[ https://issues.apache.org/jira/browse/DERBY-6764?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14181342#comment-14181342 ]

Bryan Pendleton commented on DERBY-6764:
----------------------------------------

It seems like our software is at the mercy of the underlying JDK's protocol
negotiation.

Stated positively, we always use the best crypto that the underlying JDK will
allow, which seems like a good thing, and about the best we can do.

Perhaps we could have a bit of code which detected when the underlying JDK had
selected a crypto level which was less than the best possible (presumably due to
a client/server partner's JDK level which was lower than ours), and issue some
sort of trace or warning message noting that the partner software's JDK level
had forced us to operate at a lower level of crypto security.


> analyze impact of poodle security alert on Derby client - server ssl support
> ----------------------------------------------------------------------------
>
>                 Key: DERBY-6764
>                 URL: https://issues.apache.org/jira/browse/DERBY-6764
>             Project: Derby
>          Issue Type: Task
>            Reporter: Myrna van Lunteren
>
> Recently, a security weakness was found in SSLv3, POODLE: SSLv3 vulnerability 
> (CVE-2014-3566)
> Derby supports ssl between the client and network server.
> We should investigate this and decide if we need to change our product, e.g. 
> to eliminate support for SSL in favor of its successor TLS.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
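
The check suggested in the comment above could look like the following. This is an added example, not Derby code and not part of the original message; the class and method names are hypothetical, and the weakest-to-strongest ordering of JSSE protocol names is an assumption of the sketch.

```java
import java.util.Arrays;
import java.util.List;
import java.util.logging.Logger;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

// Added example, not Derby code. Class and method names are hypothetical.
public class NegotiatedProtocolCheck {
    private static final Logger LOG = Logger.getLogger("NegotiatedProtocolCheck");

    // JSSE protocol names, weakest first (assumed ordering). Names not listed,
    // such as the SSLv2Hello pseudo-protocol, rank as -1 and are ignored.
    private static final List<String> ORDER = Arrays.asList(
            "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");

    // Strongest protocol this side had enabled, or null if none is recognised.
    static String best(String[] enabled) {
        String best = null;
        for (String p : enabled) {
            if (ORDER.indexOf(p) > ORDER.indexOf(best)) best = p;
        }
        return best;
    }

    // Returns a warning if the session runs below the local best, else null.
    static String downgradeWarning(String negotiated, String[] enabled) {
        String best = best(enabled);
        if (best == null || ORDER.indexOf(negotiated) >= ORDER.indexOf(best)) return null;
        return "Peer forced " + negotiated + "; this JVM had " + best + " enabled";
    }

    // Call on a connected socket; getSession() completes the handshake if needed.
    static void check(SSLSocket socket) {
        SSLSession session = socket.getSession();
        String w = downgradeWarning(session.getProtocol(), socket.getEnabledProtocols());
        if (w != null) LOG.warning(w);
    }

    public static void main(String[] args) {
        // Constructed inputs: no network connection is made.
        String[] enabled = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
        System.out.println(downgradeWarning("SSLv3", enabled));
        System.out.println(downgradeWarning("TLSv1.2", enabled));
    }
}
```

A warning of this kind only reports the downgrade after the handshake; the session still runs at the weaker protocol unless that protocol is removed from the enabled list.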
