[ 
https://issues.apache.org/jira/browse/DERBY-6764?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14179626#comment-14179626
 ] 

Mamta A. Satoor commented on DERBY-6764:
----------------------------------------

I modified Rick's Java program in my environment to list the provider info for 
SSL and TLS. It turns out that the provider is the same for both SSL and TLS 
protocols.

import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLContext;

public class MamtaJDBC {
    public static void main(String[] args) throws Exception {
        int     port = 1234;

        // Server socket from the JVM's default SSL server socket factory.
        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket serverSocket =
            (SSLServerSocket) factory.createServerSocket(port);

        // Protocols the provider supports on this socket.
        String[] protocols = serverSocket.getSupportedProtocols();
        System.out.println( "Supports protocol for getDefault are");
        for ( int i = 0; i < protocols.length; i++ )
        {
            System.out.println( "    " + protocols[ i ] );
        }

        // Provider that answers a request for the "SSL" and "TLS" contexts.
        System.out.println( "ssl provider is " +
            SSLContext.getInstance("SSL").getProvider().getInfo());
        System.out.println( "tls provider is " +
            SSLContext.getInstance("TLS").getProvider().getInfo());
    }
}


The output of this program when run with IBM JDK 1.7 is as follows:

$ java org.apache.derbyTesting.functionTests.tests.lang.MamtaJDBC
Supports protocol for getDefault are
    SSLv3
    TLSv1
    TLSv1.1
    TLSv1.2
ssl provider is IBM JSSE provider2 (implements IbmX509 key/trust factories, SSLv3, TLSv1)
tls provider is IBM JSSE provider2 (implements IbmX509 key/trust factories, SSLv3, TLSv1)

Since an explicit request for the SSL protocol returns TLS implementations as 
well, we should be OK with Derby code explicitly asking for 'SSL', and we do not 
need to make any changes for TLS. If the JDK provides TLS implementations, then 
we will get those TLS implementations through the SSL protocol request.


> analyze impact of poodle security alert on Derby client - server ssl support
> ----------------------------------------------------------------------------
>
>                 Key: DERBY-6764
>                 URL: https://issues.apache.org/jira/browse/DERBY-6764
>             Project: Derby
>          Issue Type: Task
>            Reporter: Myrna van Lunteren
>
> Recently, a security weakness was found in SSLv3, POODLE: SSLv3 vulnerability 
> (CVE-2014-3566)
> Derby supports ssl between the client and network server.
> We should investigate this and decide if we need to change our product, e.g. 
> to eliminate support for SSL in favor of its successor TLS.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
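
Added example, not part of the original comment or of Derby's code: getSupportedProtocols(), used in the program above, lists what the provider can negotiate, while getEnabledProtocols() lists what a given socket will actually accept, so an SSLv3 audit should look at the enabled set. The sketch below prints both and then removes SSLv3 with setEnabledProtocols(). The class name and the use of an ephemeral port are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// Hypothetical class name; illustrates auditing and restricting the
// protocols enabled on a socket from the default JSSE factory.
public class DisableSslv3Example {

    // Return the given protocol names with SSLv3 removed.
    static String[] withoutSslv3(String[] enabled) {
        List<String> kept = new ArrayList<>();
        for (String protocol : enabled) {
            if (!"SSLv3".equals(protocol)) {
                kept.add(protocol);
            }
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();

        // Port 0 asks for an ephemeral port (assumption: any free port will do);
        // try-with-resources closes the listener when the check is done.
        try (SSLServerSocket serverSocket =
                 (SSLServerSocket) factory.createServerSocket(0)) {
            System.out.println("supported:      "
                + Arrays.toString(serverSocket.getSupportedProtocols()));
            System.out.println("enabled before: "
                + Arrays.toString(serverSocket.getEnabledProtocols()));

            String[] remaining = withoutSslv3(serverSocket.getEnabledProtocols());
            if (remaining.length == 0) {
                // Fail closed rather than leave SSLv3 as the only option.
                throw new IllegalStateException(
                    "no protocol other than SSLv3 is enabled by this provider");
            }
            serverSocket.setEnabledProtocols(remaining);

            System.out.println("enabled after:  "
                + Arrays.toString(serverSocket.getEnabledProtocols()));
        }
    }
}
```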
