[
https://issues.apache.org/jira/browse/DERBY-6764?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14186957#comment-14186957
]
Mamta A. Satoor commented on DERBY-6764:
----------------------------------------
The following Java program lists the supported protocols and enabled
protocols (enabled will be a subset of supported protocols). If it finds SSLv3 as
one of the enabled protocols, then it removes that protocol from the list of
enabled protocols. This way, POODLE security will not be able to force the
socket to use SSLv3. I will work on incorporating the same idea in the Derby code.
Please let me know if anyone has any feedback. Thanks
    import javax.net.ssl.SSLServerSocket;
    import javax.net.ssl.SSLServerSocketFactory;

    // Wrapper class (name is arbitrary) so the program compiles on its own.
    public class RemoveSSLv3 {
        public static void main(String[] args) throws Exception {
            int port = 1234;
            SSLServerSocketFactory factory = (SSLServerSocketFactory)
                SSLServerSocketFactory.getDefault();
            SSLServerSocket serverSocket = (SSLServerSocket)
                factory.createServerSocket(port);
            // List every protocol the JSSE provider supports.
            String[] protocols = serverSocket.getSupportedProtocols();
            System.out.println( "Supported protocols are");
            for ( int i = 0; i < protocols.length; i++ )
            {
                System.out.println( " " + protocols[ i ] );
            }
            // List the protocols enabled by default on this socket.
            String[] enabledProtocols = serverSocket.getEnabledProtocols();
            System.out.println( "Enabled protocols are");
            for ( int i = 0; i < enabledProtocols.length; i++ )
            {
                System.out.println( " " + enabledProtocols[ i ] );
            }
            //If SSLv3 is one of the enabled protocols, then remove it from the
            // list of enabled protocols because of its security breach.
            String[] sslv3RemovedProtocols = new String[enabledProtocols.length];
            int sslv3RemovedProtocolsCount = 0;
            boolean foundSSLv3=false;
            for ( int i = 0; i < enabledProtocols.length; i++ )
            {
                if (!enabledProtocols[i].toUpperCase().contains("SSLV3")) {
                    sslv3RemovedProtocols[sslv3RemovedProtocolsCount] =
                        enabledProtocols[i];
                    sslv3RemovedProtocolsCount++;
                } else
                    foundSSLv3=true;
            }
            String[] enabledProtocolsSSLv3Removed = null;
            if(foundSSLv3) {
                // Size the new array by the number of protocols kept, so that
                // more than one matching entry cannot leave a null element.
                enabledProtocolsSSLv3Removed =
                    new String[sslv3RemovedProtocolsCount];
                System.arraycopy(sslv3RemovedProtocols, 0,
                    enabledProtocolsSSLv3Removed, 0, sslv3RemovedProtocolsCount);
                serverSocket.setEnabledProtocols(enabledProtocolsSSLv3Removed);
            }
            // Read the list back from the socket to confirm the change took effect.
            enabledProtocols = serverSocket.getEnabledProtocols();
            System.out.println( "This enabled protocols list should not have SSLv3");
            for ( int i = 0; i < enabledProtocols.length; i++ )
            {
                System.out.println( " " + enabledProtocols[ i ] );
            }
            serverSocket.close();
        }
    }
When I ran this program with IBM's JDK 1.6, I got the following results:
Supported protocols are
SSLv3
TLSv1
TLSv1.1
TLSv1.2
Enabled protocols are
SSLv3
TLSv1
This enabled protocols list should not have SSLv3
TLSv1
> analyze impact of poodle security alert on Derby client - server ssl support
> ----------------------------------------------------------------------------
>
> Key: DERBY-6764
> URL: https://issues.apache.org/jira/browse/DERBY-6764
> Project: Derby
> Issue Type: Task
> Reporter: Myrna van Lunteren
> Assignee: Mamta A. Satoor
>
> Recently, a security weakness was found in SSLv3, POODLE: SSLv3 vulnerability
> (CVE-2014-3566)
> Derby supports ssl between the client and network server.
> We should investigate this and decide if we need to change our product, e.g.
> to eliminate support for SSL in favor of its successor TLS.
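The same filter as a reusable helper, given here as an added example that is not part of the original comment or of Derby's code. It goes beyond the server-only program above by applying the filter to a client socket as well and by refusing to return an empty protocol list. The class and method names (`Sslv3Filter`, `withoutSslv3`) are hypothetical, and the four-element array in `main` is constructed sample input.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example; Sslv3Filter and withoutSslv3 are hypothetical names.
public class Sslv3Filter {

    // Returns the given protocols with every SSLv3 entry dropped.
    // Fails closed: if nothing would remain, it throws instead of
    // handing an empty list to setEnabledProtocols().
    static String[] withoutSslv3(String[] enabled) {
        List<String> kept = new ArrayList<String>();
        for (String p : enabled) {
            if (!p.toUpperCase(Locale.ENGLISH).contains("SSLV3")) {
                kept.add(p);
            }
        }
        if (kept.isEmpty()) {
            throw new IllegalStateException("no protocol left after removing SSLv3");
        }
        return kept.toArray(new String[kept.size()]);
    }

    public static void main(String[] args) throws Exception {
        // Unbound server socket and unconnected client socket: no port is opened.
        SSLServerSocket server = (SSLServerSocket)
            SSLServerSocketFactory.getDefault().createServerSocket();
        SSLSocket client = (SSLSocket)
            SSLSocketFactory.getDefault().createSocket();
        try {
            server.setEnabledProtocols(withoutSslv3(server.getEnabledProtocols()));
            client.setEnabledProtocols(withoutSslv3(client.getEnabledProtocols()));
            System.out.println("server: " + Arrays.toString(server.getEnabledProtocols()));
            System.out.println("client: " + Arrays.toString(client.getEnabledProtocols()));
            // Constructed input with two matching entries; both are removed.
            String[] sample = { "SSLv3", "TLSv1", "sslv3", "TLSv1.2" };
            System.out.println("sample: " + Arrays.toString(withoutSslv3(sample)));
        } finally {
            client.close();
            server.close();
        }
    }
}
```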