[
https://issues.apache.org/jira/browse/DERBY-6764?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14181271#comment-14181271
]
Rick Hillegas commented on DERBY-6764:
--------------------------------------
As I understand the vulnerability now, the attack is mounted by a
man-in-the-middle, who can force the 2 sides to negotiate down to SSLv3. The
fix is to remove SSLv3 from one or both sides so that it can't be chosen ever.
Then the connection will fail if the man-in-the-middle tries to force SSLv3 on
the participants.
> analyze impact of poodle security alert on Derby client - server ssl support
> ----------------------------------------------------------------------------
>
> Key: DERBY-6764
> URL: https://issues.apache.org/jira/browse/DERBY-6764
> Project: Derby
> Issue Type: Task
> Reporter: Myrna van Lunteren
>
> Recently, a security weakness was found in SSLv3, POODLE: SSLv3 vulnerability
> (CVE-2014-3566)
> Derby supports ssl between the client and network server.
> We should investigate this and decide if we need to change our product, e.g.
> to eliminate support for SSL in favor of its successor TLS.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
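What the mitigation in the comment above looks like in JSSE, the library Derby's network server and client use for SSL, as an added example that is neither Derby's own code nor anything attached to this issue: each side strips the pre-TLS protocol names from the set it is willing to enable, so an SSLv3-only ClientHello injected by a man-in-the-middle cannot match anything and the handshake fails instead of downgrading. The class name, the `tlsOnly`/`hardenServer`/`hardenClient` helpers and the use of the default socket factories are assumptions made for the example; Derby's actual startup code is not shown here.

```java
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Example only (not Derby code): restrict JSSE sockets to TLS so SSLv3 can never be negotiated. */
public class TlsOnlySockets {

    // JSSE protocol names for the SSL-era versions. "SSLv2Hello" is only the
    // legacy hello record format, but it is dropped too so that nothing
    // older than TLS can be offered or accepted on the wire.
    private static final List<String> FORBIDDEN = Arrays.asList("SSLv3", "SSLv2Hello");

    /** Return every supported protocol name except the forbidden SSL ones. */
    static String[] tlsOnly(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String p : supported) {
            if (!FORBIDDEN.contains(p)) {
                keep.add(p);
            }
        }
        return keep.toArray(new String[0]);
    }

    /** True if any forbidden protocol is still enabled; useful as a startup self-check. */
    static boolean offersSslv3(String[] enabled) {
        for (String p : enabled) {
            if (FORBIDDEN.contains(p)) {
                return true;
            }
        }
        return false;
    }

    /** Server side (the listening network-server socket): refuse SSLv3 from any client. */
    static SSLServerSocket hardenServer(SSLServerSocket s) {
        s.setEnabledProtocols(tlsOnly(s.getSupportedProtocols()));
        return s;
    }

    /** Client side (the driver's connecting socket): never offer SSLv3, even if asked to. */
    static SSLSocket hardenClient(SSLSocket s) {
        s.setEnabledProtocols(tlsOnly(s.getSupportedProtocols()));
        return s;
    }

    public static void main(String[] args) throws IOException {
        // Port 0 = any free port; no keystore is needed just to configure the socket.
        SSLServerSocket server = (SSLServerSocket)
                SSLServerSocketFactory.getDefault().createServerSocket(0);
        hardenServer(server);
        System.out.println("server enabled: " + Arrays.toString(server.getEnabledProtocols()));

        // Unconnected client socket, configured the same way before connect().
        SSLSocket client = (SSLSocket) SSLSocketFactory.getDefault().createSocket();
        hardenClient(client);
        System.out.println("client enabled: " + Arrays.toString(client.getEnabledProtocols()));

        if (offersSslv3(server.getEnabledProtocols()) || offersSslv3(client.getEnabledProtocols())) {
            throw new IllegalStateException("SSLv3 still enabled; refusing to start");
        }
        client.close();
        server.close();
    }
}
```

Doing it on one side is enough to break the downgrade, as the comment says, but configuring both means a Derby client is also protected when it talks to an unpatched server. On JDKs from 8u31 and 7u75 onward the JRE's `java.security` file already lists `SSLv3` in `jdk.tls.disabledAlgorithms`, so `getSupportedProtocols()` no longer returns it and the filter becomes a harmless no-op; the `offersSslv3` check still confirms the final state regardless of which mechanism removed it.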