And NaiveTrustManager specifically asks for 
SSLContext.getInstance("SSL"). I wonder what version of ssl gets used in this 
scenario. For e.g., let's say both client and server are using java version 
"1.7.0" which supports the following protocols
 Java(TM) SE Runtime Environment (build pwi3270sr7-20140410_01(SR7))
 IBM J9 VM (build 2.6, JRE 1.7.0 Windows 7 x86-32 20140409_195732 (JIT enabled, 
AOT enabled)
 Supports protocol SSLv3
 Supports protocol TLSv1
 Supports protocol TLSv1.1
 Supports protocol TLSv1.2

will we be picking SSLv3 rather than TLSv1.2 since NaiveTrustManager specifically 
asked for SSL?
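The question above can be answered empirically on any given JVM. The following is an added example, not Derby's NaiveTrustManager or any other Derby code: it prints the protocols an SSLContext obtained with "SSL" versus "TLS" supports and enables by default, then shows how a socket created from such a context can have SSLv3 (and SSLv2Hello) removed from its enabled list before use. The trust-all manager is a simplified stand-in for the "encryption but no peer authentication" mode; the exact lists printed depend on the JVM.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ProtocolCheck {
    // Stand-in for a trust-all manager (assumption: mirrors the
    // "ssl encryption but no peer authentication" mode, not Derby's own class).
    private static final TrustManager[] NAIVE = { new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] c, String a) { }
        public void checkServerTrusted(X509Certificate[] c, String a) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    } };

    // Print what a context created with the given algorithm name can and will offer.
    static void report(String algorithm) throws Exception {
        SSLContext ctx = SSLContext.getInstance(algorithm);
        ctx.init(null, NAIVE, null);
        System.out.println(algorithm + " supported:  "
            + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println(algorithm + " default:    "
            + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
    }

    // Keep only TLS versions from whatever the JVM enabled by default,
    // dropping SSLv3 and the SSLv2Hello pseudo-protocol.
    static String[] tlsOnly(String[] enabled) {
        List<String> keep = new ArrayList<String>();
        for (String p : enabled) {
            if (p.startsWith("TLS")) keep.add(p);
        }
        return keep.toArray(new String[keep.size()]);
    }

    public static void main(String[] args) throws Exception {
        report("SSL");
        report("TLS");
        // A socket from the "SSL" context, restricted before any handshake happens.
        SSLContext ctx = SSLContext.getInstance("SSL");
        ctx.init(null, NAIVE, null);
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket();
        System.out.println("socket enabled before: " + Arrays.toString(s.getEnabledProtocols()));
        s.setEnabledProtocols(tlsOnly(s.getEnabledProtocols()));
        System.out.println("socket enabled after:  " + Arrays.toString(s.getEnabledProtocols()));
        s.close();
    }
}
```

The negotiated version is the highest one enabled on both sides, so checking the enabled list on the socket (not just the algorithm name passed to getInstance) is what decides whether SSLv3 can still be chosen.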

> analyze impact of poodle security alert on Derby client - server ssl support
> ----------------------------------------------------------------------------
>
>                 Key: DERBY-6764
>                 URL: https://issues.apache.org/jira/browse/DERBY-6764
>             Project: Derby
>          Issue Type: Task
>            Reporter: Myrna van Lunteren
>
> Recently, a security weakness was found in SSLv3, POODLE: SSLv3 vulnerability 
> (CVE-2014-3566)
> Derby supports ssl between the client and network server.
> We should investigate this and decide if we need to change our product, e.g. 
> to eliminate support for SSL in favor of its successor TLS.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
