[
https://issues.apache.org/jira/browse/DERBY-6764?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mamta A. Satoor updated DERBY-6764:
-----------------------------------
    Attachment: DERBY6764_patch1_stat.txt
                DERBY6764_patch1_diff.txt

Attaching a patch (DERBY6764_patch1_diff.txt) for this jira. It basically
implements in Derby code what has been discussed in the Java example above. It
goes through the list of enabled protocols and removes SSLv3 and SSLv2Hello
from the list of enabled protocols.

One thing that was causing a problem is that NaiveTrustManager was using SSL,
as shown below, for the basic SSL implementation in Derby.

    SSLContext ctx = SSLContext.getInstance("SSL");

With the above code, if we remove SSLv3 and SSLv2Hello, there are no enabled
protocols left, and the client would give the following exception when trying
to connect to the server:

    Exception in thread "main" java.lang.Exception: DRDA_NoIO.S:Could not connect
    to Derby Network Server on host 127.0.0.1, port 1527: No appropriate protocol

To fix the problem, I have changed NaiveTrustManager to use TLS rather than
SSL. With this, we now have TLS protocols enabled and hence the client can make
a connection to the server. If anyone sees issues with changing from SSL to TLS
in NaiveTrustManager, please let me know. I have fired the junit suite and
next will run derbyall. Please let me know if there is any feedback on the
patch. Thanks

> analyze impact of poodle security alert on Derby client - server ssl support
> ----------------------------------------------------------------------------
>
> Key: DERBY-6764
> URL: https://issues.apache.org/jira/browse/DERBY-6764
> Project: Derby
> Issue Type: Task
> Reporter: Myrna van Lunteren
> Assignee: Mamta A. Satoor
> Attachments: DERBY6764_patch1_diff.txt, DERBY6764_patch1_stat.txt
>
>
> Recently, a security weakness was found in SSLv3, POODLE: SSLv3 vulnerability
> (CVE-2014-3566)
> Derby supports ssl between the client and network server.
> We should investigate this and decide if we need to change our product, e.g.
> to eliminate support for SSL in favor of its successor TLS.
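
The protocol filtering described in the comment above, as an added example that is not part of the original message or of the Derby patch: it removes SSLv3 and SSLv2Hello from the enabled protocols of an "SSL" and a "TLS" context and reports when nothing is left. The class name ProtocolFilterDemo and the use of SSLEngine to read the enabled list are assumptions for illustration, and the lists printed depend on the JVM, its JSSE provider and its security configuration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical demo class; not Derby code.
public class ProtocolFilterDemo {
    // The two protocol names the comment says are removed.
    private static final List<String> REMOVED = Arrays.asList("SSLv3", "SSLv2Hello");

    /** Returns the given enabled protocols without SSLv3 and SSLv2Hello. */
    static String[] withoutSslV3(String[] enabled) {
        List<String> kept = new ArrayList<>();
        for (String protocol : enabled) {
            if (!REMOVED.contains(protocol)) {
                kept.add(protocol);
            }
        }
        return kept.toArray(new String[0]);
    }

    /** Builds a context by name, filters its enabled protocols and reports the result. */
    static void report(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null); // default key managers, trust managers and RNG
        SSLEngine engine = ctx.createSSLEngine();

        String[] before = engine.getEnabledProtocols();
        String[] after = withoutSslV3(before);
        System.out.println(contextName + ": enabled " + Arrays.toString(before)
                + " -> after filtering " + Arrays.toString(after));

        if (after.length == 0) {
            // The failure mode from the comment: nothing left to negotiate with.
            System.out.println(contextName + ": no protocols left, a handshake cannot succeed");
            return;
        }
        engine.setEnabledProtocols(after);
    }

    public static void main(String[] args) throws Exception {
        report("SSL"); // context name NaiveTrustManager used before the change
        report("TLS"); // context name it uses after the change
    }
}
```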