[ https://issues.apache.org/jira/browse/DERBY-6764?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14195758#comment-14195758 ]
ASF subversion and git services commented on DERBY-6764:
--------------------------------------------------------
Commit 1636509 from [~mamtas] in branch 'code/trunk'
[ https://svn.apache.org/r1636509 ]
DERBY-6764(analyze impact of poodle security alert on Derby client - server ssl
support)
Removed SSLv3 and SSLv2Hello from list of enabled protocols on the client and
server side to avoid poodle security breach. Also, changed NaiveTrustManager
to use TLS as the default protocol rather than SSL. If NaiveTrustManager used
SSL, then it won't find any enabled protocols for SSL after the removal of
SSLv3 and SSLv2Hello. Changing it to TLS makes TLS protocols available for
communication.
> analyze impact of poodle security alert on Derby client - server ssl support
> ----------------------------------------------------------------------------
>
> Key: DERBY-6764
> URL: https://issues.apache.org/jira/browse/DERBY-6764
> Project: Derby
> Issue Type: Task
> Reporter: Myrna van Lunteren
> Assignee: Mamta A. Satoor
> Attachments: DERBY6764_patch1_diff.txt, DERBY6764_patch1_stat.txt
>
>
> Recently, a security weakness was found in SSLv3, POODLE: SSLv3 vulnerability
> (CVE-2014-3566)
> Derby supports ssl between the client and network server.
> We should investigate this and decide if we need to change our product, e.g.
> to eliminate support for SSL in favor of its successor TLS.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
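
The protocol filtering described in the commit message above, as an added Java example (not Derby's code and not part of the original message). The class and method names are hypothetical and the sample protocol list is constructed; the same getEnabledProtocols/setEnabledProtocols calls exist on SSLSocket and SSLServerSocket.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical class name; illustrates the approach, not Derby's implementation.
public class DisableSslv3Example {
    // Protocols the commit message says were removed from the enabled list.
    private static final List<String> BANNED = Arrays.asList("SSLv3", "SSLv2Hello");

    /** Returns the enabled protocols minus SSLv3 and SSLv2Hello (case-insensitive). */
    static String[] removeLegacyProtocols(String[] enabled) {
        List<String> kept = new ArrayList<>();
        for (String p : enabled) {
            boolean banned = false;
            for (String b : BANNED) {
                if (b.equalsIgnoreCase(p)) { banned = true; break; }
            }
            if (!banned) kept.add(p);
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: what an older JRE might report as enabled.
        String[] sample = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
        System.out.println(Arrays.toString(removeLegacyProtocols(sample)));

        // Request "TLS" rather than "SSL", the change the commit makes
        // in NaiveTrustManager.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key managers, trust managers, RNG

        SSLEngine engine = ctx.createSSLEngine();
        String[] safe = removeLegacyProtocols(engine.getEnabledProtocols());
        // Fail closed: never fall back to the unfiltered list.
        if (safe.length == 0) {
            throw new IllegalStateException("no TLS protocol left after filtering");
        }
        engine.setEnabledProtocols(safe);
        System.out.println(Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

The second line printed depends on the JRE; on any runtime it should list only TLS versions.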